
Yeah, cool. All right, good afternoon everybody, we'll go ahead and kick it off. My name's that's a facin and here to talk about Red Team Rumpelstiltskin. Just a note: this is an entry-level talk at the end of the day at a BSides conference, so if you've been in security for a while and you want to learn something cool, Jen's teaching the walkthrough for the SANS hackfest, which will probably be more informative for you than this as well. But thanks for coming out to watch it. Who am I? My name's Zak, Zak cephus. Work at ProCircular, security engineer there. You know, outside of that security stuff, SecIC, essentially a chapter of SecDSM in the Iowa City area, so if you're
out that way, come check us out. We do essentially the same thing SecDSM does but smaller scale, 'cause, yeah. So why am I here? I'm gonna tell you guys a bedtime story. It's one of my favorite stories, and it's an anecdote that I use not only in red teaming but in security in general, and it revolves around Rumpelstiltskin. Outside of the story, we're gonna go over some basic concepts for anyone looking to break into red teaming specifically, but a lot of it's applicable to security and IT in general. But again, pretty basic level talk. So to get this slide out of the way first: impostor syndrome, right? If you're in this industry and you hang out with people in
the industry, everyone knows things you don't know, and it's daunting, I guess, to be the best word, right? Like, everyone's got something to teach you, so you should keep that in mind when you walk into them and why and meet them, and not let that, you know, affect you personally. You know, I shouldn't be up here, right? Who am I? I'm just some bad, I do security stuff. But again, we all got something to teach each other, right? So that's why I'm here. The other thing is, don't let one bad experience, whether it's in the community or, you know, online or at work, you know, set your own level of expectations. Don't let other people do that for you,
don't build that out for yourself. So, to the meat of the story, the meat of the talk here: Rumpelstiltskin. So the story originally originated, was originally recorded, in 1812 by the Brothers Grimm. The story, there's been some research on the story itself saying that it's dated back, you know, past four thousand years or so. The research itself was kind of questionable, so who knows. But it's, you know, essentially a story of Rumpelstiltskin, which translates from German to literally "little rattle stilt". Back in those days, you know, it was entertaining to go chick posts, 'cause Fortnite wasn't a thing, there wasn't a lot to do. But we can tuck in and I'll kind of kick off the story here. I'm
gonna give a brief version since we're times. But the story of Rumpelstiltskin: so there was a farmer, and he had a daughter, and she was an excellent human being, smart, you know, funny, clever, beautiful, and she could spin straw. And the guy, you know, just kind of a land farmer, he, you know, we're in Iowa, right, he made corn, why not. And as all fathers do, he wanted to give his daughter the world. Yeah, wanted to provide everything he could for her, but he was a farmer, and this was, you know, four thousand years ago, not exactly an easy thing for a farmer to do. So when he'd go out to town he'd, you know,
talk his daughter up to everyone he could, I mean anyone that would, you know, sit and listen for any period of time. You know: ah, she's beautiful, she's smart, she's funny, she's great, she can spin straw. Hell, she can spin straw so great she can spin it into gold. And eventually that word got back around to the king of the air, and the king thought to himself, so, a lady out there that can spin gold out of straw, ha ha. And he came knocking on the farmer's door and, again, this being four thousand years ago, said, hey, I'm the king, so I'm taking your daughter. And he did, and he took this farmer's daughter and he locked her
in a room filled with straw and said, you are going to spin all this straw in this room into gold, and if you don't get it done by the morning I'm gonna chop round. This is a bedtime story, great for nightmares. And so, you know, he shuts the door, takes off, and, yeah, thirteen-year-old girl, I'm sure, it's 4,000 years ago, sitting there just bawling, freaking out. She's dead, where she doesn't spin straw into gold, she has no idea what the king's talking about. Her dad's never brought this up to her, it's just his way of, you know, really gratifying himself in his children. And the night starts to wear on, and the impending doom is kind of setting in and
going to die soon, so she starts freaking out, flipping tables, kicking windows open and screaming. And down on the street, the street is the castle area, there's this little imp leaf thing, right, gnarled little man, and he hears her and he poofs himself magically up into her room, says hey. And so she explains the story to him, you know, if I don't spin all that stuff into gold, I die by the morning. And the little implica is like, okay, that's pretty terrible, yeah, starts walking towards the door. And she said, well, wait, you're magic, right? You poofed yourself into this room, you can help. He says, probably, huh, what do you got? She
