
The BSides DC 2017 videos are brought to you by ThreatQuotient, introducing the industry's first threat intelligence platform designed to enable threat operations and management, and DataTribe, a new kind of startup studio co-building the next generation of commercial cybersecurity analytics and big data product companies.

My name is Brandon Arvanaghi. This mic picks up really well, so I'm going to stand back a little bit. Welcome to Beyond the Domain. This is a higher-level talk about some interesting places you can find information on red teams, and I'm going to dive into a tool I created called SessionGopher as well, which helps you find segmented hosts, jump boxes, and UNIX systems.
A little about myself: I'm an associate consultant at Mandiant, which is a subsidiary of FireEye. I'm actually from Northern Virginia originally; I went to the Potomac School in McLean, Virginia, and then moved to Alexandria, Virginia, but right now I'm based out of New York at Mandiant. I've been doing a lot of tool development and some red teaming, and in general I like to program. I went to Vanderbilt University and studied computer science and economics there. I'd also like to mention that I'm here hiring. I love coming to these community events and security organizations, whether you're super skilled and technical or you're here to learn and hungry. I firmly believe in my referral bonus, so by all means: you may think it's the same if you talk to any Mandiant employee and they refer you, but it's not, you should come to me instead. Seriously, after the talk come on up; I'm happy to talk to you all, take your resume, that kind of thing.

So let's start with open source intelligence gathering. SPF records stand for Sender Policy Framework records, and they're actually part of the TXT record in DNS. As an attacker, these can give some insight into what services a company is using. What it does is, if I want a different company to send emails on my behalf (this article right here talks about LinkedIn allowing DocuSign to send emails on behalf of LinkedIn), then I have to authorize them in my SPF record for my company, for my servers. So I would explicitly say in my SPF record: if you see an email from LinkedIn but it's actually from DocuSign, it's allowed, because I gave them authority to do that. What that does for us as attackers is that if I'm attacking LinkedIn and I look up their SPF records, I see who they've authorized to send emails on their behalf, and that means I know DocuSign is one of the companies they use as a service; essentially they're using it for their document management. Knowing that presents some really interesting phishing opportunities: I could say I'm from DocuSign and send it to an internal LinkedIn employee, and they might believe, "hey, this is actually one of the services we use, I must have forgotten to change my password," or whatever the situation is. Right here is a TXT record that shows the SPF part, and this is an example: you see the "v=spf1", that kind of thing. It'll tell you, for the site you're attacking, essentially who they've allowed to send emails.

Another good source of OSINT is looking at subsidiary companies. Most people, when they're targeting a company, look at the IP addresses associated with that company, so they'll go to bgp.he.net or ARIN and look up IP ranges that are owned by the company. But a lot of times the weakest link is actually one of their subsidiaries. Huge organizations have tons and tons of subsidiary companies, and often these subsidiaries don't have the infrastructure that the parent company has; they don't have the manpower, they don't have the technical prowess, so they might actually be the softest point of entry. There's a really cool way to enumerate these subsidiaries: public companies have to submit filings to the SEC, and one of these filings is called a Form 10-K. Is anyone familiar with a Form 10-K? Great. Within that is a section called Exhibit 21, and within that you can see the subsidiaries. This is Pepsi as an example; if you click on this it will enumerate every single subsidiary they have, and this is publicly available. You go to sec.gov, or you just Google "Pepsi subsidiaries", this will come up, and it'll list them all just like this. Frankly, if I was going after Pepsi for an engagement I might start at one of these subsidiaries, because they're watching their corporate servers and corporate networks like a hawk, so subsidiaries might actually be good ways in. On my engagements at Mandiant we always look at the Exhibit 21 filings.

