
Shut the [ __ ] up, thank you. Good morning. So yeah, anyone who's not seen me talk before: I definitely swear. That's probably why you're all here, to listen to the Glaswegian dancing monkey do talks on security. Before we get started, I've been told by the scav hunt organisers that I shouldn't put this slide up, but if you're doing the scavenger hunt there's 30 points for getting my signature, so here is my signature. If you take a picture of it and submit it to the scav hunt you might get 30 points. [ __ ] it. Anyway. Oh sorry, someone wants to see that picture.

This talk came about because Glenn came to me when BSides Leeds was being planned and he was like, "Andy, I need a talk." I'm like, "That's great, you've got problems?" He's like, "No, I want you to talk." I'm like, "Cool, what on?" He's like, "Just pick a title." I'm like, "Okay, cool, cool." So I got one of my good mates to pick a title, and here we are. So it's not Jason Bourne, it's just Andy.

Fair pre-warning: I go off on tangents quite a lot, so this talk is probably going to be quite tangential, is that the right word? It happens. I sometimes swear. I'm not trying to purposefully offend you, unless you're being a [ __ ], and then I'm definitely trying to offend you. I don't know everything, so if you've got questions at the end that I can't answer, I'll go and find the answer for you, and if I still can't find the answer then we'll never know. The whole [ __ ] walk in front of the camera. So yeah, if you've not seen me present before, you're in for a treat, I hope.

Anyway, so, five slides before the first; that should take the top. So this is Pen Testing: The Jason Bourne Approach, turning regular buyers into weapons. The original plan was I was going to go through low-risk issues and then step through and be like, "Oh, this is how it's a high-risk issue," and I thought, well, that'd be a great idea if I had known about the description more than a week before the talk, because I asked the BSides organisers, I was like, "Folks, what did I submit as a talk title?" They're like, "This." I'm like, "Oh, great, cool." So instead we're going to go through, Jesus Christ that's Jason Bourne, no, it's just Andy, we're going to go through war stories and things.

For those of you who don't already know me, I'm Andy Gill. I am the UK/EU adversarial engineering lead at Lares Consulting. We are a consulting firm based in the States; I run the European team. I've done some defensive but mostly offensive for over a decade. I've written two books, Learning the Ropes 101 and Learning the Ropes 102. They're not about bondage, despite what you Google. I'm known as ZephrFish on most platforms, and all of my slides will hopefully be pretty. All the photos, I'm going to walk away for a second, but all the photos are going to be after the slides on that blog there, which is my blog, where I put photos anyway.

So the original title for this talk was "This one time on a pen test", and I'm going to go through some war stories. So this war story here is hiding in plain sight. What typically happens, so the plan for this talk, was to look at techniques that are harder in a pen test than in a red team than a typical threat actor would have, and generally speaking that's mostly the case. Anyone who does pen testing? Hands up. Who does red teams? Yep, so a few of you. You'll know that going up against a good blue team is pretty hard, and in this instance what my team and I found was we were masquerading as a legitimate company inside another company. For the purposes of these war stories I'm not going to name clients, because obviously that's a bit [ __ ] stupid. Hopefully someone's keeping count of how many times I say [ __ ]. Alex is wonderful.

So yeah, hiding in plain sight. We were essentially stationed inside a company masquerading as another company, so we came inside as a legitimate developer, applied for a job, got a job there, and the objective of the engagement was to access the privileged information and the sensitive information. The company who were the target were a large manufacturing company, and the objective was to go after plans for their next biggest product. So what we did is we applied for a job, we got a job; I got a job as a developer. I can't write code for [ __ ], but they didn't know that. Past the interviews, I got through to the stage where they're like, "Here's a laptop." Realistically speaking, anyone who's done an insider threat, most companies will give you a laptop and be like, "Right, you're going to masquerade as a malicious employee, your objective is to go after X, Y and Z." Well, actually, in this case I was the malicious employee; they'd given me a laptop legitimately and my objective was to go after X, Y and Z.

So the first couple of days I was getting to grips with HR, was on my best behaviour, I wasn't calling people [ __ ] no matter how much I wanted to, and I was learning about their internal environment. What I found quite quickly was, being a developer, they give you local admin on machines, which anyone who does pen tests or anyone who's in a blue team knows is probably not a good idea, because having admin on a machine gives you more access than you probably should have. So anyway, I had this laptop and I was playing about with it, and I found that with local admin I could turn off their EDR product. Now, because it was the first week of the job and this engagement was eight weeks long, I wasn't just going to disable the EDR like, "Right, the game's done, you're [ __ ]." Instead I went through everything that they had on the laptop, and what I found on the laptop was, for some reason, I don't know why they were doing this, they were backing up the SAM, SYSTEM and SECURITY files to the C drive, and because I had local admin I could access them on the C drive.

