
A lot of times, being on the defensive side costs you a lot of money, and actually it turns out that there's a lot you can do using open source stuff; not everything has to be super expensive. This is what our next speaker will be telling us about, so you're on.

All right, thank you very much. I'm very excited to be here. This is the second time I've been here, though my first time on stage presenting, and welcome to my talk: Low-Hanging Blue Fruit, Hacking and Defending Yourself Using Open Source Tools. Now, I always forget to introduce myself, so luckily PowerShell allows us to invoke credentials; here are mine. My name is Yvonne King, I have two degrees in computer science, and for over a decade now I have been a defender at the Central Bank of Israel. As of last year I also have an honorable mention at the SANS Holiday Hack Challenge CTF, which I was very proud to get, and you can also find me on Twitter at samurai.

Now, a question for you all: which one of you here in the audience considers themselves hackers? Raise your hand. Come on. OK, sure, most of you do not consider yourselves hackers. Remember that answer. Now, infosec conferences like to talk about the latest attacks, the sexy hacking techniques, and this talk is not one of those talks. You can go now.

What I'm going to talk about is actually give some tips and tricks about how to monitor, how to catch the low-hanging fruit, the really silly, simple stuff. And you know why? Because it's still there, and we need to raise the bar for the attackers. But I'd like to start with a story.

In 2016 my boss got the authorization, the permission, the budget to send me on a pilgrimage. No, sorry, not to Mecca, but rather the Mecca of hackers: a SANS course at Black Hat, and later on DEF CON. It took me about two months of bureaucracy to get everything sorted out. By the time I was finished with the bureaucracy, I was done. The week before my flight I suddenly got an email from HR. They said that due to turbulence, political tension, the state of Turkey, all flights from the Bank of Israel to Europe and the US were canceled. Five minutes later I got an email from my boss. He said, did you see that letter from HR? I said yes. What do you think? He said, I did all I could, it's two months of bureaucracy, I think you should talk to HR. So I decided to dismiss the elevator and just run seven flights of stairs up to HR. I burst through the door totally breathless, and the woman there, she was on the phone. She gave me a weird look. I tried to explain myself, which is kind of hard after running up seven flights of stairs, and when she was done giggling she gave me another weird look and she said, your boss is telling you to do silly stuff. It's at that point I realized I was being punked. Apparently a team member, by order of my boss, had sent a spoofed email from HR, from that person, to me, saying that my flight was canceled.

So a week later I did fly to Black Hat, I took a SANS course, later on it was DEF CON, I had a blast. But whoever I got into conversation with, I told them what my boss did to me and asked for their advice: what would they have done in my place? I even got an answer from Kor Adana, the head technical assistant to the Mr. Robot series. He told me what he did to a coworker in a former workplace. But none of the answers were good enough for me. I wanted to go on an entire spear-phishing, targeted campaign against my boss. I love him to death, but he deserved some retaliation. The only problem is, I had no idea how to do it.

So I started researching: SMTP headers, how to spoof emails, the From, the To, the recipient, all those different headers, how to spoof an email. Eventually I managed to spoof an email from his boss to myself, to my mailbox, something about the latest Gartner convention and insights from it. So that was good, but I needed a weapon; I needed to weaponize that email. So I decided to go for Office, which is one of the best weapons there are, and apparently one of the formats you can save a Word document in is the 2003 XML format. In it, the macros are saved as a binary blob that's encoded as base64. The XML tag for that is called docSuppData, and even the beginning of that encoded binary blob, if you decode the base64, starts with ActiveMime. So I encoded the malicious macro and sent it to myself, but our email filtering system blocked it. I was stuck.

Then a while later, for some reason, God knows why, I decided to look at that binary code, at that base64-encoded string, and re-encoded it a second time and sent it. First of all, the macro worked, the document opened, and second of all, when I sent it to myself it bypassed the filtering system. So apparently the filtering system was looking for the regular base64-encoded string that decodes to ActiveMime, but now it was looking at a different string and didn't recognize it. I tried the same trick again a few days ago, just to upload something to VirusTotal. I created a VBA reverse shell, Meterpreter, the basic of basics, and did this thing, and the count dropped from like 50 to less than 14 different engines that actually recognize it. This simple change.

Next thing, I had to bypass the email sandbox, but bypassing a sandbox is not too hard if you realize what its weakness is, and that is human interaction. So instead of the regular AutoOpen macro, which runs just when you open the document, I changed it to a different macro which runs when you scroll down to the next page, which I was sure my boss would do. So I managed to get everything to my mailbox. Oh yes, everything was set to go.

So it was Thursday afternoon. I sent the email to my boss and was waiting for a reaction, when he comes to my office. He said, listen, this is Thursday afternoon, nothing good will come out of this, go home. Now, in Israel we work Sunday to Thursday; Friday and Saturday is the weekend. And he was about to go home, but as he was trying to close his computer he saw an email from his boss, something about the latest Gartner conventions and insights from it. And my boss, oh, he dislikes Gartner, so he had to open that email and see what his boss wanted. And it was an Office document, so he looked at it and even moved content, because some of the graphs there weren't drawn visually well enough, and of course the document was boring, just regular stuff you'd find on Gartner and no insights whatsoever. So he closed the document, and then he saw this on his desktop, and a few seconds later all the documents and pictures he had on his desktop changed to .script. My boss's heart missed a few beats. That minute he called me up on my extension. He says, OK, listen, are you in the office? I said, yes, you're calling me on my extension. Can you come to my room please? So I walk in with a straight poker face: yes, what's going on? And I yanked his chain for a few minutes before divulging that it was all me and that I didn't just unleash ransomware before the weekend on the entire organization.

But that got me thinking about how I myself can possibly try and hack my organization, to make it better, to go to the next stage of defending it. So here are a few tips and tricks I found along the way.

The first one is overriding EDR products. Now, who's everyone's favorite cat? Some would say this dude, others would say this guy, but this is a security conference, so we're probably all thinking the same thing, right? Benjamin Delpy's famous Mimikatz tool, which allows us to dump user credentials from memory. Well, I was messing around with Mimikatz and I kept getting caught by the AV, so I tried various variants. I found, let's call it a variant, Kiki Mott. So I was messing around with a Kiki Mott sample and I kept getting caught by the EDR product, but I wanted to bypass the EDR product. The only problem is: dammit, I'm on a blue team, I'm not a pen tester, I don't know how to evade such products. But I had a sneaking suspicion certain files were looked upon more favorably than others, whitelist-wise, let's say files with certificates from known vendors. So enter our tool of choice, SigThief. SigThief is a Python script that takes a file with a certificate in it and just rips the certificate apart and embeds it into a different file. So I took my Kiki Mott sample and I took Process Explorer from Sysinternals, which has a Microsoft certificate, and I just got a totes-signed Kiki Mott sample. I'm sure what you're thinking right now, and you're right: this certificate is totally invalid, it has nothing to do with the file it's embedded in, it's just there. But guess what? When I tried that trick, it completely bypassed the EDR product and I was allowed to run Mimikatz. So I told that to the EDR company. They were surprised; they asked for my totes-signed Kiki Mott sample, I gave it to them, and two weeks later I got an updated version of the product, and now the same trick doesn't work anymore. So I have just raised the bar for the attackers.

This next section I like to call PsExec in My Pool. Everybody's familiar with PsExec: it's a tool that's used by sysadmins and attackers alike, who like to live off the land. It allows us to run remote commands on a remote host, and it does it by sending a file to the remote admin share, which is C:\Windows, and also it creates a service with the same name, and then through RPC named pipes you can send it commands to the remote host and also get the output from those commands. So that's on the red side, but how can you monitor the use of PsExec in your organization? Because it's OK for me, for the sysadmins, to be using it, possibly, but if a secretary in HR is, something's fishy here. It's not too hard, because you can look at the System event log in Windows, which has 7045, a service was installed on the system. Now, an attacker can change the name of the file; he also can change the name of the service that is being run. But there are two things that he probably can't change using PsExec: the fact that a file will be created in the admin root, in C:\Windows, and the fact that it's going to be a service as well. So even if I have a totes-legit PsExec, I can still find it, and according to my personal small experience not too many services are run from the C:\Windows folder. So once you clear out some regular organizational noise, you get a pretty good signal-to-noise ratio to catch some potential candidates for PsExec.

Password spraying. Password spraying is something we hear a lot in the news for the past year or two, and it sounds very elaborate, but it's actually a pretty simple technique. A lot of companies have fallen prey to it; Citrix would be one of them. But all you have to do, really, is take a list of users and a list of passwords, or just one password, and you enumerate all those users with that password, or the list of passwords, and see if anyone is using a weak password. So on the red side, if you want to try it out, there are many tools to do password spraying. My personal favorite is Beau Bullock's, @dafthack; he's from Black Hills Information Security, and his tool is Invoke-DomainPasswordSpray. It's a PowerShell script, very easy to use: you just give it a single password and then it iterates over all the users in the organization for that password, or I can give it a list of users and a list of passwords. Now, don't worry, it's not going to lock any of the users, because it's only gonna try each password on each user no more than two or three or four or five times, depending on the code; you can always change that. So we won't lock any of the users.

Now let's say an attacker has compromised a machine in the organization and is currently activating a password spray. How can you monitor, catch them in the act? That's not too hard as well, because we have the Security log event ID 4625, an account failed to log on. Now, if you correlate those events into your SIEM product and you try to catch, let's say, more than ten of those events in less than a five-minute period, or a one-minute period, and it's not Monday in the rest of the world, or Sunday in Israel, where everybody's coming back from their vacation and holidays or the weekend and can't remember their passwords, hmm, you might be dealing with a password spray. You can also look at the different logon types: you have the interactive type, which is number two, or network, which is number three, or RDP, which is number ten; it gives you more information.

So this password spray exercise got me thinking about my own sort of organizational password behavior in my own organization: how many people were using weak passwords? I wanted to find that out. Now, if you're a hacker, one of the Holy Grails you're after is this file, NTDS.dit. This is the database file which holds all the users' password hashes, and it's located on the DC, on the domain controller. But if you're a defender, you already have the keys to the kingdom; it's no problem, you can get to that DC. And there's even a built-in utility in Windows called ntdsutil which allows you to take a backup of that file, including the SYSTEM hive in the registry and the SAM, and you can copy it, let's say, to C:\temp. Our next tool of choice is one of the Impacket library files; it's a Python script called secretsdump. You give it that directory and it outputs a file with all the names of the users and all their password hashes.

The next thing I did was use a tool of choice, I'm sure some of you are familiar with it: it's called Excel spreadsheets. So I started taking those hashes and grouping them together with users, creating clusters, and you know, most of the clusters were not clusters at all; they were a cluster of one, meaning one user with a unique password, not necessarily strong, not necessarily weak, but unique. But then there were other clusters, bigger clusters, that had 18 or 60 or 88 users all sharing the same password. Now listen closely, because this might be happening in your organization as we speak. I checked those users out, and you know what? All those users were applicative users and infrastructure users, not human users: users used by commercial products to access the domain, databases, on behalf of the regular users. And that told an entire story, because I realized that whenever the sysadmins were tasked with creating a new user, they created a new user, and there's only so many passwords they can remember in their minds, so they just used the same password over and over again. And guess what? One of those users was a domain admin account. So if someone compromised that password, they just had the password of a domain admin. So: do not share passwords with your friends. So a solution would negate the need for the sysadmins to generate strong passwords and remember them, so it needs to be something, hmm, a machine, a computer, maybe a password vault of some kind, something that can generate strong passwords and save them for secure viewing later, so that humans don't have to.

A while later I was looking at a pen test report done on us by an external pen testing company, and I was reading through the pages, and one of the pages was talking about weak users, and a list of users that had a weak password. That got me thinking, I was pretty curious, because how did the pen tester know how many people had weak passwords? Luckily the report had a screenshot of a logo, of a name of a tool. I looked it up; it was free. Now, due to legal reasons I can't divulge the name, but I wanted to know not just who has a weak password, I wanted to know how weak is weak: how many were using "password", or with a capital letter for a stronger one, "12345", or "12345!"? I knew the tool knew; it just didn't divulge that information. So I had to enhance the tool's capabilities. But dammit, I'm on a blue team, I'm not a reverse engineer. But I did know one thing: I knew that certain programs in .NET, in C#, if they were compiled in debug mode, compiled with all the symbols and the source code inside, could be decompiled. So enter a tool of choice, ILSpy. ILSpy is a tool that allows you to do just that: if the file is compiled that way, you can just throw it into the tool and it will output an entire C# project which you can load into Visual Studio, which I did. It took me about two days to compile it and get the code running again, because ILSpy is not perfect; it had some broken references and it lacked a few references which I had to put in. Eventually I got the thing to run, but I realized that this tool is not so much a hacking tool, it's more of an assessment tool, because you have to run it with domain admin credentials on the actual domain controller. But apparently I couldn't debug the code live, dynamically, because the sysadmins, they don't like it when you try to install a Visual Studio IDE on their domain controller. So I did go a different route and go for a code review and static analysis. It took me some more time to go over the various functions, trying to understand the workflow of the tool, but eventually I got to the actual class in it, the actual function that took a weak password from a pre-configured password list, hashed it, and then compared it against all the hashes of the users on the domain controller. So all I had to do was add one line of code: not just true or false that the user had a weak password, but what the password actually was. So now the report came in with a list of users and their list of weak passwords, for any weak password found. And I have curated a password list from various sources and then refined it, so what I did was just take those passwords, let's say "password", and then add "password1", "password2", up to "password10", so I could see not just who had a weak password but who was running around with the same schema of password, something that just comparing hashes would not have told me.

I have a lot more time than I thought, so I'm gonna give up another story. One of the extremely weak passwords I had found belonged to a user from IT, someone who always claimed to be security aware, security conscious, and he always went into meetings talking about how we need security; he even took a CISO course to understand security better. And he had an extremely weak password. I had to make him think of that password, that he needed to change it. How could I sort of prank-ishly tell him that he needs to change his password? So my organization does Outlook Web Access internally, so I logged in as him, and there's an ability to change the icon, the profile picture, to something else. So I changed it to, are you familiar with the statue, the thinking man? Well, there's a meme out there, it's probably a famous meme, of the facepalm, and that's what I did. Apparently it was too white; he didn't even notice. So I waited a week, heard nothing. So I decided to schedule an appointment with my boss, every day for a week, talking about password policies, with him being the organizer. Nothing happened, because he was so busy with other projects; every time he got a pop-up of a meeting, he just canceled it. A week later he talked to my boss and asked him, what was it, I know I had some meeting with you for the past week, and my boss was none the wiser, so he said, I don't know. So the guy just shrugged his shoulders and left. I started to escalate, so I decided to go back to the profile picture. Apparently it wasn't colorful enough, so I decided to change it to a picture of Disney's Pumbaa from The Lion King. That's big, that's colorful, that gets attention. So he realized he was being hacked by someone from IT. The first thing he did, he changed his password. When I ran the report again, I couldn't find it anymore. The only problem, which I didn't think of, is the fact that he still thought he was being hacked even a week later, because apparently some people were communicating with him through email, and when you get the profile picture of someone it stays in your cache, so everybody kept on getting Pumbaa pictures of him every time they sent him an email, even though on the server that picture didn't exist anymore. So after that he came to me, and I told him: the truth? I have no idea who's hacking you, it's not me.

I also found out that 25 percent of my users had, shall we say, a popular password, and out of that, 43% were human and 57% were applicative. And that's something: getting that visibility is an agent of change. Now we can do something about it, now that we know the problem exists.

So to conclude: when I started this talk I asked you which one of you out there consider themselves hackers, and most of you did not raise your hand. But the question is, what is a hacker? And it's a good question, and I'll go ahead and give you my personal interpretation of it. You see, being a hacker is not a skill set, it's a mindset. So if you have a curious nature, if you like to know how things work, if you question authority, if you want to know what lies in those gray areas between how a system is supposed to work and how a system actually works, then you might be much more of a hacker than you've previously thought of yourselves, because today I know I am. Thank you very much.

[Applause]
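The two detections the talk describes, as an added Python example that is not the speaker's code: the PsExec-style service install (System log event 7045 with the service binary dropped directly in C:\Windows, whatever the file and service are called) and the password-spray burst (Security log event 4625, many accounts failing from one source inside a short window, with the logon types carried along). The event dictionaries are constructed samples, and the field names, the ten-account threshold and the five-minute window are assumptions, not any product's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service binaries installed straight into %SystemRoot% (what the ADMIN$ share maps to),
# not into a subfolder such as System32: PsExec drops PSEXESVC.exe there, and the location
# survives even when the executable and the service are renamed.
SYSTEMROOT_EXE = re.compile(r"^(?:c:\\windows|%systemroot%)\\[^\\]+\.exe\b", re.IGNORECASE)


def suspicious_service_installs(events):
    """Service names from 7045 records whose binary lives directly in C:\\Windows."""
    return [e["service"] for e in events
            if e["id"] == 7045 and SYSTEMROOT_EXE.match(e["image_path"].strip('"'))]


def password_spray_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """One alert per source host whose 4625 failures cover >= threshold distinct accounts
    inside a sliding window. A spray is one password tried against many users, so counting
    distinct accounts per source separates it from one user mistyping repeatedly."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_source[e["source"]].append(e)
    alerts = []
    for source, fails in by_source.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(fails):
            while e["time"] - fails[start]["time"] >= window:
                start += 1
            burst = fails[start:end + 1]
            users = {f["user"] for f in burst}
            if len(users) >= threshold:
                alerts.append({"source": source, "distinct_users": len(users),
                               "logon_types": sorted({f["logon_type"] for f in burst}),
                               "first": burst[0]["time"], "last": e["time"]})
                break  # first burst per source is enough; other hosts are still scanned
    return alerts


# Constructed sample records (not real telemetry), in the shape a SIEM export might have.
T0 = datetime(2019, 6, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    {"id": 7045, "time": T0, "service": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "time": T0, "service": "UpdateSvc", "image_path": r"C:\Windows\updsvc.exe"},
    {"id": 7045, "time": T0, "service": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 7045, "time": T0, "service": "VendorAgent", "image_path": r"C:\Program Files\Vendor\agent.exe"},
    # One user mistyping twice from their own workstation: normal noise, not a spray.
    {"id": 4625, "time": T0, "user": "alice", "source": "10.0.0.9", "logon_type": 2},
    {"id": 4625, "time": T0 + timedelta(seconds=30), "user": "alice", "source": "10.0.0.9", "logon_type": 2},
] + [
    # Twelve different accounts failing from one host within two minutes: a spray.
    {"id": 4625, "time": T0 + timedelta(seconds=8 * i), "user": f"user{i:02d}",
     "source": "10.0.0.5", "logon_type": 3}
    for i in range(12)
]

if __name__ == "__main__":
    print("services installed from C:\\Windows:", suspicious_service_installs(SAMPLE_EVENTS))
    for a in password_spray_alerts(SAMPLE_EVENTS):
        print(f"spray from {a['source']}: {a['distinct_users']} accounts, logon types {a['logon_types']}")
```

The renamed UpdateSvc is flagged alongside PSEXESVC because only the drop location is tested, while the two spoolsv and vendor-agent installs and the single mistyping user are left alone.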