
BSidesCHS 2016: "Hunting High-Value Targets in Corporate Networks" - Patrick Fussell & Josh Stone

BSides Charleston · 2016 · 47:51 · 433 views · Published 2016-11 · Video on YouTube
Category: Technical
Style: Talk
About this talk
Title: "Hunting High-Value Targets in Corporate Networks"
Speaker(s): Patrick Fussell (@pfizzell) & Josh Stone (@Josh5tone)
Josh Stone and Patrick Fussell are penetration testers with PSC, working primarily in the PCI compliance space. Between the two of them there are over 15 years of penetration testing experience, and they get to work with some of the world's largest service providers and merchants.

Transcript [en]

So, as the slide says, I'm Josh Stone and this is Patrick Fussell. We're pen testers. If we specialize in anything, I guess, in terms of research interest, and you'll see it in this talk a little bit, we're kind of all about post-exploitation, so that's a lot of what this talk is going to be about. We work for a company called PSC. Don't let the simple-seeming acronym scare you too much; we do PCI compliance, but you'll get a sense for how we do pen testing, at least in this talk. And we were recently acquired by NCC Group; I think I have to say that. We probably should have gotten the new and updated logo. So if you're familiar with them, that'll show you where we kind of fit in.

Hopping right into it: one valuable question these days, I think, because there's a lack of industry definition about what pen testing really is anymore. Strangely, part of me wants to say that pen testing is when you just attack stuff, and sometimes I think that's what we really want it to feel like. If you go take a hacking class, take some training, get a certification or something in a pen-testing-related topic, you'll find out that there are some different formal ways to define what pen testing is. We've got some set of different phases that we run through.

Too often, I think, in real life for a lot of places, pen testing looks more like this, and I'm on the side of the fence that thinks this isn't what I remember pen testing being 16 years ago when I started it, so I'd say it's not actually a pen test. But what we're talking about today is the sense in which all pen tests have an objective. There's something that you're trying to achieve. It's not just about "hey, I'll scan and I'll find some stuff and tell you about a few things that you might want to patch, but I don't even know how to exploit them." The real goal of a pen test really ought to be finding the crown jewels in the environment.

We work in PCI environments, so for us the crown jewels are usually PAN data; we're looking for the credit card numbers themselves. If we find those, then they're not PCI compliant, kind of by definition, and then it's a matter of figuring out how to fix that. Now, what this talk is going to be about is not so much new vulnerabilities or exploitation techniques but post-exploitation tales from the trenches: examples from real pen tests where we're talking about the mindset or the thought process that takes us to things. I think this is valuable for a defender as well as an offender. How many of you are defenders?

OK, cool. How many of you are offenders? What's the third category? I'm not sure. Just an enthusiast, perhaps, or being coy. So if you're a defender, pay attention to the thought process that we're presenting as we go through these scenarios, because a lot of times what we find is, if you have really good hygiene in your network and you've fixed a lot of the things that you can scan for, there are still a lot of architectural decisions that have been made that help us work our way through a network to find those crown jewels. We'll probably make sure we get a little bit of coverage here and there from that defensive side as well.

So, first one.

All right, so one of the things that we always do to kick off a pen test is look for our early access, or how we're going to gain that initial access. Josh talked a little bit about how we focus on post-exploitation, but we still have to get to that first compromise. It's going to give us the things we need to start the post-exploitation process, and that's always our low-hanging fruit. In sort of the traditional model that Josh was talking about, that might be some vulnerability you find with Nessus. I think one of the things that's a little more interesting, though, from the pen testing perspective, is that there are a lot of vulnerabilities that can give you that access that aren't necessarily something you would find with Nessus.

As we kick off our pen tests we look at scanning and enumeration, trying to build a picture of it, and probably even before the pen test we start with scoping calls, speaking with the customer and trying to define what we are actually going to be testing. As the pen test progresses and we get a better picture of what the network actually looks like, we start to see what goes where and how these things relate to each other. One situation that we find pretty frequently is, after an organization has had pen tests for maybe three or four years, that they start to have better hygiene, as I said; they've cleaned up a lot of the low-hanging fruit and it becomes a little bit harder to gain that initial access.

I think from the pen testing perspective it then becomes more important to think a little bit more about those vulnerabilities that are maybe a little bit harder to frame as vulnerabilities. There are lots of interesting things that are inherent to a network that we can exploit, that give us the access we need in this initial phase. Just to sort of highlight this, one thing I want to walk through is a couple of pieces of information you might gather that become really relevant.

So one of the things I like to do as soon as I kick off a pen test is look at some of the naming conventions that are used. DNS is a really great place to look here. So run through it, just with nmap or whatever tool you're actually using to look at this. We look and see: OK, it looks like a lot of our systems are related to specific users. We can see this looks like we've got Mr. A. Smith and J. Pinway; these look like they're probably people. We don't know for a fact that these are their usernames or what the actual relation is, but we can probably start to guess here.

So if we can get a little more efficient about the naming conventions that are used in the network, we might be able to create something useful from this. Another thing that's fairly ubiquitous, especially in Windows environments, is Remote Desktop, and this is another thing we can kind of play in here. If we connect to a session that's already alive, that somebody's already logged in to, a lot of times you'll see Remote Desktop show you the Active Directory domain as well as a username. If we plug these things in together, we can create a list of users, potentially, because we know the naming convention and the domain, and now we've got a list of usernames.

If we can match those up, and there are a lot of ways we might want to create that list, now we've got a great starting point. Again, I think what's important about this is that these are things that are inherent to the environment; this is just the way that they've run it. This isn't necessarily a vulnerability, but now we've got a great way to run maybe some password-guessing attacks that can get us to that initial access that we're looking for.

Yeah, I'll say on that one, I've seen a lot of people go nuts over trying to close anonymous user enumeration on their domain controllers, kill their trusts so they can get rid of that stuff, and things along those lines, and then not realize that DNS leaks the same information. I don't know if I've ever seen a customer, after I find that, actually rename their systems. So it's an eternal vulnerability; it's always going to be there. So, the next scenario picks up where we've got some basic credentials. Maybe we did what Patrick just talked about; now we've got ourselves a regular account, we've got Joe Schmo's password, and as we might think, Joe Schmo doesn't sound like the most exciting and interesting user.

We go and check on the domain and unfortunately he's just a domain user. It would be really cool if that was Domain Admins group membership, but nevertheless. We find a lot of times, and in my opinion it has been this way for a number of years now, that the hard part of a pen test is the initial entry point. Once you have the initial entry point, then escalation and post-exploitation just follow real quickly. So the question is, since we got a user but he's not a very valuable user, what does it get us? And for the defenders: I see a lot of cases where I'll say, well, I got Joe Schmo's password, and they'll say, well, that doesn't matter, he's just a temp or something, who knows what it is. People don't take it seriously, and in real life there are some things we can do with this.

So one thing that domain user gets us is that we've now gone from accessing nothing (the singularity of compromise, if you will; we have literally nothing that we can talk to) to suddenly having things that we can access. And even though a domain user doesn't control systems, he does have access to a lot of files. I was adding it up a couple of days ago: I've done about 180 on-site engagements in the last five years, and I have twice ever found a case where I didn't find something juicy in a file share.

So some file shares, or some files, are much more interesting than others. You can find batch files, maybe, that have credentials in them. web.config files show up everywhere; a lot of times a web developer wanted to do something with the web root and so he opened up the permissions on it and never thought about it again, but now everybody has access to a database service account credential, if they only thought to go and look for it. Nobody made that share with knowledge; IT doesn't even know it's there, but we can find it.

So we're looking for big files. You find disk backups, VMDKs for virtual machines; I've had a couple of times where I found an appliance with a share that was readable by everybody, with the VMDKs for a domain controller. There's nothing more valuable than that. In a little network that's not so hard. In a little network, you've got 30 users in an office somewhere, you're talking about a few thousand files that probably any user can get access to, so you can go through that in an afternoon. But when you scale this up to any organization of size, a real corporate environment, maybe national or global in scope, we're talking about 30,000 users, a hundred thousand users. Now instead of thousands of files we're thinking about thousands of shares.

It gets very difficult to start going through those. You can go through them manually, and this will probably actually drive you crazy, because every time you click on something you don't have access to you get a pop-up: "access denied", hit OK. That's really annoying. You can use some tools and script up some things, but there aren't a lot of things that are specifically well designed for it, so it can be a real pain. You know that there are jewels out there; there's stuff that's going to get us escalation, and you just don't have the time. I'm there for a week, maybe two weeks if it's a really fun engagement, and that's just not enough time in some of these environments to go through hundreds of thousands or millions of files.

So I have a tool. You can get the current version of the tool; there's a new one coming out, and I'll tell you a little bit more about that in a minute. But plundering file shares is something that needs to become an automated process. So, just a quick how-to: nmap, find some SMB servers, turn that into a list of SMB URLs (these are all the shares, or all the systems that may have shares), then, in multi-threaded fashion, scan the tar out of it.

I find that simply indexing all of the file shares, if you do it properly with a decent tool, which I like to think mine is, I can do this: what used to take me an afternoon in a little company now takes me an afternoon in a big company, because I get back a big list. I go through all of my spider results and I end up with, hey, there are 310 web.config files in this environment. So with over 300 of them, how long does it take for me to go look at 300 web.config files? Well, that also takes a whole afternoon, so automate that too. We do an automated mirror: we just pull all those down, run all those URLs right back in through plunder, pull all those down, and we automate that process.

And like I said, I think out of 180-something engagements I've had two where I didn't find something juicy on a file share, and the reason is because most people don't know what file shares they have. They'll think of their file server, but actually, if you have 600 or 6,000 machines in your environment, many hundreds of them have shares you probably don't even know are there. What happens is somebody says, I need to share something; they right-click on a directory, they make a share, and they don't realize that the default permissions are going to be Everyone: Read. They won't be Everyone: Write, they'll be Everyone: Read, and there's enough stuff out there that you want to be able to get it.

So to do this effectively, scaling this up to large environments, you want to automate it and parallelize it to scale. There's some business logic: you get some places, like a financial institution, that have an imaging system where every single receipt, every single signature card is in there, so you might have literally millions of files in a directory. There's some business logic involved in doing it, and that's why I wrote plunder. I have a new version coming out that's going to do this a little bit better and add some extra capabilities.

I've been proof-testing it. The last time we presented this talk I had said I was going to get it out real soon, but then my house started to look like this, because I live in Baton Rouge, and so I've been a little bit delayed on the project. But it should be coming; I'm hoping by the end of the year to get plunder 2 out, which has a few other beneficial features. So, thinking about the strategy, though: think about how I get access to something that everybody considers useless. Most IT administrators, most security people, will consider Joe Schmo's account useless. They'll say that'll never get you anywhere, but I promise, ninety-nine and a half percent of the time it gets me everywhere eventually, just by poking around and looking.
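Below is an added example, written for this page and not code from the talk or from the speakers' plunder tool, of the share-plundering pipeline described above: parse nmap's grepable output for hosts with 445 open, expand each host into smb:// URLs by listing its shares in parallel, and sort an index of spidered paths into the categories worth mirroring in bulk. The nmap text, the share listing and the file index are constructed; smbclient's -N, -g and -L flags are real but only get exercised against a live network; the extension lists in JUICY are this example's own choice, not a list from the talk.

```python
"""Triage an SMB file-share index at scale (added example; not the talk's or plunder's code).

Pipeline: nmap -> hosts with 445 open -> share list per host -> spider ->
filter the index for juicy files -> mirror each category in bulk. The pure
parsing and ranking steps run offline on the constructed samples below;
list_shares() shells out to smbclient on a real network.
"""
import re
import subprocess
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed nmap -oG (grepable) output for a TCP/445 sweep of a small subnet.
NMAP_GREPABLE = """\
# Nmap 7.x scan initiated as: nmap -p445 -oG - 10.0.0.0/28
Host: 10.0.0.5 (fs01.corp.example)\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 (ws-asmith.corp.example)\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.0.0.9 ()\tPorts: 445/closed/tcp//microsoft-ds///
Host: 10.0.0.12 (appliance.corp.example)\tPorts: 445/open/tcp//microsoft-ds///
# Nmap done
"""

# Constructed spider output: full paths under the shares we could read.
SAMPLE_INDEX = [
    "smb://10.0.0.5/Public/inetpub/site/web.config",
    "smb://10.0.0.5/Public/scripts/deploy.bat",
    "smb://10.0.0.5/Public/docs/readme.txt",
    "smb://10.0.0.12/Backups/dc01/dc01-flat.vmdk",
    "smb://10.0.0.12/Backups/old/ntds.dit",
]

def parse_nmap_grepable(text, port=445):
    """Return the hosts whose <port> is reported open in nmap -oG output."""
    hosts = []
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)", line)
        if m and re.search(r"\b%d/open/" % port, line):
            hosts.append(m.group(1))
    return hosts

def parse_smbclient_grepable(output):
    """Parse 'smbclient -g -L' lines of the form Type|Name|Comment; keep disk shares."""
    shares = []
    for line in output.splitlines():
        parts = line.split("|", 2)
        if len(parts) == 3 and parts[0] == "Disk" and parts[1].upper() not in ("IPC$", "PRINT$"):
            shares.append(parts[1])
    return shares

def list_shares(host, timeout=20):
    """Null-session share listing via smbclient (real flags); [] if it fails or is absent."""
    try:
        out = subprocess.run(["smbclient", "-N", "-g", "-L", "//%s" % host],
                             capture_output=True, text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return parse_smbclient_grepable(out.stdout)

def smb_urls(hosts, lister=list_shares, workers=32):
    """Expand hosts into smb://host/share URLs, listing shares in parallel (order preserved)."""
    urls = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for host, shares in zip(hosts, pool.map(lister, hosts)):
            urls.extend("smb://%s/%s" % (host, s) for s in shares)
    return urls

# Categories follow the talk (scripts with creds, web.config, VM images, backups);
# the exact extensions are this example's assumption.
JUICY = [
    ("webconfig", re.compile(r"(^|/)web\.config$", re.I)),
    ("script",    re.compile(r"\.(bat|cmd|ps1|vbs)$", re.I)),
    ("vm_image",  re.compile(r"\.(vmdk|vhd|vhdx|ova)$", re.I)),
    ("backup",    re.compile(r"\.(bak|bkf|old)$|(^|/)ntds\.dit$", re.I)),
]

def classify(path):
    """First matching category for a path, or None if it is not worth pulling."""
    for tag, rx in JUICY:
        if rx.search(path):
            return tag
    return None

def triage(index):
    """Group indexed paths by category so each category can be mirrored as one batch."""
    hits = defaultdict(list)
    for path in index:
        tag = classify(path)
        if tag:
            hits[tag].append(path)
    return dict(hits)

if __name__ == "__main__":
    for tag, paths in triage(SAMPLE_INDEX).items():
        print("%-10s %d" % (tag, len(paths)))
```

The output of triage() is the list you feed back into the mirror step; a category with 300 entries is still one batch job rather than an afternoon of clicking.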

So one of the ideas I think we like to have when we go into the pen test is to assume that there is a problem somewhere, and our job as good pen testers is to help identify those issues and how they might be used realistically. So we have to start the pen test with this concept of: we're going to go find the problems. I've been toying with the idea: is there anybody anywhere who would say my network and my systems are 100% secure? I don't think that there is; that would be a bold claim if there was. So one of the concepts that we tend to work with fairly commonly, because we do a lot of PCI pen testing, is that we have networks where there are essentially two environments, one of higher security and one of lower security.

This isn't always necessarily directly PCI-related; we work with lots of companies where it might just be your production environment versus your corporate environment, whatever it is. This can fall into lots of different categories; it's just convenient to talk about PCI, since we can say we always want to keep our cardholder data somewhere nice and secure. So we have these different environments and we have some way to separate them. What we see here is just one version of it, or one way this kind of falls out, where maybe we have all our users in one place, some intermediary host, a bastion that they hop onto, and then we have all our valuable data somewhere else.

A couple of things to note about this: we're going to have to administer this network, so we have to have a way to deal with these, and we know that our users are going to be connecting through. Keeping that in mind, what starts out looking like this kind of turns out looking like this. We've all seen the situation where we put in one hole for one day because this one guy needed the one thing, and you multiply that 365 times and now we've got a pretty different situation. This is one of the things we're looking for in the pen test: how can we leverage this to get what we need?

So real quickly, let's look at a typical pen test scenario. We started off with all our scanning and enumeration, we learned a little about the environment, we got some initial access, and we were able to use that to escalate, maybe like what Josh was talking about, where we find some credentials on a share. So now we've got DA creds. Domain administrators are great, but what does that really mean? Nothing, essentially. I mean, great, you've got domain administrator, but can I use it to get me anything? And how do we leverage that access to actually get to the CDE, or maybe get to our production environment where our valuable data is? That's where the value of this process comes into play.

So how do we do that? That's a good question. We want to get to the profit step. Going back to that initial concept, that we always know there are problems, we want to make sure we can use these DA creds and look at our ability to know something about the environment. In our first phases we were building some clearer picture of the environment. So how do we do that? I think one thing that we've sort of perfected as a process is looking at active network connections.

Looking at that bastion host scenario, we know that we want to know something about who's connected to those hosts, and where my potential targets are. netstat is a great indicator. So if I've got domain administrator creds, I can hypothetically collect netstats from all of the systems where that account has privileges. So let's just imagine, or one of the ways this actually plays out during a pen test is, we gather the netstat information from all of the hosts that may be in that corporate network or that user VLAN, and what can we do with that data? So now let's take a look: do we have any direct connections into our valuable networks? We can just use a little bit of creative grepping.

Well, the first time I ever did this, it turned out that there were no direct connections, and I thought, well, let's take a step back and look at what else we know about this environment to build a little bit clearer picture; maybe there's something else that's interesting, even if I don't see direct connections into my target network. So actually, from a recommendation from Josh and a little bit of scripting, the process we've come up with is turning those netstats into something that's a little more graphical, something that has some meaningful data in it.

Using a tool called Graphviz, if anybody's familiar with that, we can draw graphs from some nice textual information, and something you might get looks something like this. There are lots of ways you might parse this data out and turn it into actual graphs, but this is just an example of something that might be interesting in that set of data, where we have tons of incoming connections into a single host. That might tell you that there's something special about this host, and now this is really interesting, because what does this mean? Is this some sort of bastion host? If we see tons of incoming connections it might be a database or a file share of some sort.

But I also think that if you look towards the top right there, you see that there's one host connected to one other host; those can be interesting too. So there are lots of cool things we can tease out of this sort of information.

But another direction you might go, or I think maybe the more meaningful pieces, are those things that the people at your client, or the IT department, or the network administrators, can't tell you or won't tell you, or maybe they don't know about. You might find connections that they thought were gone or weren't aware of, and these are the places where you usually find the most valuable access. In several situations in a pen test, what's actually come out is: we had an old bastion host we set up that doesn't have MFA configured on it, and we can see that those connections are alive, and now I don't have to use MFA to get to my protected environment. You'll see that there are often dozens of cases of these sorts of connections in a pen test, if you can tease out that data.
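The netstat-to-graph step described above, as an added example that is not the speakers' own scripts: fold per-host `netstat -an` output into a deduplicated source-to-destination edge list, grep it for connections that land in the protected network, rank destinations by how many distinct sources talk to them so bastions, databases and file servers stand out, and emit Graphviz DOT so the same data can be drawn. The netstat excerpts, the 172.16.50.0/24 range standing in for the CDE, and the bastion at 10.10.1.5 are all constructed.

```python
"""Netstat-to-graph triage (added example; not the speakers' scripts).

Collect `netstat -an` from every host the admin creds reach, then:
  1. build one oriented edge per TCP connection (client -> server:port),
     deduplicating the two views you get when both ends were collected;
  2. "creative grep": edges whose destination is inside the target CIDR;
  3. inbound fan-in per destination, which is what makes a bastion or a
     database light up in the graph;
  4. DOT output for Graphviz (dot -Tpng).
"""
import ipaddress
from collections import defaultdict

# Constructed Windows `netstat -an` excerpts keyed by the collecting host.
# 172.16.50.0/24 plays the CDE; 10.10.1.5 plays the RDP bastion.
NETSTATS = {
    "10.10.1.21": """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.10.1.21:51022       10.10.1.5:3389         ESTABLISHED
  TCP    10.10.1.21:51040       10.10.1.5:445          ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
""",
    "10.10.1.22": """\
  TCP    10.10.1.22:50201       10.10.1.5:3389         ESTABLISHED
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
""",
    "10.10.1.30": """\
  TCP    10.10.1.30:50110       10.10.1.5:3389         ESTABLISHED
""",
    "10.10.1.40": """\
  TCP    10.10.1.40:49999       172.16.50.10:3389      ESTABLISHED
  TCP    10.10.1.40:50005       10.10.1.5:3389         TIME_WAIT
""",
    "10.10.1.5": """\
  TCP    10.10.1.5:3389         10.10.1.21:51022       ESTABLISHED
  TCP    10.10.1.5:50001        172.16.50.20:1433      ESTABLISHED
""",
}

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port) for ESTABLISHED IPv4 TCP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP" or f[3] != "ESTABLISHED":
            continue
        local, remote = f[1], f[2]
        if local.startswith("[") or remote.startswith("["):
            continue                                  # IPv6 rows: out of scope here
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        if ipaddress.ip_address(rip).is_loopback:
            continue
        yield lip, int(lport), rip, int(rport)

def build_edges(netstats):
    """Set of (src, dst, dst_port). The lower port is taken to be the service side,
    so a connection seen from both client and server collapses to one edge."""
    edges = set()
    for text in netstats.values():
        for lip, lport, rip, rport in parse_netstat(text):
            if lport < rport:                         # local side is the server
                edges.add((rip, lip, lport))
            else:
                edges.add((lip, rip, rport))
    return edges

def direct_connections(edges, target_cidr):
    """Edges that terminate inside the protected network."""
    net = ipaddress.ip_network(target_cidr)
    return sorted(e for e in edges if ipaddress.ip_address(e[1]) in net)

def inbound_sources(edges):
    """dst -> set of distinct source hosts."""
    by_dst = defaultdict(set)
    for src, dst, _ in edges:
        by_dst[dst].add(src)
    return by_dst

def hubs(edges, min_sources=3):
    """Destinations with many distinct inbound sources: bastion / database / file server candidates."""
    return sorted(d for d, s in inbound_sources(edges).items() if len(s) >= min_sources)

def to_dot(edges, target_cidr):
    """Graphviz DOT; nodes inside the target range are drawn as boxes."""
    net = ipaddress.ip_network(target_cidr)
    nodes = {n for e in edges for n in e[:2]}
    lines = ["digraph netstat {", "  rankdir=LR;"]
    for n in sorted(nodes):
        shape = "box" if ipaddress.ip_address(n) in net else "ellipse"
        lines.append('  "%s" [shape=%s];' % (n, shape))
    for src, dst, port in sorted(edges):
        lines.append('  "%s" -> "%s" [label="%d"];' % (src, dst, port))
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    edges = build_edges(NETSTATS)
    print("into CDE:", direct_connections(edges, "172.16.50.0/24"))
    print("hubs:", hubs(edges))
    print(to_dot(edges, "172.16.50.0/24"))
```

On the constructed data the grep finds two direct paths into the CDE (a workstation with an RDP session straight to 172.16.50.10, and the bastion's own SQL connection), and the fan-in ranking surfaces 10.10.1.5 as the hub three workstations RDP into. Run the DOT through `dot -Tpng` to get the picture the talk shows.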

So the next scenario is a little bit different. This one's not a PCI example; we do mostly PCI, but we do a little bit that's not. In this situation we're working with a product company that's concerned about public leaks about new products coming up, and so instead of looking for those cool sixteen-digit numbers, what we're really looking for here is the marketing assets for unreleased products. This messes up a product company quite a bit, because you might get somebody who decides, "I'm not going to buy the current round of stuff because I know the next thing's coming out." It messes up the sales projections and causes real problems for them. And I figured that, with this not being a PCI segmentation problem, there's probably not going to be a substantial segmentation boundary protecting that kind of information; I should just be able to do the regular exploit, escalate, post-exploit, find the thing, and then I'm done.

I don't know about you, but I tend to kind of overly romanticize my job, so I think of pen testing a network as some sort of medieval conquer-the-world scenario. I figure this company is some chunk of the world, and it breaks up into little fiefdoms, and then within those you've got towns and hamlets, and if I can just find, ultimately, the keys to the entire kingdom, then I'll just go to the part where the marketing people live and bada-bing, bada-boom.

So, doing all the stuff we were talking about before: I had gone through the file shares and found nothing. I went through all the netstats and didn't find anything that wasn't on the domain, or something interesting that I might be able to jump over to. I'm getting to that eleventh hour and just starting to think, oh no, this was supposed to be an easy assessment, this doesn't have any really substantial boundaries, I don't understand why I can't find these files. As I was saying before, pen tests have an objective. Sure, I can hack some stuff, but if I can't find where these things that they're concerned about protecting are, then maybe they're pretty well protected, and then I start to look like I don't have success criteria for my pen test.

One of the things I had gotten along the way, I think at the time what I was doing was trying to figure out what defensive suites they were using, was a listing of running services on all the systems in the domain. So in this listing you can see here we've got a variety of services running; this is just for one particular IP, and I have a thousand or a couple thousand of these, whatever it is. I thought, well, I'll just start looking in there, maybe there's something interesting.

So the first thing I did is just a quick visualization. You can see some services show up everywhere: every system has the Workstation service or the Server service or something like that. But then sometimes there are some others that are much less common, down here. These are the ones where there's only one system that has this service; that's going to be like the guy with the NVIDIA card or the guy with the HP or something like that, right? They're going to have some special hardware, some special drivers. And I started thinking, in this company there's going to be a group that puts together these marketing assets. It's going to be a team of people, I don't know, five to ten people, something like that, just guessing based on the size of the company, and I thought these would be the ones that are most interesting. Maybe there's some distinctive feature here that may lead me to my objective.

So as I riffled through the data and pulled out all the ones that just show up five to twenty times or so, I noticed that there were 12 boxes running the SolidWorks licensing service. Anybody know what SolidWorks is? Yeah, so SolidWorks is slightly too expensive for me to have, but I wish I did; it's a 3D modeling package. Since I got my 3D printer I'd really like SolidWorks. And I thought, I bet their new products have CAD models, so somebody is a CAD designer and they're putting these things together.

So now I have those twelve systems. Instead of looking at a thousand boxes and trying to guess where stuff is and just flailing about like mad, now I have specific targets: people that are interesting, or more interesting than other systems on the network. So I look at their systems and I find out why I never found any of this stuff on the file shares, and that is because they don't use the file shares. In most companies this would be a policy violation, probably, because they're putting everything on their C: drive, but that gets me the CAD models for the new products, and I have my success criteria.

I finished that up and I thought, wow, that was a really fun pen test; I just had that kind of lucky stroke there at the last minute. But then I started to realize how often I could have done something similar in other pen tests. How often can I find some sort of idiosyncratic data point that illustrates, or brings out, the fact that some groups of systems are different from others? So I started to think through, now as part of my modus operandi, that I need to have a bevy of different distinctive features I look for, things that will help me categorize the network, because I've only got three days, I've only got a week or whatever it is to do this assessment, and now I've got to understand 4,300 machines by the end of this week.

So you start seeing these things everywhere. Like, what if I had a listing of all the network interfaces on all the systems in the domain? Well, the guy that has that one VPN, or the guy that has two cards and is still homed into the CDE, or something like that; those show up pretty quick. Or what if I had a list of all the processes running everywhere? You find really interesting stuff there. Or every system that has a Cisco directory in Program Files; that's a distinctive feature you can easily scan for, it's just a shell script away. That helped me one time: I had an environment with tens of thousands of users, but only 300 people had a Cisco directory. Those are the ones with VPNs, and some of those VPN to the CDE, so now I can focus my attack.

I get there a lot faster. Instead of having to install a keylogger on four thousand machines and fry my box and probably tip somebody off, now I can focus on those specific targets and it leads me to the jewels. So think of this not so much as "oh neat, you could look at services and that leads somewhere." It's not just about services; it's a thought process where you say, I must find some data point that, with my current network position, I can collect from the network, and that may help me discriminate between different groups of systems and find the ones that are most interesting. And this is all non-exploitative. There's nothing exploitative about pulling a list of processes on a system; that's not hacking. Or is it? Because I'm using the computer in a way that maybe wasn't anticipated, and so no

one's ever gonna patch that as long as I got the creds now I've got a way to move through the network fast so next scenario is it's kind of fun I think we've made a couple references to it the idea already there are certain eternal vulnerabilities there are these these attack opportunities that will never go away because either they depend on something that no one's responsible for so like if if it isn't a vendors fault there will never be a patch right so like dumb passwords is an eternal vulnerability if someone's always gonna choose winter 2016 and no one can no one will patch that you can solve it with a filter but that's apparently painful so

nobody ever fixes it eternal vulnerability I will always try that now this is another one that's kind of fun when the pen tester sees something like this you know it used to be especially earlier in my pentesting career this would give me extra heartbeats because I'd be like you know it doesn't really matter how advanced a position I get in this network multi-factor is just going to shoot me down because I can't get hold of that token that that guy has and this puts me in a position of failure from the very beginning yeah but over time you start thinking about the problem and like patrick said there's no unassailable network there's always going to be something you can do even if

it's something that was outside the rules of engagement we should be able to think of something that could work anyway and then we start thinking well once we get super creative we start figuring these things out can we fit these somehow into our process can we do these in real time during the pen test so a couple years ago I presented a number of things that we do to bypass multi-factor authentication actually turns out to be a very fun problem it's a very compelling and the one I'm going to talk about today is not those ones this one's different didn't fit into that talk but and I actually find now I use this one more than any other if I

have a situation where we're using a bastion host that's a remote desktop and protected by multi-factor authentication and that's how I get into the CDE well this is actually my number one attack technique right now successful shockingly successful in many places and also very difficult to fix so in order to explain the scenario we're going to start with Bob yeah so Bob is your average mark one corporate employee Bob lives with the faceless masses in the infinite cube farm and he eats out his his existence and mostly ruled by harsh and unforgiving tasks mistress which is his outlet calendar I assume you guys have seen these before usually they're full of all kinds of meaningless meetings that just

take up nothing but time occasionally you get the joy of eating you get to go out at least once a day try to stretch that two hour and a half if you can then you know occasionally you have to be social you have to talk with the co-workers around the break room or maybe you go go get the Starbucks or something somewhere in the day and of course there's the biological imperative and this and this means if you think about the average corporate employee that most of the time most of the day their screen looks like this right and this is this is uninteresting we even think of this as a security feature this is something that keeps bad guys out but

underneath this screen if I could only get past it is an already logged in Remote Desktop session to the CDE if I can get into this then I get my success criteria I get active session right so I start thinking about well what am I gonna do I mean wait until Bob doesn't go to the CDE well watch Bironas screen locks Mimi cat says password right or key log it somewhere along the way and then I'll RDP to his desktop and I'll steal his session right I find some way to persist in the CDE maybe it's through DNS I think we're talking about that earlier I can tunnel that out or maybe ICMP or maybe the CDE can talk back out

to me or talk to the internet. I'll find something, it'll take me about five or ten minutes to figure that out, and then I don't ever have to do MFA again, I'm all set. So, as in a common theme, if you're in a small network this is easy to do, but it's also really low yield, because we might only have a couple users that actually access this crown jewel environment, so that means I gotta hope it happens at least once this week. Yeah, maybe it isn't so likely, but this is a fun attack method because as the environment scales the probabilities start to change, and so we might have hundreds of targets in a big company, or

some places we might actually have thousands of people that are regularly interacting with the crown jewel zone, and if I can only find this specific moment relevant to one of those sessions, then I win. So when we're looking at it, this is really, we're just playing the numbers here. If you've got enough people, then there's this small subset of people that currently have lock screens on top of active sessions to the CDE, and then I can execute this attack, right? So the point being, as the network grows in size, the little black shaded area approaches a probability of one that it exists in the network. So the challenge is we need to find people with lock

screens. If you search on Stack Overflow they'll say oh, use this function in this DLL, blah blah blah. I'd have to put some sort of payload on the system, and then I'm thinking, then I have to bypass the AV, I hope they don't have some sandboxing, Bit9 will drive me nuts, and that's really hard. And I'm a hacker, right, so hackers don't do hard stuff on purpose, they do fun stuff on purpose. And so the easy way is something we already talked about, and that is I just need to know when LogonUI.exe is running, because it happens that every time your screen is locked that process exists. So now I have this little four step attack:

I find connections to the target zone, we do that with netstat, like Patrick was talking about earlier. I find all the people with lock screens, as I just talked about in the previous scenario, to pull a list of all the running processes. I use the super leet hacking tool grep to calculate the intersection of those two sets, and then I use the also equally leet hacking tool Remote Desktop to connect to it, right? So think about this: all I have is creds, I found some way to escalate, and then the rest of what I'm doing is really system administration. It's post exploitation, but it's not really hacking per se, and there's nothing here that anybody can

patch without making their network unadministrable. So once I do this I get my list. I've got, you know, at any given time, what happens is I'll put this all together into a shell script and I'll just run it, and at any time through the day it'll come back with two, five, you know, seven IPs or something like that. Those are currently attackable entry points into the CDE. Now, one of the objections, there's some delicacy to the attack, right, it's not just fire-and-forget, but probably the biggest objection I've heard from people is they'll say that, you know, baby bear will come back to his computer and see that someone's been

sleeping in his bed, right? They'll unlock their screen and see all these scary windows up that he'd never seen before, or, you know, they'll see the mouse moving, but you know, along those lines, and then the jig is up, and I'm gonna have to worry about, you know, having to burn all my bridges on my way out. And it's actually not really a concern at all, because as I had started this scenario, there's one piece of information I absolutely have about Bob's day and that is his calendar, and I know he's going to be trapped in that change control meeting for an hour. If I do this and I see nothing on the

calendar, it's okay, I'll wait a few minutes, I'll find somebody else, I'll try the second IP on the list. It turns out that you can always find somebody where you can have reasonable confidence that they're not going to be at their desk for a little while, and it only takes you five minutes, ten minutes max, to tell whether you're gonna have an easy persistence vector on that box in the CDE. And then you're like one agent away from a persistent pivot, then you're swimming in the CDE network, scanning stuff, and probably having to tell them so that you don't bring down the CDE during your test. So this I think is really fun, like I said,

it's my number one technique now for MFA, just because it's so dumb I can't believe it works, but it's also really safe and very reliable, and it kind of doesn't go away if you're using RDP as a bastion host protocol. You gotta think about that, there are a couple things you can do. If you're interested ask me afterwards, I don't want to use too terribly much time on it, but there you go. All right, so then the last situation I want to talk about is one where maybe we've gained access, but to really find the data that we're looking for, to be meaningful for success criteria, we need to have a little understanding of

the business process. So we've talked a little bit earlier about, you know, developing this picture of the network and getting a little bit deeper understanding. So in this situation, you know, we've already gained domain administrator access, let's say, to the entire environment. Perhaps the customer has two domains, one for their high security network and one for their low, we've gotten both of those, we feel like we've got full access, maybe we have a bunch of Meterpreter shells open, or whatever your post exploitation payload of choice is, whatever it is. We know we've got the access, but we can't find the data we're looking for. So in a PCI pen test this might be we're

looking for that cardholder data. We've poked around, we can't find it, but we do have the access we need. So the thought process then might become, when you take a step back and think about, okay, we know that somebody somewhere in this organization is looking at this data, so we just need to understand who that might be and how we can leverage that. So a couple pieces of information that are useful, and actually this is kind of jumping off from what Josh was talking about before, where we're trying to build a clearer picture by looking at what's actually happening on our hosts. So we looked at who's logged

in to each host, we might look at what user groups they belong to in AD, what group membership they have, and then we can also look at an individual system, looking at what the processes are. So this becomes, you know, let's say that we don't understand a lot about how this client operates, maybe they're very large and they didn't tell you very much in your kickoff meetings, so we're trying to build a better picture of their processes by looking at what's actually happening on their systems. So in this situation my process becomes, okay, who's logged into what, what groups do they belong to, and what processes are

unique to those systems, to try to build that clear picture. In a large network this becomes tedious, and even with a little bit of awk and grepping you might have a hard time putting all these pieces of information together. That's when it might be useful to turn this into something that's a little bit easier to look at, so maybe using a tool to convert this into something like JSON, and now we can apply a little bit of data science magic, where we can turn this into something that's a little bit more meaningful. So now we have a graph of what users, groups and processes are unique and how do those group together,

especially in an environment that's large, where we have lots of users and lots of different groups. It becomes important to be able to identify how these things are put together. So in this situation we know something about, there's a marketing department, maybe some customer service, an IT department, we want to know a little bit more about how these things fit together. So once we look at that data set, now we can break this down a little bit further, we can identify which systems belong to each one of these groups, maybe what VLANs they're in, and now we can look at specifically what's going on on each of the systems. The first time I actually applied this,

the things that I noticed, or where things became useful in analyzing their business processes: everybody in the environment was using Google Chrome, which doesn't mean a lot, except for two groups were using Internet Explorer, which seems kind of strange because everybody hates it, so there must be some reason behind that. And what I found, looking at those groups, is that the customer service people were using Internet Explorer to access an application in the CDE, and that was really handy because Internet Explorer was caching some of the cardholder data locally on the machine, and using a little CC search magic we were able to find that information. So now

we're able to go from maybe something where we don't really have a great success criteria, we haven't actually found the data we were looking for, to identifying something that's really meaningful for the customer and helping them with the environment. So I think, in conclusion, I think one of the things that Josh and I really tried to hone in on with this is what are our thought processes. We've put a lot of energy into trying to mimic the bad guy, we actually want to think about how do we move through an environment, how are we leveraging things that are inherent to a system that give us the access that we're looking for,

but turning those into discrete thought processes, because I think communicating this in a way that helps maybe other pen testers, but also people on the defending side, see what are the things that you're doing that are built into the network that may be useful to a bad guy, or definitely useful to the pen tester, and where do those intersect. Excuse me, and hopefully each one of these sections was reflective of, you know, each one of those thought processes we're trying to get across. Any questions? ...doing your wonderful little SMB scan... I always see that, it's not too hard. So for recording purposes, the question is, if we're SMB scanning like crazy on the network,

yeah, how does somebody detect that? It turns out it's not too hard, it's just something that most people don't monitor too well. If you monitor authentication velocity or authentication volume, essentially, with whatever your SIEM or monitoring environment looks like, that'll be a good indicator. And I think one of the best detective measures you can have is not so much having a bunch of signatures that look for specific, you know, tools or exploit payloads or something, but if you just have something that says our usual authentication behavior in the network looks like this, it's this level, and then one day it's like 10 times that, somebody's doing something really weird.

Yeah, now be aware, I mean, so we're doing this as a professional service, we're there for one or two weeks or something, so we're gonna do it super fast, there's no waiting in between. Now if somebody's casing the environment in a more malicious scenario, the main way to keep from being detected is gonna be to slow it down, probably use a lot of different source points, and find some way to make it look as close to regular authentication as possible. I have actually seen a couple suggestions for, it's not a honeypot per se, but that you deploy, it's not quite a honeypot but it's similar, yeah, the idea that you have a certain account or a certain system

that is literally not used, yeah, specifically, I see this logged with, whatever, honey user, and whatever it's gonna be, and that way you could even configure specific rules: if anything ever enumerates all the shares off this system then somebody's scanning, because nobody uses that system for anything. So some of those are kind of fun thoughts to play with. I think you have to be fairly mature, industrially speaking, to be at the level where you can start playing around with those kinds of detection methods. Raspberry Pis with SMB shares that [inaudible], just to see if somebody's scanning for SMB, yeah, it's a red canary right there, yeah, perfect. Yeah, the

other one I've seen is like LLMNR and NBNS, everybody's favorite infrastructure vulnerabilities. If you have a system that logs in across the network with a disabled account, but if you ever see somebody at an IP other than that one authenticate with that account, then you know for sure somebody is man in the middle there, or proxying those connections, or they're SMB relaying, or something interesting with that, because no one can use that account. So yeah, there's some interesting things there.

yeah

Yeah, so we do a couple things. One is you have to make sure that your screen lock policies are the same in the secured zone as they are inside, or maybe slightly more aggressive, that way if the screen locks on this side then it's guaranteed that the remote desktop session has already locked, right? Another one would be that you require multi-factor to unlock the screen. Occasionally some people say oh, it's so inconvenient to have to MFA to unlock the screen, we'll just MFA to login, but you don't MFA to unlock. That's a really bad idea. The other one is to start thinking about, well, what does somebody need in order to carry this out?

I need to have remote code execution, probably, on that system, and these days we live in an era where there's no reason you can't turn the firewall on on a Windows client. It still boggles my mind how many conversations I have with implementers where they say oh, we can't turn the firewall on because something will break. It's like no, your domain will work fine, everything's a pull, like your system goes to the domain controller for the GPOs, it goes to the AV system to pull down, that's right. So it turns out if you firewall the workstation, well, then you force me to do something elaborate to get RCE on that box, right? So now I have to do things

like change the logon script, well, you can detect when someone changes your logon scripts, you could monitor the records in the directory, or you can monitor files in that logon location, etc. Or you make me do things like change GPOs, or I'm going to use the task scheduler or something in the domain to run something on that firewalled box. So if you start thinking about multi-layering your workstation environment, and in a lot of cases, because we're looking at a PCI scenario, you might have 10,000 employees but only 300 of them have to access the CDE, so that's only 300 workstations that you have to armor, so you can attack it a few different ways.

Anything else? [inaudible question] I'm sorry? Yeah, yeah, you can also train people, like it really should be the procedure to close your CDE window when you get up, just like you train people to lock screens. It kind of works, but unfortunately those are the scenarios where it's like the passwords again, all but two of the users in your network might choose good passwords, but it's the remaining two that bring the whole network down, right? So relying on training is difficult, but if you can automate killing that idle session, that's cool. Also application whitelisting, those kinds of things are really handy because it makes it hard for me to do my post exploitation things on your

system


[Applause]
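The two detective measures raised in the Q&A, comparing authentication volume against the usual level and alerting on any use of a decoy account from an address other than its own host, are easy to prototype. The following is an added example written for this page, not code from the speakers or from PSC. It assumes a hypothetical flat log format of `timestamp,source_ip,account,outcome` (real SIEM events carry more fields), a constructed sample log, and a hypothetical decoy account `svc-honey` whose only legitimate user is the host `10.0.5.20`; the tenfold factor is the "10 times that" figure from the talk.

```python
"""Authentication-velocity and honey-account alerts over constructed log lines (added example)."""
from collections import Counter
from datetime import datetime
from statistics import median

# Decoy account -> the single host that is allowed to use it (hypothetical values, constructed for this example).
HONEY_ACCOUNTS = {"svc-honey": "10.0.5.20"}


def build_sample_log():
    """Construct sample lines in the hypothetical 'timestamp,source_ip,account,outcome' format."""
    lines = []
    # Quiet baseline hours: a handful of logons per hour from ordinary workstations.
    per_hour = {"08": 4, "09": 3, "10": 5, "11": 4}
    for hour, n in per_hour.items():
        for i in range(n):
            lines.append(f"2016-11-01T{hour}:{i * 7:02d}:00,10.0.1.{10 + i},user{i},success")
    # One legitimate use of the decoy account from its own host: must not alert.
    lines.append("2016-11-01T09:30:00,10.0.5.20,svc-honey,success")
    # Noisy hour: one source address authenticating over and over in quick succession.
    for i in range(45):
        lines.append(f"2016-11-01T12:{i:02d}:00,10.0.9.77,user3,success")
    # The decoy account used from a different address: must alert.
    lines.append("2016-11-01T12:45:30,10.0.9.77,svc-honey,failure")
    return lines


def parse_log(lines):
    """Parse the flat format into (datetime, source_ip, account, outcome) tuples."""
    events = []
    for line in lines:
        ts, ip, account, outcome = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events


def auths_per_hour(events):
    """Count authentication events per calendar hour, keyed like '2016-11-01T12'."""
    return Counter(ts.strftime("%Y-%m-%dT%H") for ts, _, _, _ in events)


def velocity_alerts(per_hour, factor=10):
    """Return hours whose count is at least `factor` times the usual hourly level.

    The median hourly count stands in for 'our usual authentication behavior';
    a single noisy hour cannot drag a median baseline upward the way a mean would."""
    if not per_hour:
        return []
    baseline = max(median(per_hour.values()), 1)  # avoid a zero threshold on an empty baseline
    return sorted(hour for hour, count in per_hour.items() if count >= factor * baseline)


def honey_account_alerts(events):
    """Any use of a decoy account from an address other than its own host is an alert."""
    return [(ts.isoformat(), ip, account, outcome)
            for ts, ip, account, outcome in events
            if account in HONEY_ACCOUNTS and ip != HONEY_ACCOUNTS[account]]


def top_sources(events, hour, n=3):
    """Which source addresses drove a flagged hour; the first thing an analyst wants for triage."""
    counts = Counter(ip for ts, ip, _, _ in events if ts.strftime("%Y-%m-%dT%H") == hour)
    return counts.most_common(n)


def analyze(lines):
    """Run both detections over the log and return the alerts as plain data."""
    events = parse_log(lines)
    per_hour = auths_per_hour(events)
    flagged = velocity_alerts(per_hour)
    return {
        "velocity": {h: {"count": per_hour[h], "top_sources": top_sources(events, h)} for h in flagged},
        "honey": honey_account_alerts(events),
    }


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for hour, detail in report["velocity"].items():
        print(f"velocity alert {hour}: {detail['count']} auths, top sources {detail['top_sources']}")
    for alert in report["honey"]:
        print("honey-account alert:", alert)
```

On the constructed sample the 12:00 hour is flagged (46 events against a median of 4 per hour) and the single decoy-account use from `10.0.9.77` is reported, while the decoy account's own host stays silent. In production the baseline would be taken from a longer history rather than the same day's hours, and the honey rule should fire on failed as well as successful attempts, since a relayed or replayed logon for a disabled account will usually fail.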