So top tip: if you're locking down endpoints, restrict access to the local C drive for normal users, because if you don't and you're backing up the SAM, SYSTEM and SECURITY files, what attackers can do is take them offline and disable all the security controls in place on the laptop. What they had was they were blocking USB access, so obviously what I wanted to do was take the SAM, SYSTEM and SECURITY files off. For those who are not aware of those files on Windows, they make up the local database of hashes for users on Windows. So I took those off the machine, put them on a USB stick, took them off to my rig, which was actually outside, and loaded them into a tool called secretsdump. What secretsdump will do is combine the three files and create you essentially a block of NTLM hashes, which you can then pass into hashcat and crack back to plaintext. By doing that, what I found was the local admin had a hilarious password, I think it was like Password1 or Password2, and I was like, this feels too good to be true. So anyway, I took the local admin password and passed it to my colleagues who had another machine on the network. So I was acting as the insider threat, I was the legitimate user, and my colleagues had a Linux machine that was an implant on the network. While this was a red team, we were trying to remain under the radar and hide in plain sight, so what I did was I started to browse around their environment and make noise as a disgruntled employee, or more so someone who didn't really know what they were doing. Of course I knew what I was doing, but I was focused on going after their SharePoint, things like that, all the while my colleagues in the background were taking those local admin creds and spraying them across the network with CrackMapExec.

Now, what CrackMapExec does is you can give it credentials or you can give it hashes, and you can give it a list of hosts, and you can spray across SMB, RDP, MSSQL and LDAP. They were using SMB because it's most common. What CrackMapExec does is it logs into machines using whatever credentials you give it, and it will allow you to do different actions. The action in question for this particular attack was they were looking to dump the LSA secrets. For anyone who uses different EDR products, if you try and dump the LSA secrets, most good EDR products will block it and tell you that it's a problem, but if you're not up against a good EDR product, which was the case here, what we found was we dumped the LSA secrets, which gave us additional credentials within the environment. So we found a service account in the environment that had local admin everywhere. While we had the local admin hash, this was the main user that had access to servers. It's worth mentioning at this point the local admin hash that we had... sorry, interrupting, I'm sorry, I can take off if you like? Yeah, for YouTube: police just walked in and ruined my talk. For everyone else, anyway, so yeah, we sprayed that through the network with CrackMapExec, we found credentials off different machines, and we got a service account that had local admin. Because we had local admin from the laptop, what we found was that was local admin for the workstations. This client was at least doing a little thing well: they'd segregated their admin privileges, so we had local admin on the workstations, but with this service account what we found is it had local admin across the server estate, which obviously, as anyone can guess, is a bad thing.

Because we were trying to remain under the radar, what we did was we back-pocketed that service account, and then from more spraying we found more sets of credentials, and we found credentials for an account called Domain Joiner. What that account was able to do is in the name. By default in Windows any standard user can add up to 10 machines to the domain unless you harden it, and in this scenario what the client had done is they had locked it down so that only this one account could add machines to the domain. So by adding machines to the domain we could essentially act as a malicious actor from a Windows machine, doing all sorts of malicious actions without being detected by the security stack. Now bear in mind I still had this laptop from this customer, I could still do things, but it had the full stack on it. So we added a Windows machine to the domain; we actually renamed it so the host name matched the laptop that I had, but off by one. So the host name was like LAPTOP001 and we added LAPTOP002, thinking nobody's going to notice this. I mean, obviously it's a bit more complicated than that, they had hexadecimal in their host names, but we just put it on the network. What happened was we started to perform malicious administrative actions, and by that I mean logging into machines with the service account, dumping the LSASS process, which is where all the credentials are stored, and eventually it got us a set of credentials that were domain admin.

Now once you get domain admin in a pen test, that's usually it, game over, it's like, "Right, okay, got domain admin, do the DA dance, job's done." But in a red team you're not looking to set off too many alarms. Now, granted, we had sprayed the network, so we were pretty noisy, but we were looking at what we could do from there. So the way that I see domain admin is that it's stage zero. The way that my colleagues describe it is we are like psychopaths and serial killers: once we get domain admin we go after the dit, so the NTDS.dit, which is where all the hashes for the network are stored. If you think about a serial killer, they collect like the pinky toe from their victims; the dits are what we collect. So we pulled the dit off the network, cracked it offline, got access to all the credentials, and then we went after the actual objectives. The main objectives that we had were going after sensitive data, privileged access and other things. The first thing we did was we went through Active Directory and went, right, what users are likely to have access to these systems? Went through them, targeted them, popped their machines, got into VDI, then rinse and repeat, and eventually we got to the end of the engagement and we got all these things, and we were like, right, okay, blue team's not seen anything, I wonder why. Turns out my colleague had popped the head of the security team and was just sitting deleting logs from the dashboard as we went.

So yeah, hiding in plain sight. Unfortunately we've only got half an hour, so I've got three war stories here; I might not cover them all, but we'll see.