Who here has played with EyeWitness before? Right, it's a great tool. My colleague and friend Chris Truncer wrote it. What it does, after you get your ranges of IP addresses that you want to target (so you get a bunch of subsidiary companies, you find their IP ranges, you get related networks, etc.), is you can do an nmap scan across all of them and find out what web ports are open, 80 and 443, and normally this is a ton for big companies. If you run EyeWitness and feed it that nmap output, it'll take a screenshot of every single open port 80 and 443, and any other port you provide it. Not only that, it'll tell you if there are default credentials that are typically used for that kind of thing, so if it finds an Apache server with an admin interface exposed, it'll say these are default Apache credentials, and you can just go through like this image here. It's a really clean interface: you see the source site, you see the screenshot, you see any default credentials associated with it. It's a great way to synthesize data. It's called EyeWitness.

Another kind of clever source of intel when I'm on red teams, to find information about the company and how to move laterally, is chat logs. A lot of chat logs are not formalized by the company; they might use a third party, or they might have their own internal chat that everyone uses, it could be proprietary, but these chats always log somewhere, right? To see that history, it's logged somewhere. In these logs people are always talking about sensitive information, just like in emails, but this is more readily available. If someone says "hey, can you reset my password quickly, this was my old password," or "hey, what server do I need to connect to to get this resource," this always takes place in chat.
Think of your own companies; this probably happens. We can go through an example. Skype, for example, logs the chat history in a database file, and these are the different paths for it on Windows, Mac, and Linux. We can actually go through this main database, main.db, and see some of the messages. I pulled this up on my Mac and opened it in a SQLite browser, and these are the tables that come in that main.db file. There's all sorts of interesting stuff: you have Messages, which will tell you the content of the messages, Contacts, Participants, Chats, really good stuff. If we actually break out into Messages we'll see what the structure looks like. This is what I'd do on a red team: I'd go and extract that file, put it in a SQLite browser, and I'll see these Adele lyrics coming up, and you could read through and search for things like "password" and strings like that. This one right here says "come over, my parents aren't home." I don't know, should we click on it? If we click on it we'll see the full body. If you guys want to click, that's fine, we'll do that. You shouldn't have clicked on it: it's Chris Hansen with Dateline NBC.
Help desks and intranets. Every company typically has a help desk or intranet site, and it's normally just on a server without any kind of segregation; it's just a port that's running open on the network, so if I plug into any jack on the wall at a company I can see this server and interact with it. The issue is that there's lots of useful information on these. As red teamers we try to dig and dig for information in every corner; this site tells us the information without us asking. It's amazing. On our real engagements we've had instances of finding password files, intentionally saying "if you need to log on to the point-of-sale servers, here are the credentials." Beyond that, it'll give you network diagrams, all sorts of stuff. These sites often either don't require authentication, or when they do, they're not segmented, which means that if you're a salesperson or a marketer you can look up PCI information and network diagrams all day, because they're not divided based on access walls or anything like that. On literally every single one of my engagements I have tried to search for keywords like "PCI" or "network diagram" on an intranet site like this (this is just an example), and I've gotten really good information. Every time I type in "PCI", I see where the PCI environment is, and this is often a goal we establish for ourselves as red teamers, trying to find the credit card information.

Now let's talk about personal accounts. I want to give a little disclaimer here that it is virtually never in scope to go after personal accounts of people at the organizations you're targeting, but if you find yourself on an engagement where that is in scope, like a small company or a startup, this is kind of an approach. Startups and small companies, in my experience, have been the hardest targets. First of all, they have a very limited attack surface: they have one website, maybe they host it in the cloud somewhere. Phishing them is a nightmare, because it's ten people in a room; when they get an email they say to the other people "did you send this?" "No." "Okay, it's phishing." So if you are just given the attack surface of the company itself you might not have a lot of luck, but these individuals present all sorts of opportunities: they have a ton of accounts not related to their company's website or their company accounts. Again, this is never in scope on a real engagement, but for smaller engagements it might be, so targeting the employees is where this comes into effect. This is what a real bad attacker would do.