says, well, you know, I got this ruby ring, it's my grandma's ring, it's very sentimental. In the magic times back then, sentimental things held a lot of value, could get some good black magic out of it, right? So he says, all right, you give me that ring and I'll spin this room of straw. So she does, and he does, and she goes to bed happy. The king wakes up, busts down the door and goes, man, wow, you spun a whole room of straw into gold, this is an instant cash California, and says, you know what we're gonna do, we're gonna take you, put you in a bigger room, we're gonna do the same thing, I'm gonna put
more straw in it and you're gonna spin it into more gold. Same process repeats, right? She's sitting there, you know, impending doom and dread, she's going to die, and she remembers the little, you know, wilty man, kicks the window open and starts screaming again, right: yeah, come help me. And so he hears and pops back into the room, and same situation again, right: I got to do all this, for all this straw into gold, what am I gonna do? What else, what else of value do you have? And she says, why, I have this pendant my mother gave me, you know, she died years ago and it's the last thing I had to remember her by.
He said, great, you know, again, sentimental value, good GG, we can make some black magic out of this. Does it, spins the room into gold, takes off. Same situation: wakes up and kicks the door in and goes, holy crap, I am so loaded, this is gonna be excellent. So he takes her and the third night puts her in the biggest room he has in the castle, packs it floor to ceiling full of straw. Same deal, except this time he says, not only will I not kill you, I'm gonna marry you and I'm gonna give you everything I have. Kind of a weird proposal, but whatever. And this situation ensues again, she starts howling and screaming, they in
pleaded pops back in, and she says, you know, well, I had the ring and I had the necklace, like, I don't really have anything else, right? Once the guy goes, well, how about if you give me your firstborn baby, that'll work, right? She's, you know, going to die in mere hours and says, sure, yeah, that works, fine, whatever, let's not die. And he spins this giant room of straw again. The king kicks the door open the next morning, he goes, whoa, we're getting married. So they have a grand celebration and, you know, a year later or so they father a child, or they have a child, this baby, beautiful little boy, beautiful heir to
the king's throne, right? And the mom, all she can do is just freak out, because she knows that this little imp lead is gonna show up and snatch this baby, it's him. And a week goes by and she's still kind of freaking out, a few more weeks go by and she's freaking out a little less, and months go by and she's kind of forgotten about it at this point, 'cause she's got this gorgeous kid and she's the queen of this kingdom and everything's rockin' for her. Come the year of the child's first birthday, who is to show up at the door but this little employ guy again. This nice, juicy, sentimental connection to the baby, give it a year to bake, right? So he
walks up and says, hey, you know, uh, everything we talked about, and you're gonna give me that baby. Queen's like, I can't, I can't really do that, not really, right? So she goes to the king and talks to the king, and the king's like, yeah, if he takes my baby I'm gonna kill you too and just get another wife and a new heir, because he's the king, why not. And so she's kind of left in this catch-22 of: she gives up her baby or dies. So she comes back to the little guy and says, you know, what can I do to get around, like, what, there, you have to have another option. And he says, you know, all
right, um, it's your kid's birthday, I'm feeling kinda generous, I'll give you three days, and in those three days if you can guess my name, then keep the baby. He says deal board. So he heads out, you know, she starts thinking and writing down every name she can possibly think, anything she can come up with, and he shows up the first day and she starts naming off names, you know, Jeff, Jim, John, Jen. Actually he's just smiling and laughing and shaking his head. So day one goes by of wasting all the names she could think. She spends the next night thinking of anything she possibly can. Day two comes around, same situation, yeah, Bob, James, Joe,