The next one is VAs. So vulnerability assessments are not the be-all and end-all, and the original plan for this talk, like I said, was taking low-risk issues and calling them high-risk issues. What we found here was, Nessus is terrible for a lot of people. So Nessus and/or Tenable have a really bad habit of marking things for compliance as high risks and critical risks, and more often than not, things like SSL and TLS, unless you're Scott Helme and have a hard-on for SSL, it's not really a critical risk unless you're going through like PCI, where you can find some things. But what we found was in Nessus specifically there are a lot of informational risks that are raised that people often forget about, and one of those informational risks in this scenario specifically was Cisco Smart Install. Now, Cisco Smart Install is a, well, it's not, anyway, this wasn't a red team, so we weren't bothered about being quiet, and we connected to the switches, downloaded all the configs, got access to other things and added ourselves to the network access control, so we bypassed network access control. So moral of the story is, look at the informational risks.

Now that's a short war story; I've got a little bit more of an interesting war story. So they'd done a PCI, yeah, PCI, payment card industry. Technically speaking you're meant to segregate, segment, segment, segment, anyway, your networks are supposed to be separate, and in this case they technically were separate, but they weren't, because networks are never separated. They had essentially an environment whereby I was given access to a Windows machine within their PCI enclave and a Linux machine within the corporate network, and the objective was to see if I could pass traffic between the two. Now, at a network level I couldn't, there wasn't any route, but what I found was they were doing access control based off Active Directory. So, talking about doing AD earlier on, getting domain admin is often stage zero before you even go after the objectives. In this client environment specifically, what I had to do was find a way to get domain admin to add myself to the specific group in Active Directory to access the PCI environment. So what I did was I turned to trusty old ADCS, Active Directory Certificate Services, which is used for issuing certificates within a Windows environment, and the vulnerability itself is vulnerable certificate templates. You can essentially enroll a certificate on behalf of another user or on behalf of another group, and what we found was there was a certificate that was vulnerable, that our standard domain user could enroll on behalf of the domain admin. So essentially, using a tool like Certify or Certipy, or there's many other tools, you can query the ADCS server and say, "I want this certificate, but I want it on behalf of this user." This user in particular was in the Domain Admins group. So did that, got domain admin, I was like, right, great, got something to happen. What do we do next?

Well, typically, because we're serial killers we dump the dit, we go for the things, but because we were looking at specific users, what we did was we took an Active Directory Explorer dump of the domain, which is a Sysinternals tool, and going through that we found two or three different users that were marked as secure. They weren't secure, they just had "secure" in the name. So we went after those, we dumped their hashes, we cracked them, and we used them to access the other network. Once we were in the network I was like, oh, this is PCI, there's a bunch of stuff in here that I probably shouldn't have access to, including stuff belonging to three letter agencies, because they were doing investigations at the time, and I'm like, I'm just going to put that over there and not touch it. Client calls me up, they're like, "Oh, did you get into the enclave?" I'm like, "Yeah." "Yeah, we got a phone call from said three letter agency saying someone was in the network." I'm like, "Yeah, that's probably me." Turns out I'd set off one of their honeypots. Moral of the story is, if you see three letter agency, don't touch the documents, probably not a good thing. So that's segmentation.

The last war story, because we've got like 10 minutes, this is an interesting one. This is from a while ago. So I've been doing pen testing for the last 14 or 15 years, a while anyway, and when I first started I worked for a large computer manufacturer, I don't know if there's any here, there's not, thankfully, who had a security team, and as a junior pen tester I was like, all right, okay, I'm going to do a lot of things: web tests, infrastructure testing, APIs and things like that. One of the things that came up was a large Middle Eastern bank who were like, "We want to do a pen test," and I'm like, "All right, great, yeah, cool, cool, cool." But I don't know if anyone's dealt with people in the Middle East; they tend to have a lot of [ __ ] money, like tons of money. What I found was, in the application specifically, there was a bug. What the bug allowed you to do, because there's always bugs in applications, what the bug allowed you to do was transfer money to other people's accounts. Sounds okay, like you have to do the money, it's okay, but what happened in this specific instance was the cutoff for anti-fraud. Now, typically anti-fraud in the UK is about 10 grand or something; in America I think it's maybe 20 grand; in the Middle East it's in the multiple figures of money, or in this client specifically anyway. So what I found was a transfer where I could say I want to send myself five pounds. All right, cool, there you go. Right, we'll just step it up a notch, let's call it ten pounds. Now the checks won't do anything, so I could just put an account number in, transfer the money across and have the money. We stepped it up a little bit more, and I was like, right, okay, what about like a thousand pounds, because that should set something off? Nope, nothing. Ten thousand pounds? Nothing. I was like, right, okay. I called the client, I was like, just double checking, what are your fraud cutoffs? They went, "Oh, it's like a million, a million pounds before it's a problem." I was like, all right, okay, cool, but your testing account won't let you transfer more than 999,999 because that's the cap. I was like, okay. So Monzo have got this great feature where you can spin up a virtual card and it will give you a new bank account that will be temporary. So what I did was I spun up a temporary bank account and I asked the question, well, my test account's not going to let me do this, can I try this with a legitimate card? They went, "Oh yeah, our fraud detection system will definitely catch that, it'll be no problem." I'm like, all right, game on folks, game on. So I put my card details in, then I'm like, right, go through the normal thing, so I'm like, I wonder if this is a test
system for like a penny and