There's a site called namechk.com. Has anyone heard of this? One, maybe two, okay. It's a kind of interesting tool: it's a way to find available usernames online. People like to have the same handle; us weirdos have the hacker handles that we use across every site, and we try to make it the same everywhere for branding purposes, right? This site tells you where the username is available, and therefore it also tells you where it's not available, and if someone has a name that nobody else would use, you'll know where it's already taken. I'll give you an example. This is the namechk interface: when you go on there it does domains, it does usernames, and it goes way down (this is truncated, but the username list goes way down). If you type in a handle, for example, you see how the internet scurried like rats to get every kind of username. I don't know what they're doing with this, like a Pinterest account? But these are all the ones that have been taken. So if I'm a bad person and I look for a specific handle that I know an employee has, I'll know that they have an account here, here, here, and here, and if there's password reuse anywhere they're in deep trouble: if I find it for one place I'm going to find it for a lot of other places, and that allows me to move, kind of like Spider-Man, from one account to the other until I get into their corporate account. This is where breaches come into effect. There are all sorts of open source password breach dumps online, for the LinkedIn breach, all sorts of different services, so if you find that that username is taken somewhere and you find that password in a breach, you can test it there and then move across the other accounts that you know they have, which this enumerated for you.

Now let's talk about Outlook and Office 365. This is a clever way in if you don't have physical access or a beacon into the environment you're targeting, but you have credentials and you know that they have Office 365. Then you can actually get in with a cool tool called Ruler. Has anyone heard of Ruler? A couple of people. I'll talk about that in a second. But Office 365, and especially Outlook, has a global address list, which is a really wonderful source of information. If you have credentials and you can authenticate to their Office 365 or their Exchange instances, you'll get names, titles, phone numbers, the organizational structure of everyone in that organization; essentially it's whatever their IT staff puts in, but you know the hierarchy of every employee, where they're situated, their phone number, their boss, everything. You talk about spear phishing; this is honestly fishing with dynamite. If you can't get in after getting this information, you have a problem; you should be able to get in with this kind of information, and that's happened for us. On previous engagements I've had breach data, so passwords and credentials from public breaches, and we've been able to go in and get their global address list and use that information as a vector to get into the company again. We just used their email address to get the information about every single person in the company, and then we sent targeted emails to those other individuals we were targeting. "All this information makes us very happy." I had to add that one, I'm sorry.

So here is Ruler, which I was talking about. Ruler is also a good way to eliminate the middleman and use Office 365 access to execute code on the system you're targeting; essentially it allows you to run code on the underlying system. If they open up the Outlook application on their system, Ruler can inject malicious code into that system just by them opening their email, essentially. Down here it says what it does: you can download the global address list, like we just talked about, but the malicious mail rules make it so that if you send an email with a trigger word, for example, then that trigger word will create a beacon back to your computer; it will run malicious code. It's an amazing tool. It was released, I believe, at Troopers this year, and you should look into it.

Secret sharing. This is becoming a little more common; some companies have secret sharing servers, kind of like a password manager for the enterprise. There are also secret sharing servers specifically for managing passwords on-premise, on a server, and being able to share them across other users. This can be dangerous because it's centralized within your environment, and that bookmark, if someone's saving that bookmark on their computer, in their Chrome history or Firefox history, it'll be the same everywhere; they're all using the same secret server internally, and a lot of times your Active Directory credentials will work the same to access it. If you open this up, for example, this is what the real interface would look like: it shows the password for any service you want, it shows you the machine and the username, and you could search for something like "I want credentials for mail, I want credentials for this resource, that resource." So secret servers are becoming more popular and becoming a better place to target on red teams as well.

Proxies. Some applications that require internet access have to go through a proxy on the network, and those proxies often require credentials to get out. For example, some Java applications will need the credentials for that proxy to be able to ping out and download packages, etc., so IDEs often have these credentials hard-coded. I'll give you an example in a second. These are a couple of instances on the right: you can use system proxy settings or command line JVM settings to pass in the proxy information. Basically what developers will do is put the credentials for the proxy in their IDE so that when the application is running, the JVM gets those arguments and it'll just be able to go through that proxy seamlessly. This is a really bad screenshot in hindsight, but you can see this is IntelliJ, and there's a JAVA_OPTS variable right there, and that variable is where the user would put the username and password for the proxy they're trying to get out of. So if there's an IDE on the system you're targeting, you can look there for a credential for the proxy.