whatever, goes through a whole other list of names, nothing, he's just laughing, giggling the whole time. So third day comes around and she spends the morning kinda just walking around the courtyard and, you know, trying to catch her breath, think something fresh, get out of town or whatever, and she passes by the guards' house, and as she passes by the door of the guards' house she hears one of the guards kind of telling her stories from the night before. He's just gonna hang it out and chatting with a guy, blocking talk, right: last night I was wandering around the forest, great, I came across this little, like, key thing, and there's a fire and there's just this really weird
little, like, raisin man dancing around, and he was singing this song about how he's gonna make a baby for dinner the next day. And let me find the exact quote here, because I did pull the exact quote from the book, see: "Tonight, tonight, I plant my plans I take, tomorrow, tomorrow, the baby I bake, the queen will never guess my name, for Rumpelstiltskin is my name." And as the queen overhears this, she realizes that, she's like, dude, that has to be the implica it, of course it has to be. Okay, so she devises this kind of counter-plan to wait for him to come, and she starts naming off all these names she can think
of again, right: Stacy, James, Philip. He's laughing the whole time, and as the sun gets close to the bottom of the horizon and, you know, he's gonna run off with her baby and bake him for dinner, she goes, you know what, your name's Rumpelstiltskin. And he just stares at her for a second and then starts flipping out: how would you know that, you cheated, right? She said, you didn't give any rules to this besides three days and whatever names I could come up with. And, you know, she's not wrong. So he loses, and the king says, get out or I'll kill ya, because that's what the king does. And he freaks out, and he gets so mad that he
slams his foot into the floor of the castle, right, this giant granite stone floor, and he shoves it so far into the ground that he gets stuck, and he has to pull his own leg off just to get out of the castle. Again, bedtime story for children. So that's essentially the story of Rumpelstiltskin, right? She guesses the name by overhearing it from someone, and she walks away clean. So how can this apply to red teaming specifically, or security? So let's kind of restructure things a little bit, right? So the farmer, let's say he's an IT director, right, and he's got a daughter who happens to work in IT, just kind of
security minded, he appreciates it, you know, wants to talk her up, get her a good job. The king's a CISO somewhere, a big company X, and, you know, he gets her a job and Kennedy tells that CISO that, you know, she can spin gold, man, she'll do all the red teaming stuff and how she's amazing, it's the best thing ever. And she gets there and realizes that she can't do this. Hey, might be stretching for talk here. Really have any applicability directly? It doesn't, one-to-one. But the main takeaways of the story here, right: Rumpelstiltskin was the thing that had power for her, and that was the thing that released her from
that tension, from that pending doom and death. But in reality her spinning straw and being skilled in the basics of what she was doing is what got her there in the first place, that her dad Vantage er. But, you know, with regards to red teaming specifically, there is no real Rumpelstiltskin, there's no way to spin gold, you just need to spin straw. But that's kind of what we're gonna go over today, is learning how to spin straw. These are really the basics of red teaming, the basics of IT in general, right: networking, firewalls, Linux, web applications, Windows and troubleshooting. This is your spinning straw, this is your straw, this is your spindle, this
is how you get it done. So with regards, you know, just kind of work top-down from the list here. With regards to networking, we need to know what matters with networking, and networking is, you know, from an enterprise perspective, this is where the meat and bones of business is now, right? What businesses can we think of off the top of our heads that don't use a network or don't use the Internet? There are met, I mean, there are some, but there aren't many. This is how the world works, so a fundamental understanding of networking is critical, you know, bread and butter of enterprise: plug things in and then go. Let's understand some basics of protocol levels. Protocols,
they do change over time, I think WEP to WPA2, WPA3, but the basic, you know, I solar of the protocols, those don't change that often, the basics are still there. You know, we need to learn what the different protocols do and how they operate. We don't need to be subject matter experts on them, but we need to understand how they work, how that applies to what we're doing. You know, understanding some of the basics of networking in general. The OSI model is a good one: pepperoni pizza, whatever that Hernandez, what is it, "please do not throw away sausage", it's a bow, yes, that's the future where we go, I knew his piece of something. But, you know, again,
