
All right, so my name is Matt Batten, and we're talking about movement after initial compromise. So we're talking about, once you compromise the system and it calls back, what you do right after that. The picture: neither of us have babies, everyone always asks that, we don't have twins. We're saying that it's our first time presenting, so we're newbies, go easy on us. Yeah, all right, so there's a picture of a Harley and my wedding, I just got married, you may see more pictures. We've gone to a bunch of talks and then we realized that a talk like this would be beneficial; it's what I've wanted to see, and hopefully you guys enjoy it. So again, my name is Matt Batten, and I go by sleep zero. In Cobalt Strike that's interactive mode, so it's kind of a double meaning: I don't sleep a lot either, but I'm also in interactive mode, which is not good tradecraft, we'll explain that later. So my handle is sleep zero. I have a GitHub; what I have on there right now, my most recent one, I called Mr. BSDY, but it's a Python script that takes all the logs in a beacon and actually outputs them to a CSV that you can upload to whatever you want, like a database, later. I currently work at SIXGEN; that's our CEO. My team is amazing, a bunch of brilliant minds, and I get to work from home, which is a benefit, and I've never been around such smart individuals who teach me stuff every day; I'm really blessed to work with them.

So I'm a husband; again, there's my wife. She didn't know I was gonna put that picture on the bottom right, so that was at DEF CON this year, her hugging R2-D2, and our wedding in May. And that's my cat; I love dogs too, but he's just always angry, I wanted to put that picture in there.

All right, I'm Hartley. I just go by Hartley because I'm still currently active duty military and my parents didn't spell it properly, so no one pronounces it. Also, I'm not married, just an older brother; I have little sisters and I take pride in them. Red teamer, penetration tester, and my dog.

All right, so what we're going to cover: we're gonna talk about initial recon once on the compromised system, right, so we're talking about after the fact of the callback. Then we talk about lateral movement, that's how to move to the systems around that network that you already own, so sending data through an already compromised system to a target, right; you don't want all that to come from your attack platform, you want to hide where you're coming from. We're gonna talk about tradecraft while doing this, and also what tools are being used today, right. So, setting the stage: I'm on your computer and I see your data.
So, setting the stage, you're already on a compromised system. To get into it: this is a Bash Bunny, and a lot of people here probably already are aware of what it is, you can do a lot with it. It changes colors when you plug it in so you'll know; it goes from red to green or purple, and when you plug it in you can wait twelve seconds and your PowerShell one-liner will run, or it'll go to a web server that you have a payload waiting on that will call to your C2, right. And I mean this sounds like a lot, and the way it goes, an example would be a secretary at a company. You show up: Bob's the secretary. "Bob, I need access to your servers." Bob says, "Well, Sarah didn't send me the email." "What's Sarah's last name?" "Sarah Smith." "Thank you, Bob, do you have a business card?" "Yeah, here." "Thanks." I take a picture, and I sit and operate in a hotel room. He already has a system compromised inside, but we want more, and then they'll end up sending an email, a spoofed email, to Bob from Sarah, allowing me access to the server room. It's very common, so phishing emails and physical access, plugging Bash Bunnies and Rubber Duckies in, is a common way. Rubber Duckies are seen as a keyboard, right; as soon as it's seen as a keyboard it'll run through my payload, your PowerShell, and call out to your C2 or the web server. You can actually stop it just by whitelisting the manufacturer and model of your keyboard; a lot of people don't do that, that's a lot of work for large organizations to do. We're gonna save our USB stuff for now, no more.

So, questions to ask yourself: Who am I, right, so it's pretty deep, but who am I on this network, where am I, what's around me, can I get SYSTEM on the current box I'm on? An example for this one: when I was taking the OSCP, a lot of times I had popped my own box and I wouldn't even be aware of it, and I would just run tools immediately. I'd get a shell, I would just start running tools and just cause havoc on my own box, and you know how embarrassed I was, by myself, so 30 minutes later I'd be like, wow, I'm an idiot, you know. And I hope people admit that here; I admit when I mess up. So the questions we posed at the beginning of the talk: the commands we're going to go through are gonna be what you're gonna use to answer those questions. We will be showing outputs and screenshots from them so you can actually see the output, but some of them I like to pick out because they're my favorites. I'll be having that net group "domain admins" /domain;
this will cause traffic on the network, it's going to query the DC on the network, but that is very common because machines on that network are clearly doing it frequently. What it does, though, is it allows you to see all the domain admins on that network. That is gonna be like your goal; that system is the highest privilege level, it's nice to get, but that's not gonna be moving box to box, box to the DC; it's gonna be very system-specific, and moving around the network goes by what's local. The next one I like is the netsh firewall show config, because box to box, like now, Windows Defender can be on each box, there can be multiple, you'd like to know how they're configured, are they operational, and what they are, because you can do your OS or type of the network so you can get through it.

So the following is just another list, and I hope you guys understand and know that these lists are all gonna be commands that we're not uploading, right; they're already gonna be built into Windows, built into the command line, they have PowerShell equivalents, so you're not gonna be doing anything... yeah, burying someone's command, I wouldn't be doing it. Out of these commands, my favorite is hostname; exactly, yeah, my own box, I wouldn't have spent that 30 minutes on a test (it was a test rather than OSCP) wasting time trying to figure out what is actually attacking. And the arp -a, it's a very good one: it shows you who the box, the target, is actually interacting with, and their addresses, and you can actually do a lot of exfil and get a lot of information from that itself. So, like I stated before, you'd be... so, as you know, we're in the command line; we were looking at a shell before. So these are commands, enumeration commands, I don't think... oh, Cobalt Strike: so when you have a beacon you actually have to put shell before your command because it's a Windows command. Like I said, that net group "domain admins" /domain, you see it up there on the top right. Batman fans: as you see, our domain admin is Joker; that's gonna be our target for the rest of the talk. We'll use examples; we're gonna go after domain admin, using Joker as the goal, and try to accomplish that. Another one I like is net user /domain, because you can't always get a domain admin, you know that's the keys, domain admin, but if you can't, a regular user still contributes on the network without looking really suspicious, because especially if you have roaming profiles in a job where you move around a lot and the same desk isn't always open, you will be able to log in to multiple workstations within that actual network and it won't look
suspicious. All right, the net start command is a big one, whether you're a blue teamer or a red teamer. As a red teamer, you can see everything that's started on that Windows target as it's being booted. But as a blue teamer, if you're looking at it, say we have a service, it's our persistence, it's named something silly to blend in there, but it's running on the machine every day at 7:30 or whenever the machine is actually booting; you will be able to see that there, you'll see that and be like, oh, what is this, I haven't seen this before, I've been doing the job for a while, then Googling it, oh, it's nothing known, I might be compromised.

Okay, my favorite part also out of this slide is the top left, that's netstat -ano. This is a big command for both red and blue teamers. The switches for that: -a is gonna show both TCP and UDP protocols, the -n is gonna list it in numerical value by port, and the -o is gonna show you your PID. So as you see here we have our beacon; we do this with our beacon so you can see our connection. As a blue teamer, why you're seeing a connection from an IP not on your network, that's pretty self-explanatory; you don't want that, very suspicious. But also as a red teamer, if you know a blue team or a hunt team is deployed to the location, or if you think you've been compromised, you can see that process ID that your actual beacon is running under, you can kill that, and do your cleanup and then kill that and try to get out of there before you're getting caught with your hand in the cookie jar.

All right, so netsh firewall show config, on the last slide as well, or show state, but you can actually see Windows Defender; so I disabled it, right, remote admin mode disabled, but that means you want to run it to see what the firewall's configurations are and why. And then a random thing I just thought about that wasn't on our slides while I was talking was net helpmsg; it's actually a really useful net command a lot of people don't utilize, and I thought about it from my last test. So when you do commands in a Cobalt Strike beacon, or even Meterpreter with Windows, sometimes it will give you an error code, it'll say like 3; you can actually do a net helpmsg together, net helpmsg, space, the number, and it'll actually tell you what the error is. So like access denied, which is the most common, right, it's like 5 or 53, or 5, you'll remember, but you'll see that it's super helpful, so if you get that number back you do a net helpmsg, you know immediately.

A route print, so it's going to show you the pathways or the route table, right, and then you can actually do a -4 as well to just get IPv4; so I've shown IPv6 and IPv4 to the gateway and everything there. A tasklist, so it's going to show all the tasks and process IDs associated with it, so all the services, like what actually starts, or tasks. And then the driverquery shows all the drivers on the target. Something cool about driverquery: you can actually do a driverquery /fo csv, with switches like
that, and you can actually output it to a CSV for later on, post exploitation, so it's super useful. And that top one we actually found out from Dave previously; when we spoke, he was a speaker earlier, he pointed out that it's actually going well with a WMI exploit. And then going on to arp -a, also, they pointed out something really awesome: the first three octets in your MAC, you actually will know from the OUI, organizationally unique identifier, right; it'll actually tell you what type of, or where, I guess, the organization came from, right, what it specifies, so you get more details that way. I'm just going to associate the MAC and ARP cache.

So, what's around it: set, it's your environment variables. The reason I said... the actual reason, the truth is, I run it because I'm lazy to do systeminfo and I forget to, you know, findstr and then do the specific OS. I just mostly want the OS and the domain controller, so I just run set, I just look at the output and there it is. It's got some... schtasks /query /fo list /v, but the /v is important at the end because it'll actually show you what user the scheduled tasks are running as, so that's why that /v is really important. So, respect your surroundings; I thought it was funny, no one else... it's fine. whoami, so it shows you who you are on the current system. echo %logonserver%, so that shows you your domain controller, but somebody's gonna argue with me or say, buddy, well, you know, that doesn't always work, and I understand, like, you're right, probably 90 percent, 80 percent. You can actually do an nltest, like get the DC name, I believe, is what you do; nltest /help will tell you as well, but that'll give you a hundred percent. But I run echo %logonserver%; I could use, I mean, actually show the user as well, so you can see Batman, Batman.

Okay, so at this point we were on a system, we know what the environment is, we know the firewall, we knew everything. So now we're gonna get into a method of, just briefly, privilege escalation; I know the talk isn't about that, but we're gonna do it once, because some of the lateral movement I'm going to show later in the video actually requires higher privilege than just a basic user on the machine. So what we're gonna go through is using PowerUp; it's part of the PowerSploit toolkit, SpecterOps created it. So here we're gonna go to the PowerSploit toolkit; privesc is what we want to
accomplish with this script. We're gonna import PowerUp.ps1 and then Invoke-AllChecks; it's just a command in PowerUp. What this does: it's gonna run on the target system and it's gonna look for any misconfigurations by the administrator that I can take advantage of in order to actually accomplish the task of privilege escalation. It runs pretty fast; I sped it up a little bit, let's go back up to it. But the misconfiguration in this video is DLL hijacking, so after we run this, it's really nice, it tells you the abuse function you're gonna have to run through PowerUp, it's Write-HijackDll, and then it gives you the complete path, you don't have to go and guess the path, so you can come in and run it, and then it will populate a beacon for you with that escalated privilege level.

So next, we can't talk about PowerUp without talking about Goku, because, you know, if anyone's familiar with Dragon Ball Z, that one scene takes at least 13 episodes. So what happens when you do DLL hijacking is, first, a self-deleting batch file is created with the command you want to import; you can import any command because when you're creating it you can do -Command, and that will allow you to import different commands. So it creates a self-deleting batch file and hides it within a path on the network; after it does that on the target box, it creates a C++ DLL which then appends the abuse function that we saw earlier, the Write-HijackDll, and then once that DLL executes, it calls that batch file, and that is what gives you your privilege escalation callback within Cobalt Strike, because that is how we used it this time.

All right, so we're gonna talk about different ways to do remote code execution, because we're talking about lateral movement. So WMIC stands for Windows Management Instrumentation Console; so we're utilizing WMI, and that's the command that you would actually put in a Cobalt Strike beacon. We're gonna show you Metasploit examples later as well, a different way, so we're not just going to do one C2. So, I don't know, I think we're doing that... I thought it was funny, Toy Story, "remote code, remote fine". But that's the actual command, and we'll see, we're gonna show you. So I put turtle.exe on the remote target, right; I put it in System32. This is horrible tradecraft, I would never actually do this. The things I would do instead would be to look at what's there already and then I would add a 32 at the end of it; I would timestomp it, probably. I would timestomp another executable or DLL, whatever I put in there, and it would give it the same time, because everyone, right, as soon as your box starts acting up, the first thing you do is, you know, Task Manager, whatever, look at the time, what's the most recent, delete that; that would get rid of that, right.

So turtle.exe, it's on the target. So in this video I'm going to... we make a shell. So I'm on the .12 currently, as administrator of the system I've already compromised; it's called Batman. And first I'm going to remote dir: I'm doing a remote dir on the target to see that the file is actually there, because I don't want to use WMIC and it possibly got deleted already, or they knew, or maybe I lost the beacon or a shell to that target and then I just want to call it again to interact with it because I need something off of it. So I go through; I dropped everything in System32, right there, yep, there it is, cool. And then I'm gonna go and I'm gonna do the command, which is, like, shell wmic /node:, I'm gonna specify the target IP address, right, and so I'm gonna come up in a second, you can see I'm on the .12; IPs are important, so the beacons are up top, you can see they're compromised. So specify, and I want to go to the .8, and I'm calling on that executable that's in the System32 directory.
Something to point out: so I set this as an SMB beacon, and does anybody know why I would do an SMB... so the .8 is a domain controller. So here's a question, I guess I give stuff out for it, right: does anybody know why I would use an SMB beacon instead of a beacon on 80 or 443 on a domain controller? Go ahead. Exactly, yeah, give him a book; yeah, I'll get to you later, I'll keep talking so I'm not walking around, sorry. But, yeah, so like, on a domain controller you don't see traffic on, you know, 80 or 443, like why is the domain controller talking out, why is it talking to the systems; like any blue teamer or network admin would see that traffic and be like, something's wrong with our domain controller, we need to do something. Awesome, I call it Batman; I was explaining that. So you see .8, I had to link to it, so it's just there; it's a binding SMB beacon, so I actually have to link to the target to get access. So if I do 443, like reverse TCP, or 80, it'll actually call back to me, I'll immediately get the beacon. Because I did SMB it's binding, and I think I did a random high port, yeah, 55655, so the traffic's normal on that network.

So, a little reason, like my Twitter handle, sleep zero, which I got because I did that a lot, and I got in trouble for it because I'm, I just like getting things done and going through. And your sleep, your jitter, you have to space that out as well: sleep is how many seconds until it calls back, jitter is plus or minus seconds, so like a good thing to do, you know, set your sleep to 10 minutes, jitter to 10 minutes; that's still pretty short, but I always keep things short normally, I want to do this stuff. So now that'll do 10 minutes plus or minus, any time between the next 10 minutes. Next, we're on to a few more ways of remote
code execution. Just one thing to preface, like what we're going through: these three types is because we just want to show you. The first two ways, you know who we were, we got the privilege escalation, and now we're taking advantage of that privilege. So the second way we're gonna do is a scheduled task on a remote system. So the first line up there is a schtasks /create; this is obviously creating your task. The /tn is gonna be your task name; my partner made this slide, as you can tell, because it's matt.exe. The /tr is gonna be the task, what you actually want to run, matt.exe, and then /sc is gonna be when you want to run it: you want to run it once, do you want it on idle, on startup; there's many ways you can specify. So you can use this as a method of privilege escalation, I mean persistence, or lateral movement. So the second command is gonna be us kicking it off. So the reason we note we specified once is because this is for lateral movement, so we're gonna kick it off, get our stuff one time, and then we're gonna go in and delete it, because that's what we want to use it for. That's proper tradecraft; you don't want to leave a task scheduled, you can easily clear that.

As I went over the first command, this is us actually going through creating the task itself; turtle.exe is the executable we want to call, we're utilizing the same executable that we used in our last video. Like I said, we're gonna do it once, /sc once. If you're only doing it once, don't specify the time, because in the beginning we specified the time and it errored out like three or four times, so we learned that. And then we're gonna run this under SYSTEM; so we can run this as SYSTEM because that gives us privilege escalation and lateral movement onto a target box; it completes multiple goals at once.

This is us kicking it off ourselves: the /tn, the name of the task we created, and then we want to run it on the .8. Yes, that means it executes immediately once we tell it to, so there is no time; it's just that we have to add the flag, because when we weren't adding the flag it errored out, so we would have had the start time flag. We read up on it a little bit more, and then we realized that if we don't specify the time, we execute it ourselves; that gives us the ability to do it on older systems easily as well. Okay, as you see we're on the .8, it's their SYSTEM, so that's what we're running as, on computer Joker. As you see, still the enumeration command, it gives you the process ID we're running under, so if you have to kill it at some point we can, and it's SMB linked; so obviously we had to link to it ourselves. The cool thing about SMB links is the traffic only goes to the SMB link when you decide it to, so say you have your callback, your HTTP callback, set to ten minutes; that will call back every 10 minutes, but unless we're interacting with the SMB beacon it will not call back at all, it'll just wait; it's just waiting for us to tell it what to do, waiting for us to send it instructions.
It's not constantly hitting our machine back. The next way we're gonna do it is a service create, or sc. The first command up there, like our last part: this is going to be service create, the target you want to go to; we're creating Matt again, and the binPath is the path to our executable. And then we're gonna kick off the service ourselves, for time of the video, and then delete it off the target. So, like I said in the beginning, tie it back to the net start command: on startup this would pop up; it's a service that's starting with a box originally turned off, so if you want to use it for persistence, box turns on, service is created, hey, we got our callback at the beginning of the day. So it's not catching our listener; for me, this is the video example. We're gonna go in, I'll create the service "I love baby turtles", because we're still using our turtle executable; I believe in this video we do actually change the path to the temp directory.

The reason we use the temp directory is because when you log off, the temp directory, when the box is, like, rebooted, turned off, you log off for the day, that's just gonna be wiped clean. That's good, that's just good for tradecraft, because, say, you know you've always been on a box as a red team box before, or you don't take all your artifacts off, you don't go through every single process of cleanup, and oops, I've started a service, I left it on the box, my exe's on the box, what do I do; oh, it's in the temp directory, you log off, see ya. So it does it for you, you don't have to actually go and do it yourself. Create our service, "I love baby turtles", binPath \Windows\Temp\turtle.exe. We're very impatient, so you see the service created before you go and run it, "creation success", before you can go and kick it off yourself. So we're just sitting there like, Twitter, and save that here. So this is our command to actually go kick it off, right: sc \\target start "I love baby turtles", because that's what we named it this time. We were pretty, you know, quick to the bleep; up to our first, we were actually so quick, the service, we tried to link to it three times, it didn't work; the fourth time the service actually kicked off and was running on the machine. So you see the child beacon; there's our SYSTEM callback on the domain controller, and there's our process ID at the top right. And just to prove it to... well, now we're going; that's just to prove that on the target machine. Very last, we're gonna go in and we're gonna delete the service "I love baby turtles", just so no one can see that when they're running net start on the box.

So like we said before, we're not gonna do all Cobalt Strike; we're gonna do a different C2 because we know some people don't use that, some people use Meterpreter because it's free, open source. So we're gonna do a psexec,
which is nice because most of what we're doing is already built into Windows or part of the Sysinternals suite, so it's Windows-signed. Execute: how to use that via Meterpreter to move to a target, on the box, SMB psexec. One thing to do with Meterpreter I really like is your show options; it's gonna tell you what you need, what you want to add. So it already has 445 because that's what psexec works with. We set the RHOST wrong the first time; we were gonna target our own box, so that's why we like to have that in the beginning of the talk. I typed that... he is the one who typed that, and then, so you don't have to use the username and password, but we just had it, so at this point why not use it. show options, because sometimes not everything is gonna populate for you, so show options before you exploit it so you know it's gonna run properly and everything is populated; you can type run or exploit, they accomplish the same task. And as you see, don't use port 4444; we didn't change it because this is a demonstration video, but do not use that port, it's what Meterpreter uses by default, obviously it's terrible tradecraft. As you see, our session is open; we're connected to the .8, there's the port that it touches on the .8,
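An added blue-team example, not from the talk: a small Python checker that runs over constructed Windows event records and flags the host-side artifacts left by the four remote-execution approaches just shown. It looks for a wmic /node: ... process call create command line (event 4688), a scheduled task that is created and then deleted within minutes (4698 followed by 4699, the create-run-delete pattern), and a newly installed service (7045) whose binary lives in a temp directory or whose name is not in the known-services baseline, which is the net start idea from earlier in the talk. The event IDs are the real Windows ones; the flat dict layout, the field names, the baseline and the sample events (named after the demo's BATMAN and JOKER hosts) are assumptions made for the example.

```python
"""Added detection example (not from the talk). Flags host artifacts left by
remote execution via WMIC, schtasks, sc/psexec. Event IDs are the real Windows
ones (4688 process creation, 4698/4699 task created/deleted, 7045 service
installed); the dict layout and field names are a simplification (assumed)."""
from datetime import datetime, timedelta

# Directories a freshly installed service binary should not normally live in (assumption).
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\users\\public\\", "\\appdata\\local\\temp\\")

# Constructed baseline: service names the blue team already knows on this host.
KNOWN_SERVICES = {"Spooler", "wuauserv", "Dnscache"}

# A task deleted this soon after creation is treated as a one-shot execution vehicle.
SHORT_LIVED = timedelta(minutes=10)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events modelled on the demo: operator box BATMAN, target JOKER.
EVENTS = [
    {"time": parse_time("2019-05-20 09:00:01"), "host": "BATMAN", "id": 4688,
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:10.0.0.8 process call create "C:\\Windows\\System32\\turtle.exe"'},
    {"time": parse_time("2019-05-20 09:05:10"), "host": "JOKER", "id": 4698,
     "task": "\\Matt", "action": "C:\\Windows\\System32\\turtle.exe", "runas": "SYSTEM"},
    {"time": parse_time("2019-05-20 09:05:40"), "host": "JOKER", "id": 4699, "task": "\\Matt"},
    {"time": parse_time("2019-05-20 09:12:00"), "host": "JOKER", "id": 7045,
     "service": "I love baby turtles", "image": "C:\\Windows\\Temp\\turtle.exe",
     "account": "LocalSystem"},
    {"time": parse_time("2019-05-20 09:30:00"), "host": "JOKER", "id": 7045,
     "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe",
     "account": "LocalSystem"},  # benign: baselined name, expected path
    {"time": parse_time("2019-05-20 09:31:00"), "host": "BATMAN", "id": 4688,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c whoami"},  # benign
]


def in_suspicious_dir(path):
    p = path.lower().strip('"')
    return any(d in p for d in SUSPICIOUS_DIRS)


def detect(events):
    """Return (rule, host, detail) findings for the events, in time order."""
    findings = []
    created = {}  # (host, task) -> creation time, to pair 4698 with 4699
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["id"]
        if eid == 4688:
            cmd = ev.get("cmdline", "").lower()
            if (ev["image"].lower().endswith("wmic.exe")
                    and "/node:" in cmd and "process call create" in cmd):
                findings.append(("wmic_remote_exec", ev["host"], ev["cmdline"]))
        elif eid == 4698:
            created[(ev["host"], ev["task"])] = ev["time"]
        elif eid == 4699:
            key = (ev["host"], ev["task"])
            if key in created and ev["time"] - created[key] <= SHORT_LIVED:
                findings.append(("short_lived_task", ev["host"], ev["task"]))
        elif eid == 7045:
            if in_suspicious_dir(ev["image"]):
                findings.append(("service_in_temp", ev["host"], ev["service"]))
            if ev["service"] not in KNOWN_SERVICES:
                findings.append(("unbaselined_service", ev["host"], ev["service"]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in detect(EVENTS):
        print(f"{host:8} {rule:20} {detail}")
```

Against the constructed events this yields four findings (the WMIC call from BATMAN, the short-lived task on JOKER, and two hits on the "I love baby turtles" service) and nothing for the baselined Spooler service or the plain cmd /c whoami. In a real pipeline the baseline would be built from a known-good inventory per host rather than a hard-coded set, and the 4698/4699 pairing window tuned to what legitimate one-shot tasks look like in that environment.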
and just for a proof of concept, we did getuid, we're SYSTEM, we went into the shell, so we're interacting with the box with the shell; we have the hostname, so just proof of concept, we are on that target from our .6.

All right, so WinRM, another way to laterally move, so from those two ports, 5985 and 5986; 5986 is encrypted. You can send encrypted traffic over 5985; a lot of people argue that randomly for some reason, that's great knowledge to have, I guess. And so Windows Server 2008, winrs, right, Windows Remote Shell; there's a command at the bottom. We don't have an example or a video example, from one, for WinRM, but I love this, it's a meme, I asked you to save your picture, but "Windows Server security: keep out or enter", I'm signing out of it. It's very true, it makes me happy.

All right, so remote registry: this is another way to establish persistence and move laterally, right, and we're actually going to create a registry key remotely on the target, and then we're going to kick it off by rebooting it, you'll see next. So I put goat.exe on the desktop, poor tradecraft, let's just say you guys get a free picture I want to show you. And then, so the service actually has to be enabled, right, Remote Registry, that has to be enabled, and the service, for you to be able to do this, and there's a dude running with the register... okay, so we're gonna use Meterpreter. All right, so currently I have a shell, right; if you look at it, so my attack platform, my attack machine, the Kali box, was the .6. I have a shell back from .10 and I believe I'm going after the .12, okay, so that's kind of confusing. So I'm .6, all right, this is my shell with the .10, and I'm creating a registry key using the hostname, Batman.com, which is the .12, okay. So I create the registry key, I call it wolf, and I'm calling on goat.exe, which is on that desktop. And after I created it, it asked me to overwrite it because I did the video like a second time, third time, to make it pretty. And then I shut it down remotely, so that's through command prompt, right, so you do shutdown /m, so you're saying the system, Batman.com, /r /f /t 0, so you're saying time now; so that's how you restart your box remotely, you can do it through PowerShell as well. And so the box reboots on the target, so when the box reboots it will actually kick off the registry key that we just created on it. All right, so the registry stores, you know, all the Windows configurations and stuff, and that's good to know.

It takes me a second, I'm gonna show you. So I kill the listener and I restart it because I use the same payload that I originally used; we're just gonna call back to the .6 on the same port, which is dumb, but so I did. So I'm waiting for the callback from the .12, so I restart my listener. I'm gonna show you the attack machine and what the user sees, because some people, they haven't worked with us before, like, what the user doesn't see... is there a crazy pop-up, "lateral movement", and there's not. So the user logs in, you see, and watch the other side: you're gonna see my shell pop and it should be for the .12. Boom, and there it is, yeah, thanks. It's exciting when it happens on a real operation, it's super funny, and yeah, gives you that high. Yeah, this is me showing you, that's the .12 on the target, that's what the user sees: nothing happened. Okay, cool.

So DCOM: I'm not the subject matter expert on this, but I didn't feel like it was okay for me to do this talk without mentioning it. Matt Nelson documented it, and there's a lot of resources out there, and it's really awesome and it's
pretty recent, but I'm not gonna try to pretend like I'm smart enough to explain it in real detail.

All right, so next up we're going into Mimikatz. I'm sure, like, everyone in the blue world and red world has heard of Mimikatz at a certain point in their career, whether they're dealing with HIPS, AV, or whatever it is. We're going through a method of being able to run Mimikatz and utilize it without having to put the executable on the target box itself, and so nothing will flag; we're just using, like I said before, Windows-signed executables to accomplish our goal. So in the top left you're gonna see procdump.exe, so procdump, something else. Basically the vector that Mimikatz is gonna take advantage of: you see our profile top left, that's what we're moving, like the target; the dump is the minidump, that's the result from the target, and then mimikatz.exe is being run on our Windows attack platform on the right-hand side, within the command line, and the result is gonna be the cleartext passwords, SHA-1 hashes, and NTLM hashes. So over to my partner, and actually, kind of like our first test together, this was our first test together, and he kind of has a story that will explain more on what happens with Mimikatz, so it's a real-world example.

It was really cool, the first time I got domain admin, I'll never forget, and it was utilizing this. The target was a file server, so I got default creds I knew would work, I got in the system, I saw a file server that hadn't been restarted in probably like a year, and then I knew that a domain admin most likely logged into that file server, right, so those creds are stored in there in LSASS. I couldn't get remote code execution like we were showing earlier, I couldn't get that working, so I actually RDP'd, through RDP, just pretty crazy; I thought I was really dumb and I was just like, I'm gonna do it, and I waited till the guy that was sitting next to me wasn't, because it was embarrassing. But I RDP'd in, and I mapped my share, and then procdump is, you know, Windows-signed, so it's not gonna flag, and I moved procdump onto the target machine, the file server, ran it against LSASS, created my minidump file, right, pulled it off the target and went back through the RDP sessions through the shares and pulled it back to my box. And I sat there for three hours and realized I kept running Mimikatz against the dump file; I had to get the creds, and three hours went by and I couldn't get it working. Architecture matters on the target, and I didn't realize that it was an x86 target and I had a 64-bit Kali attack platform, so I actually had to move the dump file to an x86 machine, I just did XP, I think, and then I ran Mimikatz against it and got cleartext creds. This is my first domain admin; it's free, it's free, awesome.

All right, so Responder: you can't not talk about Responder with lateral movement; it's an amazing tool and it blew my mind. I use it; my first Python script I made, I actually automated a post, a blog by byt3bl33d3r, it was Responder to CrackMapExec to ntlmrelayx, and I used a PowerShell
one-liner that I appreciated with invocation I believe which is a great way to obfuscate your power so am i right other than your own ways that no one knows about but so lmn are it's a link-local multicast name resolution right mouthful NBT and ask that's some NetBIOS name server and the the main difference that you want to get all those two is NetBIOS name server is ipv4 only and that's really they're pretty much the same other than that I thought oh so funny gift no one laughs yeah so hahaha so this is responded running on a party network right so I run responder and I'm gonna show you that on the target machine that I want he's gonna go
to food food is not an actual network resource so it's not Gina so when he queries for when he's like hey I want food since I'm gonna be running responder I'm like hey you know that's you know that's me like come here and then he'll say here's my hash cuz you know on the on the network you're not just passing everything in clear-text gets an algorithm it's hash you might not know that I shouldn't assume everything so I guess through a algorithm and it creates a hash for the user and then it actually passes that so I'm like hey man that's me boom username hash right just wait you know wait stop that has to be signing
you can go into that and like everyone's like yeah sounds awesome but everyone who has an actual network you know has legacy systems and you know you need Samba so you can't really turn on this to be signing but whatever sounds good so run figure uh py is and responding uh tools folder and I'll actually show you the OS domain and whatnot SP signs on or off because next time would you after this I'm gonna show you how multi relay work so I'm gonna put it all together I didn't want just talk about responder not show how to get a shell utilizing it you can pull that hash from the previous slide offline and crack it
as well, right, which everyone loves to try to do. So there's the output; my domain controller has SMB signing on, the other two don't, right.

Alright, MultiRelay. So we put this gif because, you know, since we're doing this talk we're gonna pretend like we got this on our first try. Not true; it took a little bit, a few hours, and we realized what we were doing wrong, like what idiots we were, and we got it working. So it actually relays the hashes that it collects to a target to get a shell, or you can run commands and stuff too, but this is it all coming together. So in the beginning it happens pretty quickly; in the beginning you'll see me edit the Responder.conf file, the configuration file for Responder, right. MultiRelay uses SMB and HTTP to pass the hash, so I have to actually turn HTTP and SMB off in the Responder.conf configuration file, so you're gonna see that. So there's the target, it's the .12, Batman again, and I'm the administrator on there, right. So that's the target, and then you'll see I turn off HTTP and SMB because I have to use them for MultiRelay. Ctrl+Shift+T in Kali in the terminal will actually give you another side terminal, like I have. Super useful tip, I love it; I don't understand people that can do a million terminals, so I just do Ctrl+Shift+T and go through it. But so, MultiRelay, you can specify the target, so you -t the target; you can do a whole, you know, class C, or you can specify a whole class C, or you just do one target. You can specify what users you only want to pass the hash as, as well. So for this one I did all users, I did one target. So I'm saying any user that passes a hash on this network that is vulnerable to Responder and me poisoning it, I'm gonna pass to this target to get a shell. So you'll see me, I'm running on the interface, I'm listening. I think for this one I did "hi everyone", so you try to access a network resource that's not there, so "hi everyone", okay. Responder runs, there's my shell, yeah. Alright, anyways, you can do a bunch with it at that point; you can pass off to Meterpreter, Cobalt Strike, wherever you want. It's really useful.

Next we're gonna go over port forwarding. This is a good way to kind of obfuscate your traffic, right. Port forwarding for the most part is funneling your traffic through a callback you already have, so no one will see your attack platform. So like we've been doing, we have our attack at .6, that's our attack platform; we're gonna be funneling through either the .12, the .10 or the .8 to get to another one of those boxes on the network so they can't see any of the traffic from our .6 originally. The different types are SSH, Metasploit, plink, proxychains. Today we're doing Metasploit and proxychains because those are two of the most common C2s that we see out there. Okay, port forwarding with SOCKS. What you see on the right is a file you have to edit on your Kali box, it's proxychains.conf. You're gonna have to make sure that the IP is your host box and that it matches up with the port that you're gonna create the SOCKS proxy on within Cobalt Strike. So as you see, we have port 8000 in our proxychains file, port 8000 socks command on Cobalt Strike. Just to demonstrate this, it's a quick video, we're just gonna do an nmap scan. So proxychains, you have to type that before the command you want to do and the traffic you want to funnel through your beacon. So we're gonna do nmap, we're gonna scan a target that we don't have a beacon on and push that traffic through the beacon. So the ports we're just gonna forward, just for demonstration, are 22, 3389 and 445. That's gonna be the target IP open, so you do get actual results back. And one thing I want to point out from earlier
I forgot to mention. So for Responder, a real-life instance as well, with companies, they'll have switches and they'll say port security is enabled, and if you unplug that Ethernet from a switch, you know, a locked-down switch, most likely it will lock after like three, but you know, if a different device plugs into that it'll know, based on MAC address, right. But all any good operator, or person, or hacker, whatever you want to call them, has to do is unplug the Ethernet from the switch, plug it into their own laptop, run tcpdump or Wireshark, clone the IP address and MAC address, then they plug their laptop into the same Ethernet port and they're that device they unplugged. A lot of people, that blows their mind; there's a lot of places where they don't understand that. And then you run Responder. So I'm on the network now, I'm running Responder, I'm just collecting whatever hashes as they go across. I wanted to mention that, back to earlier.

Like I said, the second demonstration of port forwarding is gonna be through Meterpreter. A lot of this is creating your payload from Meterpreter, right. We used msfvenom; the payload is reverse_tcp, LHOST is gonna be your attacking host, your listening host, sorry, and your output is gonna be whatever you want, alright. And then you output that payload to the document, or the executable name; that's very important. And then you have to make sure, we did this side by side, because we started a multi/handler, which is your listener. All that has to be the same as what's in your payload, because if they're not the same you will not be able to catch your callback once you execute. So what we showed here is, we tie this back to physical access. So if you have stumbled onto a computer, if you're skilled enough to get onto a computer, like infiltrate the actual company itself, we can host a payload using Python, using the SimpleHTTPServer module, and what that does is it serves whatever files are in the directory you run the command from. So you have your insider threat in the network browse to your IP address on that port; as you see, cat.exe shows up, you see the GET request, and they can go ahead and download and execute that on the target.

So first we're starting a multi/handler, we ran our listener, executed cat.exe on the target box, all just perfect. Then it's always nice to do getuid, shell, hostname, just to say who you are, where you are, make sure what you're targeting is in scope of your assessment. And then last is actually getting to the portfwd add. So you're gonna run portfwd add. Don't run this within shell, run this within your Meterpreter session itself. portfwd add, you have your -l port, the port you want to go after, and then -r is gonna be the host you're trying to forward to. So we tie this in with that scanning we did earlier through our SOCKS proxy; we saw 445 is open, so an exploit like EternalBlue that can go after 445, that's how you can get it there without seeing it come from our attack box itself. So, like, an example, we're just attacking ourselves. It blows people's minds the first time they use port forwarding. It blew my mind, where I attack the machine, I forwarded my port 445 to the target's port 445; it was the first time I learned it. And then you exploit. So in your Meterpreter session, or the Metasploit framework, you're actually saying I'm attacking myself; that's your RHOST, the target, right. You're saying you attack yourself on that port that you forwarded. So if you didn't forward that port you're just actually attacking yourself. It's kind of a mind freak thing when you first do it.

So, can't talk about lateral movement again without BloodHound. The SpecterOps guys are amazing, and I just thought it was funny having the dog's head bouncing around. But there's us connecting to Neo4j at the bottom left, right. Neo4j is a graphical management platform, so it just makes pretty pictures for all that data that you collect utilizing BloodHound. So you start your Neo4j; it takes a lot
to configure it, but they have a really good write-up, go to that and read it. And then this is actually me running BloodHound through Cobalt Strike. So when I run it through Cobalt Strike it actually drops a zip on the target, and that .zip I then pulled back and uploaded the CSVs into the Neo4j console, right, and then it'll give me the pretty picture. The issue with that is you're actually, you know, dropping a file on the target, so if you drop it on the desktop and a user's on there, they're gonna see it, and a lot of operators aren't aware of that the first time they utilize a tool. And then something really cool I actually learned not too long ago was that you can use the REST API. You can actually do a reverse port forward through Cobalt Strike, so you reverse port forward, it's like 7474 or 7878, I can't remember, but you do a reverse port forward for that port, and then when you run it you do, like, Invoke-BloodHound, right, and then it'll be like -URI "http://127.0.0.1:7878" -UserPass "username:password", you put the username and password to your Neo4j, and it'll actually take all that data and just pipe it into your Neo4j without dropping the zip on the target. So that's really cool and super useful, and I thought it was super badass. And that's what the output looks like, right: green are users, yellows are the groups, and the reds are the systems that we compromised. So this is an example of the shortest path to the high-value targets, and it just makes it all pretty for you, so you can click and it'll actually tell you the pathway you need to go.

And then I didn't want to say all this data and put it all out there without giving the references where a lot of the material came from: people smarter than me in specific areas, and I do their work; they're the ones who really came up with this, and then I just use their tools, and I want people to know about them and talk about it. We're gonna post all this later as well. So these are the people who influenced me a lot, and who I follow on Twitter, and they might not even know it, so I fanboy over them a little; they're awesome. You know, that's why I'm "hack for the network", which is like fanboying. I love the guy from The Office, he's my favorite, so I just imagine, like, because you just pretend to be a bunch of different people, it's pretty fun. And then if you enjoyed this talk and would like to know more, these slides will be available; we're not sure where we're going to post them, probably on my GitHub or other things later, and then obviously this video is gonna be available. Feel free to message us on Twitter; I'm super interactive, I love collaborating. If anybody has any cool ideas, you know, I write in Python, I'm currently writing some implants and stuff in C, and I'm trying to create my own C2 right now, just, like, super on the side, fun, but if you might want to work with me on that, it'd be pretty cool; you might be interested. And yeah, does anyone have any questions? You have one, you ask. Sorry, what was your question?

With WMI, the WMI commands, what are the artifacts that are left? Off the top of my head I do not know; I'd have to actually look into that. I know there's blue teamers out there; for WMI itself I do not know the artifacts that are all left on the target. That's why, normally when I'm doing my red team assessments, I have Google, right, I mean, look it up or something. Oh, cool, thanks. So for WMI itself, off the top of my head, no, I do not know. Can it be shut down? I mean, you can lock down WMI pretty low, but as for, like, tools, like interpretation, like how to set up your configuration, like monitoring, like processes and stuff, that's a lot of information that we hit hard on the red team, and it gets super deep in a blue team. Yeah, man. Anyone else have any questions? Go ahead, man, please.

Yeah, it's awesome.

Actually, thank you for that; now I don't have to Google anything, I can... Alright, does anyone have any other questions? Yeah? No? Alright, thank you for coming. Oh, thank you for coming. [Applause]