Now I'm going to talk about the tool that I created, called SessionGopher,
specifically to find UNIX systems, segmented networks, and jump boxes. We used to see completely flat networks, but companies have gotten better, and rightfully so, at segmenting their networks and their traffic. A lot of times there'll be a jump box you need to access to get into a PCI environment of hosts; a lot of times you can't interact with other hosts because there are things in between. And a lot of companies are adopting more Macs and Linux systems on their critical infrastructure now; it's not just Windows anymore. So the problem is that we try to find these UNIX systems. Let's talk about UNIX systems first. Often on our engagements we find that intellectual property, for fashion companies for example, is all on MacBooks; point-of-sale terminals are often on Linux systems, and these are goals we're tasked with: they task us with finding these systems. But these systems are both not Windows and not domain-joined. If they're domain-joined Windows systems, it's easy to find everything; we have that down to a science, we have PowerView, we have BloodHound (I think Will Schroeder did a great job on both of those), and it's well documented how to find Windows systems because Active Directory's job is to tell you where they are. But how do we find Linux and Mac systems?

So the current methodology that we have: we can do a couple of things. You can run nmap, basically in the dark, right? You don't know where the system is, you're just going to point it somewhere, run it on this subnet and hope for a Linux or Mac port to be open that you would see. You can run netstat on every Windows system you see and look at where it's communicating, and whether there's an obvious Mac port connected there. Or you could do something like look in AD Explorer for an Active Directory group called "Linux admins" or "Mac admins", find their hosts through something like an SCCM server, find their Windows hosts, and look for clues on that box about where their Mac might be, that kind of thing. But if you notice, this is all about happenstance; these are shots in the dark. If you're dealing with huge companies you can't just run nmap and hope to find a host; it's like pointing the Hubble telescope at a black spot in the sky. It's a bad analogy, because you actually find something if you do that, okay, but it's not effective, it's not efficient. There's a better way to go about this. Not only that, these rely on active hosts; they rely on active connections to Macs and Linux systems from Windows boxes, or on systems that are currently up. So we were wondering: is there a better way to find Macs and Linux systems without them being active, with a more targeted approach, a way to know for sure where they are? And we're getting closer with that.

So here's our solution. HKEY_USERS is a registry hive on Windows, and it has persistent storage of saved session information for some remote access tools. The users don't have to be currently logged in, but if they've logged on to that system before and they've used remote access tools like WinSCP, PuTTY, or FileZilla and saved the session in those tools, it gets logged persistently to HKEY_USERS. Our thought process was this: though UNIX systems might not be domain-joined, there are often Windows systems that are, and that communicate with these systems, right? Windows systems often manage Linux and Mac systems, so there's obviously an artifact on some Windows system in the environment that would tell us exactly where the UNIX and Linux system is, and the HKEY_USERS hive is where that would live. Within the HKEY_USERS hive is saved session information: there are remote access tools on these Windows systems that communicate with these Mac and Linux systems, that's the point. If we can look for these tools, if we can look for artifacts of these tools on Windows systems, we'll know the IP address, the username you need, and the password to access those Mac systems. We'll find them.
Within this hive, I'll show you what it looks like. This is HKEY_USERS on a system. The ones that start with S-1-5-21, I believe, represent domain users who have logged on to a system before, and someone can correct me if that's wrong, I need to double check that. But when you find these hives: if you log in remotely to a system, or if you log in physically, this is created for your domain account, and it just stays there; it doesn't go anywhere. So again, the idea was this: you find evidence that these tools are being run. If a computer is running WinSCP then it's communicating with a Mac or Linux host; that's the bottom line. If there's an artifact that these tools have been run on that system, then it would show you where they're connecting to, and you'll know the IP address. So if a saved session exists for an SSH session or an SFTP session, that kind of thing, you can extract that session because it's persistently stored in that registry key.