you don't need to be a subject matter expert on the OSI model, but you need to understand how the different areas of it can break away and where you're gonna be living depending on what you're attacking, right? From the OSI model on, you're gonna start to get into more advanced levels of networking, things like VLANing, which, you know, if you're not doing proper segmentation or ACLs within a business, your VLANs are essentially collision domains. It's not quite the same, but understanding how that works from, again, a red team perspective, you know, understanding some of the basics of attacking a VLAN, VLAN hopping, knowing that a number of different switches can, if you flood the
VLAN too much, essentially turn themselves back into a hub. Now you have full network access. Can be a little disruptive, but hey, you get what you need. And then routing, right? Again, we don't need to be subject matter experts to start and build our foundation. Understanding the basics of routing and how pointing things at each other with a specific protocol around it is where you're gonna be, you know, really getting into the goods. The last one on here of course is pcaps, with a sad face. Pcaps are excellent, but I know personally, as a newcomer, the first time I opened up a pcap it blew my mind. I had no idea what was going on, and this
was after finishing, like, a networking book this big, and it was just so much information, it was incredibly daunting. But knowing that you can pick certain information out of a pcap is critical. You know, these are all of the ways that the network encapsulates and builds how we can operate as red teamers. At the edge of our network: firewalling. From a red team perspective this is a little less fruitful nowadays. It used to be a lot easier to get around firewalls, they've gotten a little better. Firewall, you know, there aren't very many, like, full-on bypasses for firewalls that you're gonna find. They pop up every now and again, hey, they're getting good. Bread and butter with
firewalls tends to be misconfigurations. Again, the issue there is the firewall vendors are getting better at letting us not be dumb as blue team and defenders, and, you know, you have your ASA, you try and set up a rule that is a specific misconfiguration, and typically it's gonna tell you, yeah, you can't do that, this is what it probably should look like. So unless you're going in, unless that blue team's going in and setting specific, like, shields-down any-any rules, firewalls are gonna be a little more difficult. But really just understand how they work and what they're for. Everyone knows how a firewall, like, what a firewall is used
for on the edge: blocking information and packets coming in and out, filtering with it. It's a magical beast, it's been around forever, and everyone who uses Linux is just a complete nerd, we know, all right, like, that's what they do, they get together and they talk about action. But learn it, learn it and understand what its common uses are. Familiarize yourself with how the operating system works, how to traverse things, how permissions are set, how it can interconnect within the network to others. The bread and butter with Linux stuff nowadays is IoT devices, are embedded Linux nine times out of ten. So when you hit things or when you see things like that that you're red teaming, look
for default credentials or hard-coded credentials. Those are great and they come across pretty regularly. You know, IoT, if a vendor is not setting it up or they're setting it up in house, set it and forget it, that's kind of what they're so long, so you can get some good mileage out of IoT stuff. Outside of that, yeah, again, familiarize yourself, right? Know how to get around in Linux. When you hit a Linux box and what you do, it shouldn't be a stopping for you. Web applications is a huge topic, and multiple, multiple talks of itself, but know some of the basics of it. What is a web app? You know, somebody says web app:
it's a website that connects to a lot of stuff, right, goes from the internet usually to other devices to pull information and serve that out. An application on the web. Bread and butter here: things like SQL, you know, find injection points that you can, cross-site scripting. Again, the level of depth and breadth of web applications is ridiculous. Jared had a talk two talks ago here that was, like, mind-boggling awesome, with remote code execution, was numbing, it was so complicated. The book, the book for web applications is about the same size as the CISSP book, like, seriously, and the CISSP is, what, eight domains, and you can do web apps forever. It's just good stuff to know. Windows, right? The base of pretty
much every enterprise now, ever at this one, but nobody knows how it works, really. Like, Microsoft experts give you different opinions constantly. It's been built on top of itself since, like, three point five, which is wildly evident now in Windows 10 with essentially two desktop environments on the same system. And, you know, this building on top of itself is a huge boon for red teamers, right? A lot of attacks that revolve around things like DLL injection or DLL proxying you can find because you open Word and it looks for a DLL that hasn't existed in eight years, but the process exists to look for it because it just keeps getting added on
