
Hey, well, welcome to our talk here in the red room. It's tough being the first talk of the day, particularly when there's a BSides party the night before, so thank you to all of you who were there last night for making the effort to come down this morning and listen to what we've got to say. So what we'll talk about for probably the next 45 minutes or so: we'll be discussing some of the advances in red team tactics that have come to light over the past twelve or so months, and we've tried to cover a broad range of areas, starting from the outside with reconnaissance and infiltration, through to establishing C2 and lateral movement,

and we'll talk about some of the things that we found most interesting, including the tools and techniques released by other researchers as well as some of the tools that we've developed that have proved useful to us during our engagements. Most of the tools that we'll talk about we have released. We gave a slightly different version of this talk at SteelCon a couple of months ago, and we released a lot of tools off the back of that, but you can find them all on the MDSec ActiveBreach GitHub page.

So my name is Dominic Chell. I work for a company called MDSec and I have overall responsibility for the company's CBEST and STAR red team services. This is my third BSides Manchester talk, so I guess I must be doing something right because they keep taking me back.

Yeah, I'm Vincent Yiu and I work alongside Dominic on the ActiveBreach team at MDSec. This is my first BSides Manchester talk.

So from our perspective, over the past few years we've really noticed much more focus being paid to red team exercises, particularly over the past twelve or so months. We've had a lot more clients coming to us asking about red team exercises over traditional penetration testing. Now, I'm not exactly sure why that is; I suspect it's to do with buy-in from the regulators. So we've seen the development of structured frameworks that provide a more formal approach to conducting red team penetration testing with backing from regulatory authorities. We've now got things like the CBEST scheme, which is backed by the Bank of England; we've got the TIBER scheme over in Holland, which is backed by the central bank of the Netherlands; and we've got the iCAST scheme over in Hong Kong.

So, like yin and yang, as red teaming becomes more prominent, so blue teaming advances: advances in defensive controls, the wider adoption of sandboxing and of technology such as Microsoft ATP, Device Guard and Credential Guard, as well as the rise of threat hunters, that is people who are proactively and iteratively looking for threats within an organisation, are making red teaming considerably harder. So, as such, red team tactics must evolve, and that was really the inspiration for this talk, because we believe there have been some really interesting developments over the past twelve or so months. So I'm going to pass you over to Vin; he'll talk about some of the advances in reconnaissance.

So the traditional sort of reconnaissance that you perform on a red team is mainly to profile a target organisation: you might try and profile the employees, you might try and look for their infrastructure on the Internet, and things like that. But here I'm going to focus on email collection. So I guess a lot of the time
on our reconnaissance activities we want to obtain a list of email addresses for a target organisation, to be used in activities such as password spraying on the external infrastructure or even spear phishing. So email collection has traditionally been performed using search engines such as Google and Bing, social media like Twitter, Facebook and LinkedIn, and if you're lucky you might find an email address somewhere like that. So traditionally email collection is performed using tools like theHarvester or Recon-ng, but we found some issues with these sorts of tools. So here I'm going to focus on LinkedIn and explain why we're looking at LinkedIn.

If you look on the right-hand side you can see the employee's name, the organisation that they work at, their role and title, and their geographical location, so this will be of interest if you're trying to scope down an engagement to a specific region. More importantly, it allows you to search by organisation, so if you just type an organisation name in at the top you can navigate to their company page, and after you click on that page you can see that there's actually a link that says "see all 16,000 employees on LinkedIn", so when you click on that you'll have a list of all of that organisation's employees.

So the issue here was that, despite all this useful access on LinkedIn, most of the tools that we found were broken, either due to the new UI updates on LinkedIn or because they were based on using an API key. So we created a tool called LinkedInt to overcome that. The idea of LinkedInt is to streamline the collection process, so ideally if you're on an engagement all you want to provide is a target company name and maybe a domain, and a few minutes later you hope to get a large list of emails that you can potentially use without too much faffing around. So this scraper is actually based on Danny Chrastil's scraper; we basically went ahead and fixed some of the UI updates and also added email format prediction using the Hunter API. So here's a quick demo of the LinkedInt tool.

All right, so we begin by running the LinkedInt tool. This is what you would see. I'm using General Motors as a test case, so I type that in; it asks a series of questions and I put generalmotors.com here, and I quite quickly realise that's not the right domain, google it a bit, and it's actually gm.com, so I fix it up. I put "yes" here to perform the email format prediction; it finds that it's first.last@domain.com and then it begins scraping. Here you can see it's actually skipping a lot of headless profiles that it's found. A headless profile is basically a profile that the current account I'm using cannot see because it doesn't have a third-degree connection to that target. So to improve the results from the tool you can use an account and begin connecting with employees within that target organisation; if you manage to connect to someone that's quite popular within that organisation then you can see a lot more of their employees.

So these are the sorts of formats that are available: there's an HTML format in the form of a report for easy browsing, and it includes their role, title and region. That's good, but it's not useful if you're going to put it into other tools, so there's also a CSV format. This allows you to just highlight the emails column, or you can even do filtering on location, like the United Kingdom, and then select specific employees to be put into other tools, which we'll talk about next.
So now I'm going to pass it back to Dominic to talk about infiltration.

So infiltration is sometimes one of the hardest parts of a red team. Traditionally there's been a lot of focus on things like phishing, but the blue team has really wised up to this tactic, so unless you're creating particularly low-noise, targeted spear phishing campaigns there's a good chance that you might get spotted. So we were particularly interested in other vectors for targeting corporate networks aside from phishing, although sometimes, I do have to admit, it may just be as simple as creating a carefully crafted email, sending it to your target and asking them to run a Python command on the terminal of their MacBook, as poor old Colin found. But to our dismay, in this case we found ourselves giving Colin tech support because the version of Python and OpenSSL on his Mac wasn't compatible with our payload.

So there have been some really interesting developments in targeting Exchange environments over the past twelve or so months, and there's been some impressive tooling released, tools such as MailSniper and Ruler. These can all be used to target and perform password guessing attacks against Exchange and, in some cases, inject arbitrary OWA rules to gain code execution on a user's workstation. So with that in mind we started to think about other kinds of exposed, AD-integrated services, and one of them that kept popping up for us was Skype for Business, but unfortunately we couldn't find any real research or tools on how to attack these services, so we started to investigate this ourselves.

So Skype for Business, or Microsoft Lync as it was formerly known, typically comes in one of two flavours: either an on-premise Skype for Business server, or a hosted server using federated authentication, so you may have something like that integrated into Office 365, for example. Fortunately, identifying whether an organisation is using Skype for Business is really trivial, and typically there are DNS entries because the service supports autodiscovery. So what you'll find is there'll be a DNS entry such as lyncdiscover.<company domain> or lyncdiscoverinternal.<company domain>, and if those DNS entries don't exist it's quite trivial to find the service anyway: the panels are quite distinctive, so you can find them on things like Shodan. So we were interested in how widespread Skype for Business was, and we ran a quick DNS enumeration of the Alexa top 1 million, and what we found was that roughly 26 percent of them were using it, and of those 3.7 percent were using Office 365. Now, as I mentioned, because Skype for Business integrates into AD, we believed this might provide an additional opportunity to identify AD credentials from the internet, but unfortunately there are no tools really around to communicate with these services.

So what we went on to do was develop a tool called LyncSniper. LyncSniper was basically a tool that we created that would allow us to perform authentication to Skype for Business deployments. When we started to investigate what types of authentication Skype handled, we found that it supported NTLM, Kerberos and OAuth. We basically opted to go down the route of OAuth, really because it was the most simple to use; what we found was it was as simple as creating a POST request with a grant type of password, then supplying a username and password and sending it to the service. This is obviously after you've done any autodiscovery steps, but given the service supports NTLM and Kerberos there is also potential for doing things like pass-the-ticket or pass-the-hash type attacks against Skype for Business.

We then started to look at how Office 365 did authentication. Unfortunately it didn't actually support the OAuth method that we'd already implemented for the on-premise servers; Office 365 actually used WS-Trust and RST authentication, which are the core protocols used by Microsoft security token services and ADFS. But this was quite well documented on MSDN and we were able to implement this into our LyncSniper tool, so it supported not just on-premise servers but also Office 365, and eventually we were able to create a tool that could perform password spraying and password brute-forcing against Skype for Business deployments. So I'll give you a quick demo of the tool now and you can see how it works.
So essentially the tool is based on a PowerShell script, and all I'm doing here is just proving that I've got some users in my text file, and then there's a PowerShell cmdlet called Invoke-LyncSpray to which you supply the list of users and a password to try, and it will basically test that password against all the users. Initially it will do all the autodiscovery steps, it will find out where all the service endpoints are, and then it will attack them. So you can see in this case we've been able to find a valid user called doodlebug@mdsec.co.uk with the password Welcome1. Obviously we don't actually use Skype for Business, so this account doesn't exist any more, but you're welcome to give it a try. So you can find LyncSniper on the MDSec ActiveBreach GitHub page.

So while describing Skype authentication I briefly mentioned the concept of federation, but I didn't explicitly explain what it was. Officially, Microsoft describe it as a way of providing single sign-on across trust boundaries, but unofficially it's actually a way of exposing Active Directory to the internet, which is pretty awesome from an offensive perspective. So essentially what it allows you to do is implement federated services, things like Skype for Business, things like Exchange, and integrate them into Office 365, but it also allows you to share the identity of someone within your organisation across trust boundaries with trusted business partners. So that might be from one domain to another, for example Company A to Company B, or it might be Company A to Microsoft themselves if you're using something like Office 365.

So why is this interesting and why is it relevant to Skype? Well, when we started looking at attacks against Skype, what we discovered was this really interesting option in the Office 365 admin panel. You can see on my screenshot up here the External Communications tab, and there's a simple tick box which says "let people use Skype for Business to communicate with Skype users outside of your organisation". So what does that mean? Well, it basically means that if I'm the company and I've got external communications on, then any other user who is using Skype for Business with federated authentication can actually just go ahead and talk to users within my organisation. So this is pretty good if you want to do things like targeted or directed spear phishing via Skype for Business IM-based messages, and we can also do things like user enumeration, we can get a list of the contacts within an organisation, and we can also get presence awareness, that is whether a user is online at a given time, which could be useful if we're doing something like a physical red team exercise.

So what we actually went on to do was create a new Office 365 account with a username of Skype Support, and you can see on the left-hand side we've got the attacker screen, this is what the attacker would see, and he's basically sending a message to the Joe Bloggs user saying "oh, there's a new Skype update, you really need to download and run this executable", and on the right-hand side this is what the Joe Bloggs user would see: all it says is "Skype Support: we've got a service announcement", providing him a link. So I think that's relatively convincing; the only real hint to the user that it's not from within that organisation is this option up here where it says "external network". Now, if Joe Bloggs was maybe wise and he went to look at the contacts, what he would actually find is the email address for our Skype Support user. Well, in this case what we went on to do was, we managed to find a Microsoft domain that had just expired and we went and registered it, so we've actually got a skype.support address on a recently expired
Microsoft domain. So hopefully that would work, and we've used this on a number of red team engagements and it's been relatively convincing.

So moving on from infiltration, but in a similar area, I'm going to talk about some of the things we've seen developed from a defensive evasion perspective, that is tricks that have come to light for evading specific security products or blue team monitoring tactics. So, as the first line of defence, the corporate web proxy provides a really good place to firm up your defences, and one of the controls that we often see organisations implement or introduce is limiting the sites that can be accessed through the corporate proxy through the concept of categorisation. A lot of companies consider categorisation to be a security boundary; we don't, and you'll find out why. So what categorisation does is it will effectively black-hole any sites that aren't categorised. Maybe you want to limit your users to only visiting, say, financial or government sites, for example; you can do that with categorisation. Maybe you want to stop them accessing sites of a certain genre, such as adult sites or sites containing profanity; again, you can do that with categorisation. Now, this can be a problem during a red team exercise because it means that our phishing site or our command and control site ultimately needs to be categorised, and if we're creating a new domain it won't be categorised.

So the typical approach to this has been using tools like CatMyFish or Domain Hunter. What these tools do is they will search online and find expired, recently expired or soon-to-expire domains, and basically allow you to go and purchase these domains, or snipe them, and these are domains that have already been categorised, so you can use them because they've got safe categorisations. The downside to this is really that it's hard to find target-relevant domains or maybe typosquat domains. Say, for example, we're targeting Bank of America; we might want to register a domain like bankofamericavpn.com or something like that, because it would add authenticity to our phishing campaign, but the problem with this is that that domain wouldn't actually be categorised.

So what we started to do was research how categorisation was performed and how proxy sites were actually determining what category a site should go into, and we found a number of flaws in this process, and we ended up developing a tool called Chameleon. What Chameleon allows you to do is basically take any given host and categorise it against whatever category you want for the supported types of proxies, and at the moment it supports Blue Coat, McAfee and IBM X-Force, which are some of the biggest proxy sites. But not only that, what we found was that the domains didn't actually really have to exist, so we can see up here we were able to categorise an "evil" domain that didn't even exist as banking, and now any user who's using IBM X-Force thinks that that is a banking site, or we were able to categorise foo.com as, again, finance and banking, and any user who's using any of the McAfee products for proxying will think that this is banking. So that was pretty useful. So I'll give you a quick demo of our Chameleon tool.

OK, so I'm basically just creating a new DNS entry; you can see I literally just create c2.apt1.info, and just to prove that it resolves I'll do a quick lookup on it, so you can see it's got an IP address. So I've literally just created that host. I'm now going to run Chameleon and I'm going to tell it to categorise this as banking. The way it works is basically, we found in the way Blue Coat does its categorisation that if you cloned a certain site and you made some sort of changes to the actual content on the site, Blue Coat would be fooled into thinking it was the same category as whatever the primary site was. So in this case we cloned bankofamerica.com and you can see Blue Coat now thinks it's financial services, and we can go on and verify this by just going to Blue Coat's site, because it is instant, and on Blue Coat's site you can verify what the category for any site is just by popping the domain in and checking the rating, and we see now Blue Coat's services think that c2.apt1.info is a financial services site. So we can now go on and use this in our phishing and C2.
So I'm going to hand over to Vin; he'll talk a little bit about sandboxing.

So traditionally antivirus has been heavily based on signatures, known signatures, as a way to detect malicious content. There might be some heuristics, but I don't know how successful those have actually been; you know, last night I was just trying to bypass NOD32 and that was quite trivial, it was just an hour's work or whatnot. So the idea of a malware sandbox is to perform automated malware analysis on the target file that you're not sure whether it's malicious or not. This also allows organisations to start bringing these capabilities in-house without actually having to hire the expertise, because then you just need to buy the appliance. So what this does is it will execute a file within a controlled and isolated environment. The idea of it being isolated is that it shouldn't connect out to the internet, it shouldn't be able to communicate with anything on the internet, but, you know, like VirusTotal, all the sandboxes will connect out to the internet for whatever reason, so you can start looking for issues within that sandbox to key off and not execute within that sandbox, but that's another issue. So what it will do is, when it executes, it will examine what the file does when it's executed and it will look for malicious indicators. Malicious indicators, and this is outside my expertise, but usually it looks for stuff like writing to the registry, creating new services, connecting out to target domains, and it sort of observes the traffic.

So we're going to do a quick case study on the popular FireEye Malware Protection System, the Web MPS and the Email MPS. In a lot of organisations that we've come across, usually the issues with deploying the sandbox are due to the architectural design and configuration within that specific environment, and it also sort of depends on the appliances that you might have bought. With FireEye I think they have loads of different types of appliances, and I looked on the website: if you want to SSL decrypt you have to buy another SSL decrypting appliance. So if you've got the cash to splash it'll probably work out OK for you, but if not you'll start having some holes in your security even after you buy one of these appliances. Another thing we came across was a number of limitations with sandboxes in general, but here we're going to talk a bit about FireEye's limitations. In terms of file types, it does sandbox the regular binaries, so executables and libraries, and the Office malware documents, so your regular .doc, .docx, .docm, .xls and .xlsm and maybe PowerPoint files as well. It will also take archives, extract the binaries and sandbox the files within them, and it will also sandbox shortcuts. What we found, at least from our observations over a long period of time now, is that it doesn't sandbox HTML Applications and it doesn't sandbox JavaScript files, so you can basically send the target an HTML Application that stages off PowerShell or something and it will just let that file through anyway. This is mainly due to, what I think is, it doesn't know what to do with these file types because that's not been written into the sandbox.

Additionally, FireEye appears to use predefined guest images. If you have a look in the web interface there are limited configuration options, to be honest; looking on the website, it says they roll out new guest images every month or so, I don't know how true that is. So the issue with predefined guest images is that if an attacker gets access to one of these appliances you could trivially reverse engineer these guest images and start looking for variables that you could key off and begin evading these sandboxes. And because FireEye uses these predefined guest images, you could also pretty much guess the sandbox image: say it's a Windows machine, underneath it wouldn't be domain joined, and because you can't modify it you can't necessarily domain-join that particular image onto your domain, and if it's not domain joined and you expect the target to be on the domain, then you can basically do a domain-joined machine check sort of thing to bypass this sandbox.

All right, so other than sandboxes, we've come across a lot of security operations centres that are beginning to look at process spawning, and in particular what I mean is process spawn
chains, I mean process spawning relationships, parent to child. So say if you were in cmd.exe and you spawned notepad.exe, you might see cmd.exe spawning notepad.exe. So here are a few examples to explain what I actually mean. If a SOC analyst began to see mshta.exe spawning powershell.exe then it might alert on that, and Empire, Cobalt Strike and Metasploit Framework HTA payloads will actually do this sort of spawning. In Metasploit, let's see, the hta-psh format: when you execute the HTA it will spawn in an mshta container and it will basically just spawn PowerShell underneath that.

Also, command line logging seems to be a thing now, quite popular, so a SOC analyst might look for words like -EncodedCommand or any substring of -EncodedCommand down to around -enc. Long PowerShell commands might be a suspicious indicator because, say, if you're a developer in an organisation, you might not necessarily be running really long PowerShell commands over a command line; you might actually be expected to just run PowerShell directly and start working from within that. So now for a few bypasses. If they look for -EncodedCommand or any substring, quite regularly I have seen in some environments that the -ec shorthand is actually overlooked because it's not a substring. So that's probably something, if you're on the blue team, you should make sure you're looking out for as well, and if you're on the red team it's probably safer to use that instead of -EncodedCommand. If you're using the regular ASCII dash in your payload, you know, if we're using a Western keyboard we'll type a dash and we'll get this short dash, but if you actually open up the Character Map and look for the Unicode character U+2015, it will be a slightly longer dash that gets interpreted the same way as the regular dash. There are actually a few more dashes that you can use, also Unicode, but I've just labelled one here.

So what if they're looking for words like the cmdlets Invoke-Expression or Invoke-WebRequest? Invoke-Expression, if you don't know, basically executes a string that gets passed to it as PowerShell; Invoke-WebRequest makes an HTTP connection to the Internet and then downloads, say, a file. So I've got a quick proof of concept up which basically bypasses some of these sorts of checks if you were looking for those keywords and cmdlets. What this does is it spawns PowerShell within PowerShell and then spawns calc. The nslookup call against help.vincentyiu.co.uk will basically do a DNS TXT record lookup for that domain, and the result will be calc.exe, which then gets passed to the call that executes the binary, and then basically it just pops calc on the screen. It was just a quick proof of concept.

Then Daniel Bohannon earlier on in the year released Invoke-CradleCrafter, and this does the Invoke-WebRequest type lookup but obfuscates it. With traditional cradles, you know, there are all these signatures, but if you take a target PowerShell script on the Internet that you want to stage off or execute, then you can pass it into Invoke-CradleCrafter and it'll spit back out an obfuscated cradle that you can copy and paste to execute on the machine.

So now what if mshta.exe spawning powershell.exe is being detected; how do we overcome that? Matt Nelson has actually made me aware of the SWbemLocator COM object, which you can instantiate and basically use to create powershell.exe with a different parent. What this does is it uses WMI to spawn the process, so instead of mshta.exe spawning powershell.exe it will be WmiPrvSE.exe spawning powershell.exe, and if the defender is not looking for that as well, this might sort of bypass the range of checks that they have.

Additionally we created a tool called PowerDNS, or Dom did, more specifically. What this allows you to do is, if we go back to that proof of concept where we were using nslookup to do this DNS staging, you could actually do a full stage: say if you wanted Meterpreter or something, you could stage Meterpreter entirely over DNS. So say if you send the target a payload and they receive it by email but they don't have internet access from the target machine, but they do have DNS because the DNS server is configured to do external lookups, then you could use this to stage the payload entirely over DNS and get command and control on that machine. So, yeah, traditional cradles are potentially blocked by proxies and filtering, but DNS is another story; you can't really categorise DNS. There probably are more advanced DNS servers nowadays, but not that I'm aware of, so DNS is actually quite common as an egress channel, sort of thing, but not necessarily for staging payloads over. So Dom created this tool; let's have a quick look at a demo to show you what it does.

So basically the way the tool works is, when we run it up here it actually gives you your download cradle; you can see it gives you a very short PowerShell one-liner that you can just pop into something like an HTA file. You could obfuscate it if you wanted to, but we've got an example HTA here which I'm going to run, and it will basically execute the download cradle, and when it runs you can see it generates a bunch of DNS requests. So in the first block we actually create a staged payload which is retrieved by the download cradle, then executed, and that basically tells it the order where all the other blocks from the PowerShell script are, and then it will retrieve all those blocks by DNS and implement them in memory without touching disk. You can see up here we've actually got a Beacon implant back on our Cobalt Strike command and control, so that basically gives us a way to completely avoid doing any kind of web requests, and we can maintain everything over DNS if we wanted to.
All right, so now I'm going to talk a bit about command and control and the sort of advances around that. That's not Vincent, by the way. OK, so the topic of domain fronting has been quite popular over the past months, half a year or so. For those of you that don't know it, domain fronting has traditionally been used by services such as the Tor service, and it basically helps bypass censorship issues in certain countries. I'm not going to go too much into it, but in our specific research we looked into the CloudFront content delivery network, which is Amazon's. What this allows you to do is connect to any Amazon edge node and specify a Host header for a target instance. So if it's my malicious instance, I can connect to an edge node and say I want to get data from my malicious instance, and they will grab it from my instance. To put it into more context: if you connect to, say, a0.awsstatic.com and give it a Host header of myinstance.cloudfront.net, looking for a cat.jpg or something, then that cat.jpg might not exist on a0.awsstatic.com but it exists on my instance, so when you do this sort of request you'll be able to actually grab the content from my instance and get that cat.jpg. So, moving on a little bit: even a0.awsstatic.com gives us a more trusted domain to use, and there are actually CNAME records I found that you can use with CloudFront. So if you're an organisation you probably don't want to be using random-guid.cloudfront.net as your own content delivery domain, because then it doesn't look good, right? So you might want to use, say, cdn.bankofamerica.com or something.
So I went ahead and scanned the Alexa top 1 million for CNAME records, and I came across roughly 15,000 on my first run, so it's quite a large list. What's more interesting is that a lot of these sorts of organisations use it: we've got financials like api.hsbc.com that you can use, there's some government entities in the USA, so that's pretty good if, say, organisations are only allowed to read government websites through the proxy, for example. So there are a few shortfalls with domain fronting. It only works if the proxy is not RFC 2616 section 14.23 compliant, which basically means, when you specify the domain that you want to grab data from, the proxy is supposed to rewrite the request and fix the whole setup. We found one anomaly in the Sophos web gateway: when I tested it I was not expecting it to work, but for some reason Sophos just doesn't rewrite the end request. And if you go on the admin panel it actually thinks that you're connecting to (I was using the CDN of the Arizona government) the government website, when it's in fact a C2 channel. So this can also be quite useful if you've already infiltrated the organisation and you want to set up a long-term covert communications channel, because someone might less suspect a government website of being the C2 channel. So after you've done the infiltration it's quite easy for you to perform internal recon to determine whether you can actually use domain fronting through a specific web gateway. Also, if there is no root CA installed on that machine, it's probably quite unlikely the proxy will be able to SSL-inspect that traffic, and if it can't SSL-inspect it, it might work both ways: if it doesn't drop the packet and it routes it through, then the integrity of your packet is maintained and it'll work as well; if it decides to drop it because of the configuration, because it can't inspect that traffic and doesn't want to let it out of the organisation's local area network, then it won't. So here's a quick demo of domain fronting.
So on the left here I'm doing a DNS cache listing just to show that there's nothing there. Then I've run the domain fronting payload; you see the initial request to the Arizona government CDN, and you can see it on the left in the DNS cache now. Basically you can use as many domains as you want in one payload, or you can just rotate between them, so you can have a thousand domains or something, and if they start blocking one or two they have to go through the whole thousand. That was just me doing something on the weather to prove this is a C2 and it's all functional. So I go ahead and list the DNS again and I can see there are different IPs: each one resolves to a different edge node, so you've got more IPs to beacon out to as well. And a quick look at the contents: it's connecting to the Arizona government CDN and it actually specifies my particular CloudFront instance.
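As an added defensive example (not a tool from the talk), here is a proxy-log check for the Host/SNI mismatch that domain fronting depends on. It assumes a TLS-inspecting proxy that logs both the TLS SNI and the HTTP Host header in the field layout shown; the field names, timestamps and the cloudfront tenant name are constructed, and, as noted in the talk, without the proxy's root CA on the host the Host header is not visible to the proxy at all.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CDN suffixes whose edge nodes serve any tenant's origin based on the Host header.
FRONTABLE_CDN_SUFFIXES = (".cloudfront.net",)
# Assumed log format: "<timestamp> sni=<tls sni> host=<http host header> url=<path>"
LOG_RE = re.compile(r"sni=(?P<sni>\S+)\s+host=(?P<host>\S+)\s+url=(?P<url>\S+)")

@dataclass
class Finding:
    sni: str
    host: str
    url: str
    reason: str

def check_request(sni: str, host: str, url: str) -> Optional[Finding]:
    """Flag a request whose Host header names a different server than the TLS SNI.
    A proxy honouring RFC 2616 s14.23 treats the Host header as the request target,
    so a mismatch with the SNI is exactly what a fronted request looks like.
    """
    if sni.lower() == host.lower():
        return None  # consistent request, nothing to report
    if host.lower().endswith(FRONTABLE_CDN_SUFFIXES):
        return Finding(sni, host, url, "Host header names a CDN tenant behind a different front domain")
    return Finding(sni, host, url, "Host header differs from TLS SNI")

def scan_log(lines: List[str]) -> List[Finding]:
    """Run check_request over each parsable log line and collect the findings."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unparsable or non-HTTP entry: skip it
        finding = check_request(m["sni"], m["host"], m["url"])
        if finding is not None:
            findings.append(finding)
    return findings

# Constructed sample log lines (not real traffic); the cloudfront tenant name is a placeholder.
SAMPLE_LOG = [
    "2017-08-17T09:01:02Z sni=a0.awsstatic.com host=a0.awsstatic.com url=/js/app.js",
    "2017-08-17T09:01:05Z sni=a0.awsstatic.com host=d1placeholder.cloudfront.net url=/cat.jpg",
    "2017-08-17T09:01:09Z sni=cdn.example.gov host=example.com url=/",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.sni} -> Host: {f.host} {f.url}: {f.reason}")
```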
So a bit about lateral movement. Traditionally there's PsExec, WMI, PowerShell remoting, COM, or even RDP that you can use for lateral movement, but not in, say, a heavily firewalled network. So I've got a bit about a tool that I wrote called RDPInception. It abuses the fact that a lot of people mount their local disks in RDP sessions, so you expose a \\tsclient\C directory, and basically what you do is you put this proof of concept into the Startup folder of the RDP session that someone RDPs into, and when they log in it will infect the host machine, and when the host machine reboots next time you'll get a shell on that host machine. So that's basically how it works; we're a bit short on time here, so I'll speed up a little bit. So here's a sort of scenario: a systems admin is RDPing into the management jump box, and for some reason from there he's RDPing into the domain controller, and then from the domain controller RDPing into the file server, and from there into a compromised database server. So if we start deploying RDPInception on the database server, next time he logs in from the file server with drives mounted, it will infect the file server. So it's of interest because the database server might not be allowed to connect back out to anything, with only 3389 inbound to the database server, so this sort of allows you to pass that gap. A quick survey on Twitter of cyber security related people: around 50 percent said they actually mount their drives, just to give you an idea of how applicable this is. I'm going to pass you back to Dominic.
So I'm going to very quickly talk about a tool called BloodHound. We couldn't really talk about advances in red team tactics without mentioning it; it's one of my favourite tools. This tool
was released about a year ago. Essentially what BloodHound allows you to do is use graph theory to provide visual mappings of AD environments, and not only this, but you can use these mappings to identify paths for privilege escalation by looking at the relationships between different nodes. What I mean by this, well, let's look at an example. Let's say we phished a user called Alice. Alice is a member of the helpdesk group, and the helpdesk group is a member of a group called Support, but that may not necessarily be immediately obvious to us; BloodHound will actually figure that out by analysing all the relationships between AD objects. And let's say the Support group actually has admin rights on the SharePoint server, and at that current time there's a domain admin with a logon session on the SharePoint server. Now that is a very useful path for escalation which may not be immediately obvious to us, but BloodHound will create something that looks a little bit like this. Up in the top-hand side we can see we've got the Alice user, and we can see Alice is a member of the group called helpdesk, the helpdesk group is a member of the group called Support, Support has got admin rights on the SharePoint server, and the SharePoint server has got a DA session logged on. So we can basically use that information to very quickly go straight to where we want to go and escalate privileges. So Vincent actually went on to automate some of this and created a tool called ANGRYPUPPY. What ANGRYPUPPY does is it's basically a Cobalt Strike Aggressor script which will import some of the JSON output from BloodHound, and it will automatically execute the BloodHound attack path and pop you an SMB Beacon implant on each of the compromised nodes until you get to your target node. So we'll give you a very quick demo of the ANGRYPUPPY tool.
So here's the attack path that we've already determined we want to use, and we export it as a JSON file. Then I'm going to the Cobalt Strike terminal and type in angrypuppy, and we can then select the JSON file that we want to execute, so the attack path that we want to execute, and the type of pivoting that we want to use. I'm going to use SMB. Then it will go ahead and just execute this attack path; there's only two hops here so it won't take too long. So it's executed the first hop; it then goes on and grabs credentials that it knows should be on that box, and then determines whether it needs to pass the hash or make a token, then it moves on to the final box that we want to get onto, and then it tells you when it's finished.
So you can pretty much use ANGRYPUPPY to streamline a lot of the post-exploitation process on a red team engagement. But it didn't really stop there for BloodHound. In May this year they released a major update which now included access control lists as an attack path. So basically BloodHound will now map out all the ACLs that protect all the relevant AD objects, so all the users, groups and computer objects in an Active Directory, and identify misconfigured access control entries that can be used for an escalation path. So it will find things like the force password change attribute, which will basically allow you to change the password of a target user without actually knowing their current value. So it might be functionality that's used by a helpdesk, for example, where they can reset all the users' passwords, and we can obviously use that: if we compromised one of those accounts, we can use that misconfigured ACE to basically compromise any other user within AD and escalate privileges pretty quickly. It will also identify things like the GenericWrite attribute, which basically gives you the ability to update any non-protected target object's parameter values. So for example there is a script path parameter which, if it's misconfigured, you can modify, which will allow you to control the command or script that will be
executed the next time a user logs on. So aside from BloodHound there was also some relatively interesting Active Directory research performed over the past twelve months, and the thing that really stood out was the work that was done by Ben Campbell, Will Schroeder and Benjamin Delpy. Essentially at the heart of this research was the concept of Kerberos delegation, that is the ability to give a service a token that allows it to impersonate another user. In order to do this the service account needs to have the TrustedToAuthForDelegation flag applied to it. But to avoid the concept of unconstrained delegation, that is where you've got a ticket granting ticket that allows the server to impersonate any service or machine on the domain, which is obviously a bad thing, Microsoft introduced the concept of Service for User to Self (S4U2Self). S4U2Self basically implements an additional AD attribute, msDS-AllowedToDelegateTo, which basically dictates the specific services that the tokens can be used to authenticate to. So what does this mean from an offensive perspective? Well, offensively, if we're able to compromise a computer or user object that has this TrustedToAuthForDelegation attribute applied to it, then we can impersonate any AD user to that SPN. Research done by Alberto Solino from Core Security basically highlighted that it wasn't just these specific services that we compromised, but we could actually compromise any service that was running as that given target user, and ultimately this often leads to full host compromise. There were then major updates to the PowerView, Kekeo and Impacket toolkits which basically allow you to request the relevant tickets and go on and actually exploit these issues. So, wrapping up, what's next? Well, the past twelve to eighteen months have been pretty exciting from a red teaming perspective, and advances in blue team tactics have really meant we've needed to evolve. Personally I think we'll start to see a lot more research in defensive evasion; as organisations start to adopt Windows 10
more widely we'll probably see more Device Guard bypasses and more attacks against Credential Guard; they'll probably come under much closer scrutiny. Hopefully we'll see some additional AD research and uncover some more hidden gems like the S4U research that I just mentioned. And generally speaking I expect the area of red teaming will grow further, perhaps with more sector-specific frameworks similar to CBEST, TIBER or iCAST, with support for other sectors. So finally, just thanks to all the researchers that we mentioned during our talk; I'd go and follow some of these guys on Twitter if you're interested in red teaming, they kick out a lot of interesting stuff.
If you're interested in any of the tools that we talked about today, here's the link to the MDSec ActiveBreach GitHub page where you can pretty much download them all. And that's it. Any questions, please?
No questions? No questions. Excellent. [Applause]