So, specific remote access tools used to access these Macs; let's go through them. Here are some tools. WinSCP is a good one; that's how Windows systems a lot of times do file transfers to Mac and Linux systems. FileZilla. PuTTY. SuperPuTTY, which is good for scripting multiple PuTTY instances. RDP in some cases; RDP is really a general-purpose remote logon tool, but we extract that session information as well. And VNC. So if a Windows system is communicating with a Mac or a Linux system and they use one of these remote access tools, which they would, this is where artifacts of that tool would exist: it would be under the SID that I pointed to earlier, the domain SID, and in the saved Sessions subkey there. PuTTY, WinSCP, and Remote Desktop are all saved in the registry, but FileZilla and SuperPuTTY by default go into a sitemanager.xml or sessions.xml file; they're just on disk. You can change the default location, but a lot of times we see that people don't; they just keep it in that roaming FileZilla sitemanager.xml location.

So let's talk about these saved sessions, and hopefully I'll convince you... do people here have experience using WinSCP, for example? Yeah, a lot of people. So hopefully I'll convince you by the end of this to put a master password on that; it's very easy to do. This is what a WinSCP session would look like in the registry: you go down to Sessions, and then the session name, whichever the session name is, and it would have a HostName there, it would have a Password that is an obfuscated string, and a UserName. So again, you're looking for Linux and Mac systems; you find a Windows system that you think belongs to an IT person or someone who might be interacting with these systems you're looking for on a daily basis, and you look, and you find this registry key. This says they have saved WinSCP sessions. If you actually dig up that key, like we did here, you see the username associated with that session to log on to that Mac or Linux system, and the hostname, the IP address, and the password. Here's the important part: the password is not encrypted by default. This long ridiculous string is just obfuscation; there's nothing to it. You can reverse it without knowing a password. And here below it, this is the registry key that would tell you whether a master password is being used or not; in this case it's all zeros, which means no. So I wrote this PowerShell tool, SessionGopher, which I'll get into a little more, to deobfuscate that password string you just saw, and here's why you should really use a master password: the key to deobfuscate it (it's not really a key) is the hostname and the username of the session concatenated together. To get the password deobfuscated you just need the hostname and the username of the session, which are in clear text, as you can see over here. And not only that, you don't even need what they are, you just need the length of them; the key is a number in the end, they just use the length of the hostname and the username. So I know the length of the hostname and the IP address, and I add them together, and I can decrypt... I use "decrypt" in quotes because it's not actually the right word; I can deobfuscate your password and I'll get it in clear text. If you use a master password it's actually encrypted, though, so do that.

Here's what the output would look like from using my tool: it would extract the username and the hostname, concatenate them together, get the length, and you can see for the admin account from two slides ago that garbled string was just the plaintext password. It deobfuscates it in PowerShell and it'll extract all the saved session information from that key.

RDP sessions: they don't store passwords, but they're stored in this registry key over here (I'll post these slides, by the way, in case you're wondering). So this actually helps a lot on our engagements with finding jump boxes. If there's a specific network or a specific box we're trying to access, and we suspect a specific domain, for example, that we're trying to access, or a hostname, and we suspect there's a box that might be able to communicate with it, then we can run SessionGopher on this box and see all of its RDP history, and if it's ever connected to that, then we know that it would serve as a jump box to get to that domain or that segregated host. This is the key you would get it from: it has this UsernameHint value, which gives you the username associated with that RDP session.

FileZilla: this is one of the non-registry ones. FileZilla sessions are stored in sitemanager.xml by default, in this location by default, which again I've rarely seen moved by the user. The password in the file is just base64-encoded, so my tool will just grab that and base64-decode it.

SuperPuTTY, which I mentioned earlier, is a good way to script multiple PuTTY instances at the same time (PuTTY is a client for SSH). It has in its XML file, which is also non-registry based, an ExtraArgs parameter to which you could provide a password, so to automatically authenticate to SSH with a password you would provide "-pw" and whatever the password is. So again, if you find this artifact on that system you'll see where the Mac is, where the Linux system is, and you'll have creds for it a lot of times.