top. That's a good point, right? I can get DLL injection right from a Windows thing called Word that everyone has, because word processing is what business is. So outside of that, familiarize yourself with the operating system. You know, I'm sure most of you have grown up on DOS or grown up using Windows, it's a pretty base and operating system that we all know at this point. Understanding the basics of the operating systems are, and get sidetracked now, no, you're good. If you're blue teaming this is critical, you know, baselining, making sure you know what's running on the systems that you own, because the first time an incident happens and you have to go in and, like,
do incident response, if you see how this is running, oh my god, you, there's like 16, we're pwned. It happens every time. But from a red team perspective, if you have that time to live on the land and to monitor the machine that you're on, if you can build your own baseline, you know what their good is supposed to look like, you can operate and live off the land on that system itself, and that helps you to really blend in. Outside of that, PowerShell. Dude, PowerShell is amazing, it is so incredibly powerful, it is too powerful, and as a blue team they should be restricting it to pretty much nobody. Like, nobody should have access to this,
it's ridiculous. Troubleshooting: this is not only IT, or not only security, but IT just in general. Troubleshooting, you need to learn to troubleshoot. It's critical thinking, you know, thinking outside the box, whatever you want to call it, but the key here is to build yourself a process that works for you, right? Everyone learns differently, so build something that you can work and focus on yourself, and then you can apply under pressure. For me, my example is the 50/50 rule, and I learned this in engineering. It's: if you have a problem that's presented to you, immediately cut it in half. So, you know, the user comes kicking down the door and goes, the Internet's off. It's not, dude,
I'm watching YouTube right now. So cut it in half, 50/50: the Internet's not off, I know I can focus specifically on the inside of the building at this point. Again, I'm on the same switch as Sally, who kicked the door open telling me the Internet's off, so I can now cut the switch off and start looking deeper in, you know, port-wise, yeah, yadda yadda. But this is something that I've learned and I've repeated over time, and so when I have to use it under stress it just happens, and that's the best way. When you apply this to the red team: you pop a box and you haven't been on the system yet, you have no idea what's
going on, you don't know if there's monitoring, you don't know, you know, you have no idea, you may have seconds to get something done or something pulled, or you might just drop the connection, like, it just happened. But practicing is the only way to get better at troubleshooting, and the only way to practice is really to get in the trenches, which is unfortunate, before Jeanette, I guess. But those are the basics, right? Like, those handful of things, build those out and you can red team, you can blue team, you can do security. All of the vernacular and all of the standards that come on top of it are all things that can be learned, right?
That's, let's see is as people go, give you a handful of those things. Yeah, thanks for turning my talk, are you kidding? Ah, let's focus in. Move fast, but let's focus in more and figure out, like, where we can learn these things, right? If we're all trying to figure this out, books are a great place to start, because they are written about literally everything, that's what they're for. Great places for books we'll get to. I have a whole bunch of resources that I just threw up on GitHub, so I'll have that slide at the very end, you could just take a look at it. But books, online resources, right: Cybrary has free
stuff, YouTube has all the things. More to the point with getting your hands dirty: CTFs, right? Again, I'm at the end of the day, so I can't say go right over and play the CTF because it, but CTFs are a great way to get your hands on things that you wouldn't have the opportunity to without going to jail. So do it, right? If you're going to a conference and they have a CTF, jump in there, you don't have to know everything about it. And then conferences, right? There's trainings galore, every conference has a training. Books specifically: again, everywhere, in every topic. For us, O'Reilly, us in the technical industry, the O'Reilly stuff is great. It
