
Right, thank you. Can you all hear me? OK, we'll start. Who am I? I'm a pen tester, involved in a range of security areas; social engineering is my favourite. We're going to touch on a lot today. I'm part of the team at Nettitude; you may have seen me at other conferences, I spoke at one last year.

Quick background: I'm interested in nation-state threats and I'm interested in what the media have to say about them, and I like reading about it. In 2016, Russia, China, Iran and North Korea were regarded as the most significant threats to the West. I have a few boring slides like that, I swear, to display quotes, but it starts with cyber-espionage: basically stealing stuff that's not yours, government-led attacks nicking other countries' information. This was an interesting quote. I will slow down in a minute; I'll go through this first lot very quickly, I warn you now. Michael Daniel, who was the former US Special Assistant, said you'll never be able to prevent them all; everything you defend will be breached eventually. I think that's accurate and I liked it, and I think it was good that someone at that level said that publicly.

Right, so what are the targets? I quite like doing this: any ideas out there, anyone? What sort of things would a nation state go after? Yes, thank you. Anything else? Research, and after that things of finance, things of worth, and patents actually; they're all after IP recently, and patents. They like to know how things are made and they'd like to replicate it. These are the areas they're targeting most: transport, manufacturing, retail, energy companies, financial companies, medical companies. Right, zero days; start thinking 'Day Zero'. I'm sure you're all aware of the term Day Zero, the idea of taking a power station down, switching off the power and causing complete chaos. This is something that scares the hell out of a lot of people, and it's quite an interesting area. Bit of a thing: after the power went out, what happened? This is from the media; it was last Sunday and it just caught my eye, basically saying that hackers potentially tried to bypass a nuclear power station's defences last week and it was caught and stopped. This is another interesting thing from the media: apparently North Korea has 7,700 active professional hackers working for them, which I think is an odd statistic; I don't know if it's true or not. The vision people have of North Korea is that they're quite limited and they don't have much; yeah, they do a lot of bad things, but theoretically they've got seven thousand seven hundred people now doing it full-time.

This concept: we are at war. We are being attacked all the time and we're also attacking other people all the time, back and forth, back and forth. It's something that's overlooked, because there's never been an official 'we are at war' act, but we are. This is an interesting statement that I read: to date there has not been a single cyber crime that's regarded as bad enough to be an act of war, yet.

OK, so think nation-state cyber attacks. What do you think of when you hear 'nation state'? Anyone? What word comes to your head? Yes, thank you, very, very good one, and I'll get back to that in a bit. Anything else? Think more basically: what do you think a nation-state attack is? Costly, expensive, really advanced, incredible, and (not to swear) sophisticated; exactly, that's why I said I'll come back to that. That ticks all those boxes: it's expensive, it's sophisticated. Here's my slide saying that, and I have my suspicions. This isn't official, but I have my suspicions that they're not as sophisticated as you think, and I think the reality is that it could be done by a non-nation state; it can be done by an individual.

Right, let's look at an example of what was regarded as a nation-state attack. The reason why what I'm about to show is regarded as a nation-state attack is because it was connected back to North Korea. Now, it was never proven, and you've probably all read information on it, so I won't go that far into it, and you've probably watched documentaries, like this one here from Vice. Did anyone watch it? It was very, very good; the Vice series is brilliant. They're about 25 minutes long, straight to the point, and they have a front of lots of security experts saying things like 'we're at war', and I find it amusing. I'm quite interested in the media and the words they use around these things; they're really excited about it, they're really selling it, that's the sexy sell. But the reality is, well, this is what happened.

Right, so Guardians of Peace. I'll check my notes: on November the 24th 2014 a hacker group identifying themselves as Guardians of Peace broke into and hacked Sony Pictures. Now, to get it right, what was taken: personal information about Sony employees, emails between employees, embarrassing stuff, very embarrassing released emails, salary information, and unreleased Sony films, which is obviously connected to finance; there's money involved in that, they mentioned massive losses over those films being released. Right, what did the Guardians of Peace do, though? Now, this is what interests me, and this is where my talk is going to start changing a little bit. They got remote access to the internal network, they exploited internal misconfigurations, they hunted out users of interest and exploited domain admin. At that point I lit up; I thought, what did they do? They got domain admin, and they stole data. There's my things of interest.

It started me thinking: what is the difference between what they've done, which is regarded as highly sophisticated by the media, the most scary people in the world ever, as the media portray it, and what a generally good pen tester does? So we don't steal data, but on a good pen test, a good remote social engineering engagement, we will get access from the outside to the internal network, we will exploit internal misconfigurations, we'll elevate, or attack common misconfigurations, and we'll exploit to become domain admin. So it got me interested: if pen testers are doing that, how sophisticated really are the so-called bad guys, the nation states? Right, boilerplate stat time. You all
know this, but I'm just going to put it in anyway, for the record. Generally it takes 98 days for financial firms and 197 days for retail to detect a breach. So how long does it take to get access in? Now, this is an interesting stat that's related to Def Con last year. At Def Con 2016, 88 percent of hackers who were asked said that basically it took 12 hours. So go back to that 98 and 197 days: it takes them on average 12 hours to get in. I'll put a little bit of a flippant comment at the bottom: 12 hours, I think, is a long time. I'd say that's quite generous, that you actually can get access from the outside to the internal organisation and get complete compromise to domain admin level. Right, out there, does anyone want to disagree with me on that? No? Otherwise I'll carry on.

Right, so it got me thinking: could a single person accomplish the Sony hack? What is 'sophisticated', and what would it cost them? Well, basically, the price of a laptop; theoretically I think it could be done by anyone at home with a laptop. So how? To start from the remote side: forget zero days, because they're costly and they don't often come weaponised, so you have to know what you're doing with them. Start thinking about what I think is replaceable, which are macros, OLE, HTAs even. I'll put it on a lure; that one from my slides gets picked up all the time. And UNC. I've been to a lot of talks last year, and now I'm very interested in UNC. I'm interested in functionality; I'm interested in exploiting what is there, what can we do with it, what will not get picked up by AV, what can slip past.

I'll start off with a video at this point, so I'm going to look around; I pre-warn you now. Right, here what we've got is a macro. Now, the user clicks 'enable macro' for it to work; on clicking it, it makes a call back to the attacking machine over here, which is Kali. Now, as you can see, I've got a session from that machine from clicking. Now I have a session on the remote internal machine. At this point I drop into a shell, just so you can see what you can do. Well, there we are on the Kali box, connecting back to the machine, the Windows box here, so that gives you full access as that standard user to that machine, just from the second 'enable' is clicked on the macro. I'm not going to show you how to create macros at this point; I've released it all on my blog, which I'll tell you about again, so you can see exactly how this is all done.

Now, to fast forward a bit through these videos, the next one I'm going to show is an LNK. Now, I believe it's been exploited for the last couple of years, and it is a link. When you double-click it (it's a shortcut), it opens up PowerShell, which runs a command back to the Kali box, and at that point you get a shell off the box. You saw, just from the user double-clicking that, you've got remote access to that machine. I personally think it's a little bit odd, and if I received a Word document or a PowerPoint document or any kind of document with another document embedded in it, I wouldn't click on it, but from tests that we do at work, and that I've done myself and other people do, I know it works. Macros and LNKs: very, very successful.

Right, the next one is UNC, so we've got Responder going. Just opening the Word document we've received on the machine reveals the machine name and the domain it's connected to, but also the username and the password hash. What happens is, when you open the UNC, it makes an SMB request back to the machine, which Responder responds to, and it goes 'great, have a username, have my password hash'. So what I'm going to show you there is three ways, of which the third way doesn't give you direct access into an internal network, but the first two do. Now, what I find is a lot of places, after you get the hash value and reverse the hash, still have SSL VPNs on the outside or Citrix boxes with single-factor authentication, so just getting creds can give you a pivot into the network. I do it all the time. So it's about credentials: a macro is probably ultimately the way in, but without credentials it's not that useful, which I'll get back into later.

Right, UNC, it interests me. Here's another very quick demo of it. So there's a cloned website of a famous dating website. Now, just from viewing the site and refreshing the browser, right, just from refreshing the browser and not putting any credentials in whatsoever, we get a hash. So we get a hash just doing that. Now, what I'll show you in this video is I look at the source code, and if you zoom in, right above there, there's a request. Now I'm going to zoom in on that because you're not going to be able to see it from there; I hope you can all see that. Literally, it's just a file share request to a fictional image that's not really there. But, Microsoft stuff: it's legitimate functionality, Microsoft sees no difference, it just makes the request out. If 445 outbound is open on your firewall and you're using Internet Explorer, that's going to happen. It does happen a lot on tests. Right, so
quickly, talking about UNC and cracking hashes. Now, I'm not going to sell this, it's free anyway, and I'm not here to promote it today, but we released a dictionary called Rocktastic; it's got a billion unique combinations. Cracking hashes isn't really a problem. A lot of people will say 'oh, I use rules', and I do use rules with it, but I would try the dictionary first and then only use rules if required. Rules don't add football teams, they don't add towns, they don't add city names, they don't add the top thousand male and female names to it; they are also incredibly slow. Now, I've heard people say 'I don't really care about being slow because I've got a rig at home'. Well, personally I haven't got a ten grand rig at home that I use purely for cracking hashes; I wish I had, but my wife is not going to let me buy one of those. The reality is, that's what I've got and it's here now, a Lenovo laptop, and a lot of us have corporate laptops; they're hideous. But this is what we have.

Right, final point before I talk about the internal side of it. You've all seen anyway that we've now got from the outside to the inside at this point; we've got creds or we've got hashes. And you could do it ugly as hell; this is, and anybody could show you a more pretty-looking email, but the reality is you can add macro code, an LNK and again UNC all into the same Word document, so you can really, really weaponise these things. Now, that's a more pretty document, the sort of one that would be used on an engagement, and the reason why I say I use this on engagements is because I know this has been used in the wild; this is the sort of thing the media has on their blog, saying this is what happened and this is what we've received. So it's just ways of enticing people to hit 'enable macro'. This is a good example of an LNK, and it's a recruitment Word document, so you just put an email, 'open the document for more information', and just write a spiel there, and underneath these are all the individual jobs, and each one would be its own LNK. They do work; they work very well. Any questions about that one? Going along, this is good, we'll go through quick and make it quite short.

Right, so we've gone from the outside and are on the inside. Now, this is going to be a bit painful for PowerShell people here: I only recently discovered a love of PowerShell. I'm quite slow and I'm quite set in my ways; I've been using Metasploit for a long time and I didn't want to move over to PowerShell. I had a process that works; I mean, it does work and it still works, but I'm starting to change it now, more to PowerShell, using less of Metasploit. The one I'll show you now is the Metasploit process that I've done for the last two or three years. So we've got creds and we've got a remote shell on some internal box. Now, pretend here, here's the shell. What would you do once you've got access to a shell? Well, the first thing you want to start looking for is misconfigurations. For this I think I'd typically use smb_login with the credentials. Now, I'll start running this; apologies, this is a basic overview, but we'll go through the whole process. So you add the username that we got, you add the password, and you add the subnet. I'm always interested in modules and scripts that allow you to set the RHOSTS; I like the fact that you can just spray it out against an entire subnet. That's very, very interesting.

Right, I hit run. Now, what we're looking for: we're looking for any user with local administrative access. Local administrative access is gold dust and allows you to use psexec against the box; it also means you've got a good chance of getting SYSTEM when you run psexec on that box, and getting SYSTEM helps. Does this happen? Well, if I get creds and I've come from the outside to the internal side, it's common. It's common that you'll find, if you spray a /24, one or two boxes where that user has been given local admin rights. Why are they given local admin rights on that box? There's lots of reasons: it's just misconfiguration for one, and the fact that maybe they had rights to install something on that box, or they were a developer and they needed it for a certain reason. It's just an incredibly common finding.

Right, so once you've got access to it, you can use psexec, and I'm going to talk about basically what psexec is. A lot of you here will know, but it's on the slide for those that don't know it; that's how you configure psexec. psexec, also quickly, basically gives you access to the machine. Now, the reason why you want access to that machine is because that user, the creds you've got, has got local admin rights on that machine, so that's why it's of instant interest to you. Now, this video here, very quickly, let me show you. It's just me using psexec, just in case anyone hasn't seen it before. And psexec, what I can say is about a year and a half ago, two years ago, they changed it from dropping a shell on the box to PowerShell, which is fantastic because it automatically bypasses antivirus. Before, you used to use so-called tools like Veil or Shellter to make a payload that would slip past antivirus, but now it just automatically slips past antivirus, which is great.
This is very interesting, a quick note: since it's launched PowerShell, when you run it, I'd say twenty percent of the time you don't get a session back immediately. Now, what I've found is it lights up green like a Christmas tree and then closes off, so just run it again, and what you find is on the second attempt you will get a shell back.

Right. getsystem is not an exploit; it's an attempt to impersonate a security context of SYSTEM. Right, if this works you get SYSTEM. I have to remind myself of that because I'm quite capable of saying it is an exploit, and of course it's not. But what happens when you run getsystem and it doesn't work? Now, this is the bit where I start to get a bit upset. I like it when it makes it easy, and fifty percent of the time it is; fifty percent of the time it's not. Now, it's probably more interesting, but it's not easy. So when it doesn't work: privesc, 'privesc', as people keep telling me, and I'm getting a lot stronger at it. These are typical ways of privesc: MS16-032 is, in my regard, quite successful, and UAC bypass exploits is another one. User Access Control will stop you from getting SYSTEM and it is very good; I recommend to people they turn it on. Is that, you know, anything that pops up and says 'are you sure you want to do this'? I would recommend having it, because it's one of the things that stops us from getting SYSTEM. HarmJ0y's PowerUp is also another good way. Now, I'm going to talk about some PowerShell tricks a bit later, not at the moment. Right, so pretend one of those has just worked; I've got videos for everything, and we have hashes.

Now, right, a quick update: we've got access from the outside to the inside, we've exploited an internal misconfiguration, a user with local administrative rights, and we've got hashes. What can we do now? OK, it's time to start hunting out the domain admin, the DA. OK, just in case anyone doesn't know here, what is a DA? Basically it's the keys to the castle; it's the highest level of a single domain, it's access to all domain-joined resources; it just gives you access to everything on the domain. Right, the first thing you want to do when you're hunting out domain admin is immediately log out of Nessus; if you're tempted to use it, uninstall it. That's my personal opinion. Start to listen to traffic; know your tools.

I call this 'the clones'. It's incorrect; 'pass the hash' is the actual official term. Now, why does Microsoft not salt passwords? I'll get to the reason why. Pass the hash works because they don't salt passwords, so if you have a password hash from one box, the local administrator hash, and they've cloned that box over and over and over again, that same password hash is going to be on all the other boxes. Now, the reason why they don't salt hashes is backward compatibility; they just can't do it, it would break it, and that is why still today they're not doing it. They're fully capable of doing it; they just don't, for compatibility reasons. So a Microsoft engineer comes along, builds a machine, really likes it, clones that machine over and over and over again, and then on the final day he's off sick and someone else comes along, doesn't know he cloned it, and actually builds his own machine. So what happens is we come along with hashes and we can access that machine, that machine, that machine, that machine, not that one, because he was off that day, but we can access that machine with that same hash. And people keep saying pass the hash is dead. It's not; I keep seeing it on tests, it just keeps coming up and up and up, to the point where I would believe if any nation state was going to do it they could just use this. It's going to work, and why would you not do something that works?

Yes, it's noisy; some of you might be thinking 'this is noisy', and it is noisy, and I find a lot of people don't log properly or they don't have a SIEM and have no way of having alerted messages. So a lot of attackers know this. If you were trying to attack someone who made paint, let's just say, as an example, what's the likelihood that they're going to think a nation state is going to attack them? And secondly, what's the likelihood, because they're not under any kind of compliance regime, they don't have to be governed by any kind of compliance, what's the likelihood that they're going to have logging? It's quite slim. Then also criminals are starting to catch up; worth noting, in 2016 there have been reports of a lot of ransomware, and where once it affected a single box, what's been noticed is ransomware does pass the hash now. So they click one in fifty files on one box, it'll then go to all your other boxes if it can, using this exact process, and they'll encrypt all of your boxes, which is really scary. Also, pen testers use it all the time.

Right, this is a fantastic tool that I've used for a long time: SMBExec. What it basically allows you to do is stick the username in with the password hash; you don't have to reverse the password hash. It's brilliant; it's been about for a long time and it's really, really good. What it'll do is spray out those hashes against the entire network, the subnets that you have defined, and it will log into all those machines using the hash that we've given it, where it can log in, and it will run a command looking for domain admins; that's what it's for. Then it will give you back a list of all the IP addresses where the domain admins are logged in, and their names. Now, if it can do that, psexec can get on to that box. So after running it: domain admins everywhere, domain admins everywhere, and it's quite scary. Test after test I do, from the outside getting to the inside, you just think, why are you all logged in as domain admin? It can be anything ranging from two to four users, up to about 20 of their IT team.

There seems to be this broken idea that if you're an administrator on a Windows domain you have to have domain admin rights to administer it, and you don't. So when should a domain admin account be used? I was going to throw this question to you, but I think it's been said, and a lot of people say things like password resets, installing software. This is all incorrect. You use delegation of permissions; 'delegation of rights', I always get it wrong, it's Microsoft's 'delegation of permissions', and you can say that that admin has rights to install this software, that admin has rights to change passwords, that admin can change passwords and install software. Should they have domain admin rights? Hell no, I'm not going to trust them with that. That's the keys to the castle, domain admin. I asked someone a lot smarter than me about this and said, when would you use it? He said, simple: when you set up your domain, and when it absolutely hits the fan, that's when you use it. Sorry, I'll get off my soapbox.

So you've found domain admins; how to exploit it? So you've used SMBExec, you've spotted where they're all hiding, you use psexec to get onto those boxes and you've got remote access to those boxes, and then you've got this incredible tool, Mimikatz. Most of you will know
Mimikatz, but just in case, I'll show a video. Right, so we're on the box, via psexec, that the domain admin has been sitting on, and I'm going to use the post-exploitation Mimikatz module in Metasploit, run it, and there you go: the domain admin at the bottom. Now, this works on 2008 server and Windows 7, and it always makes me excited when I see a 2008 box, because I know it's going straight onto that box. I'm running this now and I'll use SMB version and double-check the machine, and if it says 2012 or 2016, that's a lot of hassle, but I'm going to get to that in a minute. So people have started to have Windows 10, and I'm finding a lot of people have Surfaces. I'm turning up to offices now, either to do an internal or through the remote, and you check what machine you've landed on, and I suspect it's a Surface and it has the full-fat Windows 10 on it. Now, with Windows 10 and Windows 2012 onwards, Microsoft changed the registry settings so that it will not allow you to instantly request, in memory, what the affected user's password is, and Mimikatz doesn't work. But what you can use, and I found this very recently by fluke, is this module. Now, the keylogger module in Metasploit will instantly get picked up by antivirus, but this lockout one here, it's worked brilliantly. Select the module, run it, and it waits; I believe it counts down, so it's not instant. Let me show you: it waits for an idle period of a hundred and thirty seconds and then it automatically, what it tends to do, locks their screen, and when they log back in, you see their credentials. And thank you, it worked. So old-school tricks are working against new-school boxes; it's quite interesting. There is also a tool I'll go into in a little bit called PoshC2, which my friend developed; he's sitting there, probably annoyed that I pointed him out. PoshC2 is the same kind of principle as Empire.

Right, so password choices for domain admin. So the domain admin's user: what would you expect the domain admin's password to be? Something complex, a lot of characters, a passphrase, a really good password? I see things like Password2015; retested the next year, Password2016. It's just matching the complexity rules: uppercase, lowercase and a special character or a number. I just see it all the time, really, really weak passwords. So use Mimikatz anyway, but the thing to do is simply log in with just a weak password and spray it out against the subnet; the chances are you'll probably get a domain admin as well, because the choice of domain admin passwords that I've seen in the last two to three years is shocking.

Right, quick recap: we've gone from the outside, we're on the inside, we've exploited misconfigurations, we're now domain admin. What to do next? This is the bit where I pinpoint the domain controllers. Now, there are post modules in Metasploit to do this and lots of scripts to do this, but I just quickly do an ipconfig /all and I look at the DNS server. I was told this by a pen tester two years ago: basically, when you configure Active Directory, whether it's next, next, next, or dcpromo then next, next, next, one of the configuration steps asks you what the IP addresses are; if you take the default, if you just press next, it'll set that box as the DNS server. Now, someone also said, and I know this is true, the DC theoretically has to be the DNS box, but I think you'd all agree it doesn't have to be. So this is why, when you do a next-click configure, it's very likely that your DNS box will be a DC, and often you'll see two. Now, at this point you can RDP to it, because you've got the domain admin creds, happy days; you can add a user, or, equally, you can psexec to it. psexec'ing to it is fantastic.

Now, this is the bit that I absolutely love; this thing gets me every time: when you do a hashdump. I would pause this, but I'll let it run and also explain it. So I run the hashdump now, and there it goes, the hashes start dropping; you've got the dump there, here we go, and it goes on and on and on and on. Now, some of you smart ones might be able to spot that they're all the same; that's because this is a lab box in my house, I'm not going to show you any client stuff. But it's also interesting because I had the same password for every user, and if you look at the hashes, they're all the same. There's again a reason why Microsoft doesn't salt passwords. Now, an interesting comment: an attacker wouldn't do this, they'd just do it, don't care, but I always ask a client at this point: you have multiple DCs, I can see two here, have you any more, is there any one you'd particularly prefer that I do this on? Because they all replicate; it's the same data on each one. The reason why I ask them that is because in my experience of doing this, twice this has made a DC bounce just from running hashdump. So I pre-warn that it is low risk, but there is a potential risk, and it's always worth noting to people.

Right, so you've got the hashes; you can crack all those with your chosen dictionary. Fantastic. What do you then do? Looking at share folders is always a good point. Now, if you can find an organisation chart, quite often they're put on their websites or somewhere you can find it, generally in a share folder; you've got access to everything at this point, domain admin gives you access to everything. Then you start to target individual people; we've got the hashes and a lot of them you'll be able to crack, so you can start targeting the CEO, you can start targeting, I don't know, human resources is always a great one; reading the HR emails, you're going to find a few documents. That's exactly what Guardians of Peace wanted to do with Sony.

OK, so on average, this is what I've found: to get from nothing, from sending an email in, it takes between 30 minutes and 24 hours. So that's, I think, quite a relatively short amount of time; that's why I put that stat at the start, the 12 hours bit. I'd love it to take 12 hours personally. Right, that was the old process, and if I had rewritten this (I started writing this talk about six months ago), if I knew then what I know today, I would
have written it very differently there's a lot quicker ways I knew this previously polite and group sex male and groups XML if you any standard user can mount a share on the domain control that's how these work normally they can by default they can now if a standard users to mount the domain mounted share on the DC if you couldn't afraid there that's the locations and policies directory if you look the group xml or schedule tasks xml or services xml they're great they're encrypted ave s that the passwords are in this document is it contains the username and password now quite often it is the domain admin in those documents alternatively it's a local admin even so
it's of high level value can attacker and much loft encrypted the key I have the exact date to one here now I don't at some point they released this week I'm not sure if you can see there that's the key they released the cave my friends last week to the war we've got the key so we can now reverse them I'm sure someone got a kick that day from Microsoft for that once it's released without there's nothing you can do about it so we're all go the standard user which remount these directories we can download a copy of the group X and mouthwashes word document a text document should say and it looks they're yellow what is highlighted is username
and the password hash and underneath I'm using a tool built into cali which is just one of the Ruby script going to the metasploit framework and you literally just run that command and it reverses the document for you the hash in the document to reverse it for you and you can see there they go the press what is let's get acting takes about two minutes to run every time I run it I was thinking that you can I work in a work is going to work into what course is going to work into something every time they got to but he always takes a few minutes right kv 296 2486 does rolls off the tongue now what I've made a tattoo
of it prevents new credentials for being placed in the group's policy preference so you group sex and our files if you run that update you can no longer do that it doesn't let you but what it doesn't do this is the catcher it doesn't go back and delete them because if you believe them services and stopped working so a lot of people will run this update thinking outs fixed end but the reality it hasn't so any standard user on your network now can mount that directory they can rip those files back they can reverse the password is microsoft released okay and they can use whatever level of privileges that account that is what I think is one of more
rapid ways to get domain admin once you land on the box.

This is the new one, and it is one that blew my mind: Tim Medin revealed Kerberoasting to the world, and it has been implemented into a lot of frameworks already. Now, Kerberoasting: every user has the right to request service account information from the domain controller, including the password hash. That doesn't roll off the tongue and that's scary as hell, but any standard user can do this; it's just functionality. Now, it used to be complex. We were talking about this earlier, my friends, where it used to be like a four-step process; to do it was complex, it'll probably break and you get frustrated and throw it at the wall and give up and think it's too complex. It's been made incredibly simple now, but before I explain the reason why it was made simple, I've been asked to add this slide: Kerberos provides secure user authentication with an industry standard that permits interoperability. Basically it was implemented in Windows 2000, and it's the core of it; they're going to use it and they're going to keep using it and using it and using it, and there's nothing you can do about it.

Now the only real fix for this is to make sure that your service accounts have really, really strong passwords. Now it's worth mentioning that service accounts, nine times out of ten, do not have their passwords set to expire, ever, so they never run out, and secondly they were often configured years and years and years and years ago, well before complexity was enforced in a corporate environment, and for that reason they're often shockingly weak passwords. And so this is one of the few exceptions where cracking with CrackStation or the Rocktastic dictionary doesn't work, because those are all about complexity, whereas with these it's one word: they'll put "password", all lower case, or the account is "services" and the password is "services". Things like that, really bad. They're often also in the Domain Admin group; I won't expand on that. Right, hashcat has included support now for cracking these, and this is one of the new frameworks that have come up and I think it's brilliant: PoshC2, created by my friends Ben Turner and Dave Hardy; their Twitter handles are there if you're interested in following them. What was implemented into that was this, underneath. All you do is literally get access to a machine, get a shell on it using PoshC2, so it's the same thing, the macro gets you access to the machine in PoshC2, then all you have to do is run Invoke-Kerberoast with output format hashcat, pipe it to Select-Object, and off it goes; wait about a second or two and it starts to get your hashes back. That, quickly, is how to do it.
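The two things the talk has covered so far, leftover GPP cpassword entries that KB2962486 does not remove and Kerberoastable service accounts with old, never-expiring passwords, are both things a defender can audit without touching a live domain. The Python below is an added example, not the speaker's tooling and not part of PoshC2 or Metasploit: it walks a copy of SYSVOL for non-empty cpassword attributes and flags SPN-bearing accounts from an account export; the SYSVOL layout, account records, dates and the placeholder cpassword value are all constructed samples.

```python
import os, tempfile
import xml.etree.ElementTree as ET
from datetime import date

GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml", "DataSources.xml"}

def find_gpp_cpasswords(sysvol_root):
    """Report every non-empty cpassword left in a SYSVOL tree: KB2962486 blocks
    new ones but never removes old ones, so this is the clean-up check."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unreadable file: skip it rather than abort the audit
            for elem in root.iter():
                if elem.get("cpassword"):  # attribute present AND non-empty
                    findings.append((path, elem.get("userName", "?")))
    return findings

def audit_service_accounts(accounts, today, max_age_years=5):
    """Flag SPN-bearing accounts (the ones a Kerberoast request can target) whose
    password never expires, was set years ago, or that sit in Domain Admins."""
    flagged = {}
    for a in accounts:
        if not a["spns"]:
            continue  # no SPN, no service ticket to crack
        checks = ((a["never_expires"], "password never expires"),
                  ((today - a["pwd_last_set"]).days > 365 * max_age_years,
                   "password older than %d years" % max_age_years),
                  ("Domain Admins" in a["groups"], "member of Domain Admins"))
        reasons = [why for hit, why in checks if hit]
        if reasons:
            flagged[a["name"]] = reasons
    return flagged

# Constructed sample data: no real domain, and the cpassword value is a placeholder.
LEAKY_XML = ('<Groups><User name="svc_backup"><Properties userName="CORP\\svc_backup" '
             'cpassword="PLACEHOLDER-NOT-A-REAL-CPASSWORD"/></User></Groups>')
CLEAN_XML = '<Groups><User name="helpdesk"><Properties userName="CORP\\helpdesk" cpassword=""/></User></Groups>'
SAMPLE_ACCOUNTS = [
    {"name": "svc_sql", "spns": ["MSSQLSvc/db01"], "never_expires": True,
     "pwd_last_set": date(2009, 3, 1), "groups": ["Domain Admins"]},
    {"name": "jsmith", "spns": [], "never_expires": True,
     "pwd_last_set": date(2010, 5, 5), "groups": ["Domain Admins"]},
]

def build_sample_sysvol():  # writes the two sample Groups.xml into a temp SYSVOL-like tree
    root = tempfile.mkdtemp()
    for gpo, xml in (("{GPO-1}", LEAKY_XML), ("{GPO-2}", CLEAN_XML)):
        d = os.path.join(root, "Policies", gpo, "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w") as f:
            f.write(xml)
    return root
```

Against a real domain, point `find_gpp_cpasswords` at a mounted SYSVOL copy and feed `audit_service_accounts` an export of accounts that have a servicePrincipalName set.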
And this is quite scary: you can send an email, run that, and you're domain admin without doing anything, just from sending an email, within a minute. Right, so I took a look back. This is the reason why I am getting really, really into using PowerShell, and in a year's time, if you hopefully come to the next talk I do, it'll be basically just about PowerShell. But right, I took a look back over the last few months, and statistic-wise, I did 14 internal infrastructure tests and seven remote social engineering tests, and I'm not lazy, I also do web apps and everything else that is thrown at me on top of that. 2170 of them got domain admin, and it's really common. Why do you not get domain admin? Generally, if it's a client test and it's just Red Hat boxes. If it's a Windows domain, nine times out of ten you're going to get it. If it's a remote one and you've got a social engineering engagement, you're going to get in, you're going to get it.

OK, so this bit is where it gets more interesting. I'm alarmed by the time I've got left, so let's... thank you. When it fails, and you might start considering, if you're a nation state, you're going to think, I'm going to go, I'm going to... Tom's travel stops going on aeroplanes; it's the third time I've risked my life up on an aeroplane to get here today. And right, why risk it for a biscuit, as my daughter says; don't try and instantly rock up at their site and get access if you don't need to. So what are some of the possible better ways of doing this, more savvy ways of doing it? It's just something that I was toying with last year and have not spoken about to anyone really so far. While doing a lot of internal testing I noticed that people use wireless a lot. Guest wireless is very, very common; guest wireless now is often segmented correctly from the internal wireless, which is great, it's all done properly. So what's the danger? Well, generally guest wireless networks are just open, or if you have a policy, it's a case of a weak word like Hello 2017 or something like that, or it's a four-digit PIN, or a PIN you can brute force with Burp, and there's no lockout on the Cisco, it has no lockdown, so you just literally run through it in about four seconds of brute-forcing. And if it's segmented correctly, where is the risk? Well, you're going to find corporate users on the guest network, which is insane, but it happens. So you can be sitting outside, looking at the wireless network, and you'll see corporate users actually connected to the guest network all the time. Now why do they do that? Well, if you ever turn up to site on your first day, a lot of the time people put you on it just for ease of use; it's quick. Related to that, sometimes it has direct internet access and people like that because of the restrictions on their corporate network. Once a machine has ever connected, it will always try and connect back to it when it sees it. Now people say, but they don't broadcast the profile, so what's the problem? Well, I started researching it and I was looking at these, the [ __ ] group 24 dBi directional antennas they've actually sent out, and you can plug them straight into an Alfa card. These are pretty scary. I'm about to show you the amount of distance this thing can see an SSID from. It was worth it, it was a bit of a laugh. Now I looked at it and thought, that's pretty scary, and instantly anyone who does wireless will say that's rubbish because you can't broadcast back. You're right: you can see it, but they probably won't have the power to broadcast back to you. But it's still interesting that you could just be sitting miles away and start doing a bit of recon on these people, start to see what they've got, and you're going to see corporate users on it, so you know if it's worth doing.

What would be more realistic would be one of these, which I call a Pringle can. Now, you don't need two miles really; you could just sit across the road, or be parked a few minutes down the road, especially in London, to be realistic, and it plugs into an Alfa card. So corporate users are on the guest Wi-Fi. What I would do, and what I have done to prove this actually does work, is connect to the guest wireless, fire up Responder, which is incredible, you get hashes, Rocktastic to crack them, and then I use Fierce. Now, I picked up Fierce about two years ago and thought that's really cool; a company I know hadn't used it for years. It's just a simple tool that we should be using all the time and we sometimes just ignore, but Fierce is fantastic. You put the domain name in and a second or two later it'll pop out the SSL VPN and the OWA, or the Office 365 portal. Now what's interesting is you've got creds, so you've just connected to their guest network and you now know that their SSL VPN domain name is this, and their OWA domain name is this, so you just connect to it using those creds. So you're just literally sitting in a park across the road and you've got access to internal data. The VPN thing is really common, as I said earlier: single-factor authentication on
VPNs; it's scarily common.

Right, when it just doesn't work. This is the thing: I do a lot of internal SE as well, and if it all fails and you've got a walk-in. I was out at five in the morning when we got the tram down; we saw a load of offices, for the Air Force and later a load of corporate offices, and I could see through the door as we went past: no turnstiles, people walking in, just absolutely queues of people, and I'm walking in. Instantly I just knew you can walk straight in there, straight upstairs, and this just happens over and over again. So I rarely get stopped, actually, for trying to get access into a physical building. There are exceptions; even the most extreme places can be got into. Turnstiles are a hindrance, but what someone suggested to me is to save it for when people are getting food, going out at lunchtime; that always works. You could just walk in with it, looking a bit shifty and in a bit of a rush, on your mobile phone, with something in your hand, and someone will let you in. That's it; it just happens all the time. If it doesn't work at the front door, just quickly run round the back. I'm going to run round to the back door and it's much the same thing: yeah, yeah, fine, let him in.

Right, you're on site, find a place to hide. I just sit in the middle of an office. I used to, when I first started, be a bit shifty and hide in a really small little place; now I sit right in the middle. I start talking to people quite happily; people don't expect that. The person they've been seeing, who is it, the cocky person, they don't generally think you're malicious. Right: mapped drives cause broadcasts, broadcasts can be responded to, and you get a lot of access to the network that way. Here's a video of internal testing. On this screen here you can see Responder, and here I've got a Windows 7 machine starting up which is an exact replica of a client domain machine. Now, just from starting up the Windows machine, you can see a hash; so just from being on the same network and that machine starting, you've got a hash, and I'll explain the reason why. You've got another one again just from it going to the desktop, you've got a hash. Now in a minute I'm going to go to My Documents; again you get a hash, and you see where I'm going with it: clicking on a document, again you get a hash. Now this machine is broadcasting out all the time, saying, where are you, where are you, I'm here, respond to this thing on here, on here. It's basically sending your authentication to connect to me. Now the reason why it's doing this is I've mapped a share; if you look there, you won't see it very well, but that share there, highlighted a little bit, it's always broadcasting out. Now loads of people have mapped shares; it's just what we do: mapped shares cause broadcasts, broadcasts can be responded to, and responding ends up with you getting creds.

Right, when Responder doesn't work and you're on the internal physical side, what do you do? This is when it kind of gets a bit of a challenge; it's actually quite enjoyable though because it's different, it gives you a chance to think. Cold boot attacks are really, really common. People don't encrypt PCs; they encrypt laptops, not PCs. I've got five minutes to go, does anyone have questions? We'll go very quickly, carry on. Right, so boot off Kali, go to the config directory, copy the SAM and the SYSTEM file, use pwdump, and you've got the hashes. This is great, and sometimes people put BIOS protections on. I've done this, and not once, I've done this hundreds of times; on one SE test I cracked open the box in the middle of an office and I've had my phone out googling how to reset the BIOS settings on this machine, and I've done it in the middle of an office with people walking past me, who could have been colleagues, and no one stopped me. Now, I'm six foot six with ginger hair, I stand out, and no one stopped me. Right: grabbing [ __ ], BIOS bypasses, doing that, grabbing the local administrative accounts straight off. What you're grabbing from that box, and there's a clue there, bypasses the requirement for Responder: domain user password cracking, domain user share rights. It does feel slightly like cheating, but that's just fun. Right, if that all fails, you can finally reinstall it and fire it up. Are there any questions? Come on, someone ask a question. Maybe it's that that was the most insane thing I've ever seen, the most scary. Cool. Oh sorry, well I believe
the question was: what would you recommend an enterprise does to stop these kinds of attacks? Mmm, well, I think we just always historically say it's about training of employees, you know, training employees to spot suspicious things. I do agree, I agree there's a level of that; people should be told, if anything's unusual, report it; don't forward it to the entire company, which is what I found a lot of the time. What people do is put, say, an image into an email and send it into an environment via their SMTP relay, that service on the outside, so the file comes from an internal source; Outlook will automatically accept it and just open that image and send the request. Now someone forwarded that across the business, and I went from having a few hashes to having like 1500, and it is just down to that: no, delete the message, it's very simple, just delete it. Now I think we need to have appliances and email proxies and firewalls. I'm not here to talk about vendors, but there are firewalls out there, application firewalls, that are checking, which will stop any reverse connection that is not from a browser. Now, we were discussing this earlier, there are ways around it; you've got to start being pretty clever to get round these things, and a lot of the kind of nation-state ones wouldn't get round this initially; they'll find a way around eventually, once they realise what was blocking it. But I think you should have layers of hardening, physical devices that do this, and have good trained employees to actually configure them, as well as internal training. It's very easy to blame people and go, you clicked on it, it's your fault, and that's wrong; it's not. It's also your fault for having an infrastructure that allowed them to get to the point where it got to them with ease, and secondly for not having good training internally too. So this isn't right: if you receive any email that you don't think is right, you should question it; you shouldn't blindly open it. Recruitment emails, I use those all the time and people open them, and those are really... people like to be, as someone said to me, people like to be made to feel special, they like to be made to feel wanted, important. If you tick those boxes, and I feel a bit of pain as I say it, if you tick those boxes people will do it and they will open it. You need to tell people that you're aware; don't be opening stuff from recruitment people, that's not normal. Again, you have devices, email proxies, email protection; I don't want to mention the name, but there are a big couple of vendors who have this sort of detection, and also firewalls and application layer firewalls.

Are there any more questions? I haven't, and I just do SE testing; I'm not part of their... I don't do red teaming. I was discussing this earlier; we do do red teaming as a business, we do a lot of it. I just do what I call quick and dirty grabs: get in within half an hour, domain admin, put it in a report, that's what I do. I haven't had any... I've had a few good challenges, and they've got email protection, they've got proxies, you know, the email, I don't say no. Do you know, I'm getting yet another application layer firewall; they give me the biggest amount of grief, but there's ways around them. It's not trivial to do that; eventually you have to pick up the phone and start talking to people, which we really don't like doing. Any other questions? Thank you very much. Just before I go, there's my Twitter handle; send me any questions at any point, I do reply, and I have a blog as well, which is myexploit2600, my YouTube blog, and that has all the videos I've shown you now, and I show you how to make them all, if you were interested in making them. Thank you.