We also built in a Thorough mode for this tool. Who knows who this is? There you go, surprise, it's Henry David Thoreau, yes. In Thorough mode it'll search the entire file system for .ppk files and .rdp files. PuTTY private key files, .ppk files, are created using something called PuTTYgen, which is a one-off tool to create these keys, and they'll have the information for the public key cryptography that takes place to authenticate the private key to a remote host, if they're using that. Also .rdp files. .rdp files are interesting because they are both executables, and you can interact with them in a hex editor; they're very nice, and I'll show you right now. This is what a .rdp file would look like if you open it in something like Sublime Text: you'll see all the arguments it provides. If you saw this .rdp file on your desktop and double-clicked it, it would begin to open an RDP session to a remote host, but within it are all the arguments it takes, essentially. The format is field name, type of field, value, so it would be something like "prompt for credentials:i:0": "i" for integer, and "0" which means no, we're not going to prompt for credentials. The value would be either an integer or a string. This tool extracts this information as well, to find out what hosts are connecting to what hosts, so you can map out your network a little better.

PuTTY .ppk files, which I just talked about, contain private key information. These keys can either be encrypted or in plain text, and you choose that when you generate the key in the first place. This one here is not encrypted: you see the top bar says "Encryption: none", and then the private lines are the actual private key, and the MAC associated with it. This allows for one-click PuTTY logins using the private key, obviously. So when you run Thorough mode it'll find these files, it'll tell you the kind of encryption used and whether it's encrypted, like I mentioned, and it'll extract the key, and it'll extract the information in the .rdp file as well. This is just the output from running it, what it looks like: you can see the FileZilla sessions, with pertinent information about the user, the password used, the host, and some of the different arguments within that FileZilla XML file I showed you; .rdp files, like I mentioned; and RDP sessions in the registry too.

Now the neat thing about this is that you can run it remotely. The point is to map out the entire domain, to get an idea not just of where the Windows systems are, which is very easy to do, but to find out where all of them communicate with a Mac or Linux system, if they do, so you have a full picture of the domain. To do that you'd have to run this remotely: you could run it from one host and have it remote into all these other hosts and extract any saved session information it finds there, and that'll give you a mapping of the network. It uses WMI to do so. WMI is Windows Management Instrumentation; it's generally considered very quiet for remoting into other systems, but it requires local administrator on the system you're targeting. You can run this across the entire domain if you want; you might get locked out if you're using bad creds or something like that, so maybe limit it to a few systems at a time. WMI within PowerShell is used with the Invoke-WmiMethod cmdlet, which is really powerful; it allows you to basically script WMI calls in PowerShell, and that's what this uses. If you were to run this on several hosts, here's what the output would look like: it would dig into that first host you provide it, and in this instance it only found RDP sessions, but it'll give you the username and the hostname; that's all it has for RDP. And it'll just keep digging through: if it had WinSCP it would do that, if it had FileZilla, if it had PuTTY, etc., it would do that. So essentially, running this on the entire network, you'll find every connection possible to a Mac, Linux, or other system. To synthesize this kind of data I added a write-to-CSV flag, so basically it'll just give you all the credentials you want in a nice little folder.

Now this tool has been integrated into a couple of sources recently: PowerShell Empire and CrackMapExec. Has anyone used either of those, PowerShell Empire, on your engagements? Yeah, okay. I'll just show you quickly; these are two popular ones, so I wanted to mention that. In PowerShell Empire it's very simple: once you have your agent, you just do "usemodule credentials/sessiongopher" and then "run", and this is example output. It found a WinSCP session on this system, the one you have the beacon on, with the username Dwight (a The Office reference); a FileZilla session, it found one and got the credentials there; an RDP session; SuperPuTTY sessions; etc. Here's the link on GitHub if you want to hear more about it, or use it in your engagements. I recommend it, obviously, and that's it. If you all have any questions about anything, feel free to reach out to me; that's my Twitter right there, you can follow, and thank you for your time.