can be a little dry, it's not quite a textbook but it's damn close. But if you want something a little more lighthearted, a little more written by tech people for tech people rather than, like, a technical manual, No Starch books are fantastic. I probably have more No Starch books that I've acquired from Humble Bundles than I will ever read. Outside of that, anything For Dummies. I know it sounds terrible, but they're actually really good crash courses, and they usually have some good applicable, like, examples in them. So, you know, if you're feeling, again, impostor syndrome, right, if you feel a little self-conscious about it, buy them off Amazon, nobody will have to see it, and Barnes &
Noble checking out, I don't even know. But really, For Dummies books are great. There's Networking For Dummies, fantastic book, I bought it back in college and I still use it every now and again 'cause it's, well, yeah. Again, more books are on the resource slide itself. Online resources: you pick everything, everything's on the internet, that's what the Internet's for. Again, I have a handful of things that I find useful as a red teamer on the resource list. It's by no means anywhere near an exhaustive list at all. CTFs: these are again a great place to get your hands dirty. You can jump in on learning cryptography, learning network analysis, learning steganography, anything that you can
dream of, there's usually a CTF around it. Again, we'll have rooster, I have resources at the end here, but there you can do a CTF any time, it doesn't have to be at a conference. There are ongoing and ongoing training CTFs too, again, we'll get to that. Ask questions. You know, a lot of InfoSec or technical people tend to be a little introverted, you know, we like digging into stuff and I in our basements, but if you can, if you can sit down at us, there'll be a starter table, there almost always are, or a starter team. If you can sit down and they just ask this it down, you don't even have to ask the team
if it's gonna make you uncomfortable, just sit and kind of inculcate yourself with what they're doing and listen, and I guarantee you're gonna pick stuff up. I have learned so much from CTFs, that's incredible. And then conferences, right? BSides Iowa, you're here. BSides KC is next weekend. BSides conferences, again, tend to be low cost and great value in training. That might be debatable after this talk. Say another great one, you know, there's the bigger cons, story cons and DEF CONs, and they're good too, they have value, but for the same price of going out to Vegas once a year you can hit, like, three or four of these and get better training.
Sorry, DEF CON. Circle City Con, it's in Indianapolis, it's like a six-hour, wow, seven, eight-hour drive from here, we're over in Iowa City, so. But fantastic conference. They have, they call it free training, I think you pay five dollars to reserve a seat, but if you show up and no one's there you can just sit in it, and they're, I mean, world-renowned people come in to train, it's awesome. Fantastic lobby con, I've met a number of amazing people in the industry there, and again, it's like, right, Indianapolis, it's right here, it's awesome. They have a fantastic CTF as well. gert con, that one's a little more blue team focused, same with Burke
on, so if you're looking to really break into red, might not be as great for you, but learning blue stuff is gonna be a good way for you to learn to get around blue stuff, right? But again, Burton's free and it's essentially the little brother of Burke on. Wild West Hackin' Fest: bread and butter, right? Like, that's Black Hills puts it on. If you wanted your red team stuff, go, it's really good. And then there is a soon to be dropped on that's coming in the works to replace DerbyCon, and again, DerbyCon was, you know, on the larger side. I do have a note in here, conferences more show: SecDSM, they have a black
badge, what's the name for it, like, scholarship, like this, yeah, a scholarship where you can, so both SecIC and SecDSM go out to these conferences and participate in the CTF to win black badges. For those that don't know, a black badge for a conference is lifetime entry, just free. Thank you. You participate, you win, and you get to go again forever. So what SecDSM, SecIC, I'll just stop, SecIC, SecDSM has done is they send a team out to win these conferences, bring those badges back, and then you can go and apply to go to one of these conferences on a free ride on that black badge, or, you know, SEC
DSM on the team. It's a great way for not only them to give back to the community, but for you, as somebody who is hopefully trying to break into this awesome industry, it's a great way to get to one of these conferences at a seriously reduced price. Learn all the things. Knowledge is power, and our, you know, our industry, IT in general, will always change, forever. Knowledge is half the battle, right? But soak it up, learn everything you can. And I'm a big fan of learn by doing, that's how I learn best. You know, some of you might be readers, some of you might be video watchers, everyone's a little different, but I personally feel that
getting hands-on with things tends to help you learn it a little bit better, and again, that might just be me. Community: community is huge, right? This is why we're here at BSides, is to kind of help foster that community as well, right? SecDSM, SecIC, getting in with people that are in this industry, sharing knowledge with each other, that's enormous. And really have fun with what you do. There's a lot of bad out there in what a lot of us do, both red and blue, and it can be kind of rough sometimes to think about, like, what we're doing, right? You're going in to hack a bank your grandma might have an account at, or
a hospital that you had one of your kids at, and you, like, kick the doors down and walk out as domain admin in 12 minutes. That's hard to live with some days, like, that sucks, all right? And as a blue teamer then I have to go in and read that to them, like, hey, we destroyed all of your stuff. That sucks for them too, right? And then they have to try and sell that to their C-suite, make money to get, or not make money, get budget you apply to that stuff. That's rough, dude. And we're the good people trying to do it, right? Like, there's other people kicking the doors down 'cause they want that one
and they're gonna get however they want to. That sucks. That's why we're here, build the community issue. And I kind of lied, right? Like, I said names didn't matter. They kind of do matter. Like, that sounds fun, right, like, going waterboarding in Guantanamo Bay, I would totally be down for that, except I know what both of those are and shit's not gonna be fun. So kind of to wrap this all up, right: names do matter, tools matter, right? They come and go, they're not gonna make you a hacker or make you awesome, right? Bro, I got Kali Linux, I can have all the things now. Kali's just a tool set, it just wraps it up, makes it fast, so
it does, it's just tinfoil, little black magic to it. A fundamental knowledge, it only grows the more you learn that stuff, and the more you practice it, that's where you're gonna get good. So real quick, ways that we can find our Rumpelstiltskins, right? Because again, the tools, they're gonna speed things up for you. And anyone in the industry now, red teaming, this is kind of more up to your speed rather than the previous stuff, where you can learn about new tools: social media, podcasts, cons, cons and CTFs, right? Social media: Twitter. Curate, curate your Twitter. Twitter's really fun for shitposting, not gonna lie, but if you want to have, like, a dedicated feed specifically for InfoSec, because we
shitpost a lot, so to separate account out, right, like, curate that. How can you find people that gets on to the other kind of stuff, right, like, back to the GitHub and things like that, and we'll get there, but, like, all right, community, that's another big thing, right? We have Secchia sunrise, the SecIC has a Slack. Get in there, ask questions, read stuff, you don't even, just lurk, that's cool. Uh, some notes then with Twitter, like, thought leaders. That's a big term in my book, that's a no-no. But if you're calling yourself a thought leader, that's cool, yeah, but just 'cause you have a bunch of Twitter followers, like, that doesn't
give you any breadth or depth of knowledge in the field. He's a lot of Twitter followers, whatever. So take that with a grain of salt, just be conscious of who you're listening to. Huginn and Muninn, Huginn and Muninn. Brandon Murphy, at zoom equipped, gave an awesome talk at SecDSM, I believe we recorded one at SecIC as well, but it's a tool that you can go out and essentially look for trends in things, websites, web feeds, RSS, you can tune it, or Twitter, and find out about new tools and stuff like that, or if you're on the blue team side, find out about defensive things, you know, proof of concept codes that have been released
that you may have vulnerabilities for. But, you know, check out the SecDSM, SecIC YouTube channels, it's a really good talk. Podcasts: these are some of my favorites. Malicious Life. ISC, yeah, ISC's daily StormCast is good just to kind of keep yourself fresh on what a larger net is viewing in the world at, you know, mmm, kind of real-time, daily-ish. Don't Panic by Unit 42, a great, great one. Darknet Diaries. Recorded Future's is good. Anything on here is good. Black Hills InfoSec, again, if you're looking for red team stuff, is awesome. And that actually is the, if you want to snap that, I'll put, I'll put the
slides up on slide post or whatever so you guys can have a link to it, but that is a list of pretty much everything in the slide deck, you know, bullet pointed, with good information that you can get cheap if not free, and a ton of red team resources are in there as well. That's it. Any questions? Not really, talking at you, go down. All right, so I think I got some time left, I'll just sit here and set up word. [Applause]