
So what we're going to be talking about today is red teaming. This goes a little bit beyond what a typical pentest, a typical engagement, is. If you were here for the Manipulating GUI Elements talk, I'm sorry, I'm not decaf. I know it's a letdown, but close second, maybe.

So, a little bit about me. I work for Dell SecureWorks; I'm one of the red team members, kind of just hanging out. I specialize in AppSec, NetSec, mobile security. Generally speaking I'm working with a team of two to four guys. I've got guys on site that are breaking in, dropping boxes on your network; once they're in, it's my game. Where you'll find me: Nate dmac on Twitter; you'll find me on IRC on Freenode, usually hanging out in the DC801 chat room, etc., etc., etc. Just a word of note: this does not endorse or say anything for SecureWorks; I'm speaking on my own today.

So, about you. Who in here are my blue team guys, network security defense at your organizations? Couple of you. What about GRC, compliance guys? Who in here are my professional pentesters? Yeah. What about, who in here is responsible for your organization's security? Well, first off, the GRC guys, get out of here. No, just kidding. You guys make my life easy; you make users sloppy. But blue team members, thanks. You guys do a lot of good work, work long hard hours, you're doing what you got to do. For the pentesters: keep doing what you're doing, let's keep fighting this good fight. And for who in here is responsible for your security: I'm disappointed. Every one of you should have raised your damn hand, because just because you're not an admin, just because you're not involved in security, doesn't mean I'm not going to exploit you to break your company's security. By you clicking my link, I win, and you cost your company $191 million, like what happened to Target last
year. I forgot, I put all the fancy animations in and didn't even use them. Anyways, let's start with some quick definitions here about what a red team is, what the defining factors are and what the differences are. So who in here knows what a vulnerability assessment is? Anybody? What's a vulnerability assessment, Danny? Do you actually exploit them? Do you actually go in and do more with it? Great, that's exactly right. All I'm doing is a scan, a gentle scan: look at what's running, what's listening, there you go. How about a pentest? Who knows what a penetration test is? What would be a penetration test, what would I be doing different?

Definitely. Oh, by the way, I didn't say this: I'm going to be asking questions. Please give me feedback, talk back, let me know if you have questions, concerns, comments. Please chime in. You know, I don't want to be just standing up here to talk; I actually want to give you guys some good information, something you can take back to your organization. Yep. Generally speaking, I'm going to find a vulnerable service. I'm going to find every vulnerability I can on your network, I'm going to make sure I can penetrate those, I'm going to document the patches, the fixes: here is everything. Usually limited to scope, though, meaning I'm coming in, I'm doing a network pentest, I'm not looking at all your applications, I'm not looking at your mobile, I'm not social engineering your users. Oh, it's a web app assessment? Okay, I'm looking at just these web applications; I'm not looking at the network, I'm not looking at everything. Now here's the fun one: red team. This is where it gets good. Who in here knows what a red team is, how you would do a red team?
Yeah, people to find problems and just make a point, put your... yes, to an extent. So one thing about it, especially in terms of IT: what is your environment? So, for example, your users, your applications, your network, your physical security, your environment, everything you have, that is in scope for me. So if I want to come in, pick a lock at two in the morning, walk in and drop a box, great, I'll do it. I want to social engineer your CEO, get him to click a link, because there's a new article out in Harvard Business about, hey, security is great, you need to come read this article. Well, it's a laced PDF; we win. The other fun thing about this is I am not looking for every vulnerability on your network. It doesn't matter if you've got MS67 on 400 boxes sitting across the network; if they're not going to help me, I'm not going to exploit it, and I'm not going to put that in my report, because I'm not going to be looking for it. My job is to come in undetected so you don't know I'm there. Generally speaking, I get onto your network, you will never know I'm there unless I goof.

So, danger. I'm going to say this up front: a red team engagement, this is for companies that have an established security practice. They know how to monitor their logs, they have patch management, they have firewalls, they've got security teams, compliance teams. So I can promise you, if you don't have it, you will never know I'm there, and the likelihood is you are going to be pissed off at the end of this report. When I walked in, sat down at a cube, none of your users questioned me, I logged into your shares, oh wait a minute, here's the master password list, included your domain admin. Great, where's that SQL Server? Bingo, game over. I walked out with your credit card database. You messed up, left it wide open for me, I walked out, I'm done in a day. The report's going to represent that, and you're going to be bitter and hurt because, hey, this isn't fair, you didn't give us anything. And frankly, it wasted my time. So as I said, this is for established companies: this is your Fortune 500s, your large institutions that really need that. But that's not to say that every company shouldn't be striving for this. So you're a small company of 20 people, big deal. You've got established security practices, you've built your organization, you've gone through pentests, you've gone through vulnerability assessments regularly. Now let's get a red team in to tell you, hey, this is where your risks still are.

So, a little bit of creepy story time here. How many of you in here
outsource your printer maintenance? Anybody? Printer maintenance: you got your big multifunction printers, copiers, scanners, fax machines, all in one, do everything, right? How many of you outsource the printer maintenance, or have to call in a third-party repair company from time to time because you don't have the in-house staff and technical parts to take care of it? How many of you in here would think that that would give away your entire network? You're right. So here's something to think about. A coworker of mine walked in wearing a Technicolor shirt to service a printer, walked up, put a box inline on two ports, started capturing traffic, velcroed it to the back of the printer, you know, pulled the printer apart a little bit, put it back together, walked out. Came back a week later, grabbed the box, went home, pulled the traffic off it, pulled the creds out of it. Less than three days later: full domain admin, remotely. Think about it. We'll kind of get back to that in a little bit.

Stopping red team: can it be done? Who thinks it can? But is it easy? No. So what I'm hoping, and this is kind of where I'm at, is I want to show you how you would stop someone like me, how you would stop my team when we come on site or when we're near you, because if you're not paying attention, you're going to lose it. We've got three high-level touch points: we have physical security, human security, information systems security. Those are the three areas within an organization that make up your security posture. As was said before, a lapse in one will lead you to a full
compromise. I'll get into this a little faster. Just kind of a little diagram of what I'm saying here, and they all interact. Humans: we as humans, we use information security, we use technology, we go into that. The human factor also allows for the physical. How many of you in here have ever tailgated someone walking in or out of a building? Great. How many of you in here have left a computer unlocked by accident and walked away, didn't even think about it, left it unlocked, walked away? Or how many of you in here, in your organization, bolt your PCs down, bolt all your laptops down, physically bolt all your servers into the rack with heavy-duty cables and locks? Nobody. What would happen if I as an attacker walked in at 2 in the morning, pulled the server out, pulled all your drives out, decrypted everything that was on there if you're even using full disk encryption, took the data, put it back before you got on site? Now I've just stolen passwords. Likely I've gotten a domain admin password or a server admin password. You know, what do I find? Oh, I found a web app server, great, I've got something important there. How about a SQL Server? Now I've got the sa password. What can I do? How many of you in here would know what I do with an sa password, what could I do with it? Even better, how about log directly in as a MySQL or an MSSQL client and start querying the database and do a backup to my own external box? What can I do with that data? Well, was that your credit card data? Was that all of your external users, their usernames, their passwords, their PHI? You're a healthcare organization and I just stole all your PHI. What's going to happen to you? That's why I say a lapse in one will get you fully compromised.

So, humans. Human security: a couple of things about us. We like to be helpful. How many of you in here were taught by your parents, hold the door for people, be polite, help them out? You see a
guy carrying an armful of books or carrying an armful of boxes, pushing a cart, what are you going to do? Oh, here, let me hold that door for you. Yes, okay. We like to feel important. How many of you in here like to have your boss come up and say good job, or a client say, you know what, good job, thanks for doing that? You know, it makes us feel good. We like to feel good about what we do. Or you hear from your wife, your significant other, whoever: hey, good job, thanks for doing that. We don't like conflict. As humans, our natural tendency is to back away from conflict. We stay out of conflict. As a group we're okay with conflict because it's safety in numbers, but in a one-on-one scenario, I start getting up in your face, start getting real pressing with you, well, no, I'm done, no, I don't like conflict. So the other thing about us: we're emotional. We aren't always logical. We do not always follow things through step by step by step and make the best decisions. We let our emotions play with us, and as a red team member I love it. We are the weakest link in security by far. 90% of what I can do as a red teamer can be done by just a social engineering engagement, the reason being we as humans are weaklings in our organization's security. Phishing emails, phone phishing, phishing. I mean, it doesn't matter what you do as an organization if I can get you to click a link, open a file, give me your creds.

Recent engagement, just a fun story about this. We're doing a red team engagement, a company. We phished 135 users; we had 90 people give us their creds. Wow. What did we do? We played off the fact that there was a recent large snowstorm in the Northeast, up in the Boston, Philly, New York area, right? We said, hey, we're looking at a new experimental work-from-home program, so when things like these happen we can allow you to work from home, we can give you an opportunity to do this. So what we need you to do is go fill out this survey, give us some details. You need to log in with your credentials so we can log it. Pretty much everybody logged in and gave us their creds. We ran rampant across that network. When we delivered the report to the customer, they just shook their heads and cried. The other thing about it was 90% of these passwords followed a very simple pattern. So for you red team guys in here, little trick, little pentest guys cracking passwords, here's something to look for: a capital letter followed by a predetermined number of lowercase letters, followed by a couple of numbers and some symbols. So instead of trying to brute force the entire keyspace, look for specifics. Generally speaking, users will use a capital letter first. Why? They are required. So in your organization, what is your general password complexity? A number, a capital letter, maybe a symbol, 10 or 12
characters. Think about that.

Physical security. How many places have you gone into that don't have badge readers, or how about no biometric access? Just because you have a badge doesn't mean I can't clone it. We do it all the time: walk up, walk by someone, carry the badge reader stuff in our backpack, we clone your badge, we come back later, badge in as you. With biometrics, that would stop it. Cheap locks, no locks. Just because you've got a solid exterior does not guarantee your interior is not soft and squishy. Just because everything's set up nice outside doesn't mean that once I get inside I can't get at that, I can't get inside. So you don't need to worry about... do you have locks, badge readers, biometric access to get to your data center or your server room at the location, if you even have it set up correctly? What about no cameras, no alarms? Do you know if someone in your organization, whether maliciously, accidentally, or you have something else going on, walked into that server room or went into your telco room? Do you have an alarm there? Because if you don't, one thing I might just do is walk in, go to your telco room, plug in. Will you even know I'm there? And how many of you on a regular basis go check your telco room or your server room for extra boxes, or a Raspberry Pi for example, that I just plugged in on your network? How many of you, no, I want to see hands, how many of you in here go regularly, physically check your server room for extra boxes? Do you have guys on site that do it, you know, in a data center? Yeah. Now, that brings a good question up: do you trust AT&T completely, to know that they're not plugging something in or they haven't been compromised? Exactly, exactly. How do you know to trust these people? It's the old thing: trust but verify. You need to know, hey, wait a minute, I've just checked, this is out of place here. Why do I have this little tiny box that's no bigger than that sitting plugged into my switch, and whose is it, what's it doing here? Or how many times do you go check that teleconferencing room where all your video equipment is for that little box that's plugged into the back of the TV, sucking down your wireless and just sitting there because you've left your wireless wide open and all your users use it? And how many times do your users use the same passwords at home that they do at work? Because if I can capture passwords going across that network on the wireless, you can be damn sure I'm trying those passwords for their internal. 90% of the time it works. No cameras: do you review your footage?

Information system security. Now this is where it gets fun. Here's a few points to look at that your network scanners, your security teams, your compliance guys, your admins, everybody, they will not catch this. So how many of you in here, and again this looks a little bit Windows-centric because most corporations do have a large Windows base, and just because some of your most secure stuff is Linux/Unix-based services doesn't mean that passwords aren't going to be reused and there aren't going to be direct ties. So how many of you in here have network shares? Really, that's it? Not everybody
has network shares? Okay, maybe I'm doing the wrong type of thing then. Group policy: got group policies? Do you check your group policies regularly to make sure that something hasn't been left over? Checked your logon.bat, checked your login scripts, checked everything, have you gone through everything? I doubt it. How many of you in here run a perfectly configured DNS service, that I mean there is no possible way that that's going on, and that all of your queries that may come out of every host on these machines will get caught by your DNS, meaning that if they fat-finger, instead of srv1 they type sv1, it'll get caught, that your DNS will catch that? Because if not, NetBIOS will give your network away. Reason being, if you're familiar with how Windows works in general: it looks at its local system, looks at its hosts file; it doesn't have the name, it then asks DNS; it's going to get a DNS response back of host doesn't exist. So what does it do? Hey everybody, who's svr1? Yep, I am, and by the way, here's the challenge, send me your hashes, I'll log you in. What do you do as a Windows client? Oh, here, there you go. And guess what, I've just captured your hashes. Now let's go back to what I said earlier: what are humans? The weakest link. What are their passwords likely going to be? Not that bottom password there, hell no, that's too hard to type. What is it going to be? Something like BSides2015. That's likely what their passwords will be, which means hashcat, set a couple of masks, 20 minutes later I have captured and cracked every hash that gets sent across this network.

And so here's a question. By default, who in here has their DNS set up internally to have the hostname WPAD and has a valid record for it? Think about this for just a second. What did I just say happens from a Windows client? So, and if you don't know what WPAD is, it's Windows by default: when browsers fire up they search for WPAD looking for their proxy settings. If you don't have a valid response for that in your DNS, every time someone starts a browser on your network, guess what, I've just captured their hashes. And now if I want to be a real dick and have even more fun with this, I'm going to say yes, and here are your proxy settings: all traffic comes through me. Oh, and by the way, to help you, here's an executable you need. Serve them, give them an executable to run, that will now be my Meterpreter payload. Who in here, besides you Danny and such, knows what Meterpreter is? For those of you who don't know what it is, it is a very powerful shell that gets leveraged on your box that allows me to do whatever I want: dump the hashes; if you've got administrative privileges, I can dump them clear text; I can start to use your box as a proxy to get to other boxes. Just because I'm isolated to one VLAN doesn't mean I can't get elsewhere because of your box, because it has access.

Some more: your printers. So let's go back to that question I asked earlier. What about your printers? How am I doing on time? I'm a little early. So who in here knows why your printer gave you away,
your big nice multifunction, you know, the $25,000 printer you bought that does everything? Who in here knows why that gives it away? Anybody else have any ideas as to why? No? How do you log into them? What do you do with them? You're close, but let's go one better. How many of you in here know that with your nice multifunction printer you can configure a username and a password in there to scan to email or scan to a PDF on a share, right? Or you print to that. So let's think about this. Generally speaking, those devices have elevated privileged accounts, not because they should, because most organizations do not know how to configure their shares correctly. So what do they do? They give that user elevated access. Reason being, Bob over in marketing needs to scan to his share, Rob over in IT needs to be able to scan to his share, the CEO needs to be able to scan to a little special share just for him. So what do they do? They don't know how to configure either multiple users, or configure the shares correctly to give just this little low-privileged user rights to scan here. So what do they do? Here, here's domain admin, here's a service account, admin level, give you access to everything, right? So what happens? I plug inline, I capture your hashes, I capture the traffic going from your printer out and what's coming back. So I capture everything that printer's doing. And how many of you in here know about SMTP? What do you know about SMTP? By default, what does it do when it sends an email, when it logs in? Is that encrypted? No, it's plain text. Have you configured a different user for your SMTP than what you're doing to scan to share? Because you're using your same internal domain, right? So what happens? You log in, it's clear text, I've been capturing traffic. What did I just take? I just took that password clear text off the wire. I come back a week later, take that box out, do something more with the printer, I'm gone. How many of you in here actually would have caught that on your network, caught me putting a device inline, passively sniffing, not sending a bit of traffic other than forwarding it on an inline bridge, and just sniffing everything as I
go? Anybody? No. What about the tools your IT department installs by default, or leaves over by chance? How many of you in here have used the PsExec tools, the PowerShell tool, not PowerShell tools, the PS, uh, what is it, you know, the old Microsoft PsTools? Sysinternals, thank you. You know, you've got the ability to shut down, run commands, do everything from those. Your IT department builds the golden image. What about, I need to manage how many different machines? Oh, I'm going to leave these tools around, not because I need them right away, because I'm lazy. So what happens? They leave them installed, just because as a regular user I won't go look and see C:\random folder\tools, you know. Oh, we're safe, nobody will know these are here. Me as an attacker, I get on your box, first thing I'm doing, I'm going through every damn folder and drive I have access to, and I'm going to suck every document you have on that machine off, and I'm going to read it, I'm going to play, I'm going to look at it. Oh, wait a minute, can I modify it and put it back to you? Great, I've got more. Or can I exploit something with them? Or even better, you just left PsTools installed with passwords, or you've left history for what these users have done. Great, now I'm going to use that against you.

So another thing: how many of you in here know what SCCM is? Couple people. How many of you have ever validated every package that's on your SCCM, and how often do you do it? How many of you know anything about it, to where the fact that with SCCM its admin creds are left within the configuration a lot of times, so that you can push packages to install with administrative privileges and the user has to click, oh okay, I accept, to install your desktop deployment stuff? It gets left. Guess what, your creds are left. Now, good story, happened to a coworker of mine just recently. They busted SCCM, they pushed a new package, was a Meterpreter shell. Their servers by default pushed and installed these packages immediately; workstations would give him a chance to do it. He also thought, hmm, better make sure I'm getting enough shells; he updated the logon.bat for the domain to also include his Meterpreter shell. His attack box crashed just after his 8,000th shell came in. He had 8,000 active shells to different boxes on this network because of SCCM. What could you do if you're an attacker, someone maliciously coming into a network, and you had 8,000 shells on the network, had a shell on every box in the network? How many of those boxes start up or run with administrative privileges? Your SQL Server just installed my package; I just took all your data and you gave it to me because of your SCCM. Another thing: how many of you in here use something like SCCM or some of these other nice fancy desktop deployment tools, and you can do PXE boot, so when Joe over in marketing gets a virus and screws everything up for the fourth time this week, you can just tell them, reboot, hit F12, select this option? Any of you ever done that desktop deployment stuff? How many of you check those logs, watch for servers booting or machines booting up and taking those images? How many of you have ever gone back and checked your DHCP logs for it
to see what happens? Because I'll tell you what, this just happened for me recently. Got onto a network that already had a few good findings, but I decided I want domain admin. So the admin credentials to join: you have to have domain admin credentials or very elevated rights to install a machine to the domain, to join it to the domain, so you're making domain-level changes. So now I boot up a VM, start PXE booting it, it gets up partway, right as it's getting ready to join the domain I disconnect it and stop the VM. So VMware, how does it do its memory? What does it use? Anybody know, especially when you pause a machine, what does it do with its memory? It writes it to a file on the disk. What's in memory when I'm trying to join a domain? What kind of credentials are in memory when I'm joining that domain? In clear text, domain admin credentials are in that memory dump I just grabbed. Use another tool, pull the credentials right out of memory. Wait, I've got domain admin, and you just gave it to me because of the fact you're using SCCM or some other desktop deployment tool and you're not checking your logs, you're not restricting access to who can boot, you've got it on your public VLANs, all your major VLANs, so anybody can do it. You don't have to go through any configuration to get that machine to take a new image, so me as an attacker, I'm taking it. Because also, if I can't get domain admin, get unlucky, I don't get domain admin out of it, I've now got your standard build, which likely is going to point me in directions. It's going to have other tools installed, it may have thick clients installed, and again we go back to the old question of NetBIOS on your network, right? Like I said, it's sending traffic out.

How many of you in here are doing development work? You know, you wrote a big thick client, that's an application, but it's got to get something from the database, right? You've got to be able to update data or pull data down. How many of you over the last few years have rewritten that to make sure that it's using proper paths, you're not doing any insecure coding practices, right? How many of you in here have ever, and if you don't want to raise your hand you don't have to, but think about this: hardcoded credentials into your application to log into the database? Happens more often than not, especially, you know, you find an older application that was written 10 years ago, nobody even thought about that. I pull that application apart, start looking through strings, dumping it. Oh wait, here's the username, here's the password to log into your database. There you go.

Sloppy housekeeping. This is where
it gets me fired up every time. You're leaving logs lying around on the machines, you leave logs lying around off your network shares, you don't check your network shares and don't validate that your users are following the rules. Engagement we're on right now, just to kind of give you an idea: company thinks it's small. I wish I had this problem. By sloppy housekeeping, left a bunch of PII, credit card type data on a network share. We went back to the customer and said, hey look, Mr. Customer, here, uh, you got this. They said, oh yeah, that's just a child company of ours, not something we're really worried about, they only do four billion dollars annually, that is nothing compared to the 990 billion we do annually, we don't care. Do you think the SEC, or whoever else, regulatory commissions that could be involved in this, would care about that little $4 billion chunk? Because credit card data, because very valuable, very sensitive information is left on a network share, and just because it's a separate little child company, it's under this parent company. Do you think they're going to care whose it was and where it was? Nah. What about one of these? You know, and you think about this: what about you leave that information lying around and you work for something like the Wall Street stock exchange, or you work somewhere else, and you've accidentally left around stock information or credit ratings for a company that have not been published yet, and me as an attacker, I see that, I go, oh wait a minute, this company's about ready to explode in growth, I go buy up as many shares as I can? Or I find something else and I get you to buy it up for me, because we've done it. We found a way to get your company to buy shares and put it to my account because you've had a vulnerability in your application. Now I just bought a million shares of Acme Corp; this rating is going to go from, you know, a very poor rating to, they've got this new great innovative thing, they're going to skyrocket, the predictions are the stock prices are going to rise from pennies to dollars. Anybody know what that's called, that's worked in the financial institute? What? Insider trading. Everybody in that organization that may have touched that will be going to jail or will be getting sued, and it's going to bust your company. That's called sloppy housekeeping.

How many of you in here actually, and I want honest people, please raise your hands, review your logs on a weekly, monthly, quarterly basis, religiously look through your logs? Anybody else besides one? You don't look at your logs? How do you know if I'm there? How do you know if an attacker is on your network? Just because your antivirus, your antimalware, you know, your IDS, your NAC, your MAC filtering, all those things, just because they're not alerting doesn't mean someone isn't on your network.
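The NetBIOS fallback described earlier (DNS says the host does not exist, so the Windows client broadcasts "who's svr1?" and trusts whoever answers) can be caught from the defender's side with a canary query: ask the broadcast domain for a hostname that was never registered and treat any positive answer as a poisoner. The following is an added example, not code from the talk; it builds the NBNS query and parses the reply with the Python standard library only, and the decoy name and the sample reply bytes are constructed here for illustration.

```python
import random
import socket
import struct

NBNS_PORT = 137
RR_TYPE_NB = 0x0020          # NetBIOS general name service record
FLAG_RESPONSE = 0x8000       # header flags: this packet is a response
FLAGS_BCAST_QUERY = 0x0110   # broadcast name query, recursion desired


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 sec. 14.1): pad the name to 15 bytes,
    append the suffix byte, then emit each nibble as a letter from 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for byte in raw:
        encoded.append(0x41 + (byte >> 4))
        encoded.append(0x41 + (byte & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def build_nbns_query(name: str, txid: int) -> bytes:
    """12-byte header followed by one question for the NB record of `name`."""
    header = struct.pack(">HHHHHH", txid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack(">HH", RR_TYPE_NB, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a length-prefixed name or a 2-byte compression pointer."""
    while off < len(data):
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
    return off


def parse_nbns_response(data: bytes, expected_txid: int) -> list:
    """IPs that a positive NBNS response claims own the queried name.
    Empty list = no answer (wrong txid, not a response, error rcode, or no
    NB records), which is the only healthy outcome for a decoy name."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid or not flags & FLAG_RESPONSE or flags & 0x000F:
        return []
    off = 12
    for _ in range(qdcount):            # question section, if echoed back
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        if off + 10 > len(data):
            break
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype != RR_TYPE_NB:
            continue
        # RDATA is one or more 6-byte entries: NB_FLAGS (2) + IPv4 address (4)
        for i in range(0, len(rdata) - 5, 6):
            ips.append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return ips


def constructed_spoofed_reply(txid: int, claimed_ip: str) -> bytes:
    """Constructed sample of a positive answer for the decoy name, as a
    poisoner would send it: flags 0x8500, no questions, one NB answer."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = encode_netbios_name("DECOY-FS01") + struct.pack(">HHIH", RR_TYPE_NB, 1, 300000, 6)
    return header + rr + struct.pack(">H", 0) + socket.inet_aton(claimed_ip)


def probe_for_spoofer(decoy_name: str, broadcast: str = "255.255.255.255",
                      timeout: float = 2.0) -> list:
    """Broadcast a query for a hostname that must not exist on this network and
    return the source addresses of anything that answers it positively."""
    txid = random.randint(0, 0xFFFF)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(build_nbns_query(decoy_name, txid), (broadcast, NBNS_PORT))
        try:
            while True:
                data, (src, _port) = sock.recvfrom(1024)
                if parse_nbns_response(data, txid):
                    hits.append(src)
        except socket.timeout:
            pass
    return hits


if __name__ == "__main__":
    for src in probe_for_spoofer("DECOY-FS01"):
        print(f"ALERT: {src} answered for a hostname that does not exist")
```

Run it from a host on each user VLAN on a schedule; a legitimate network stays silent, and any hit is the address to go find on your switch ports.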
So, the thing about it is, just to kind of give you, here is a typical red team engagement. This will give you an idea. Generally this will go anywhere from a few days to a week. We physically break in, or we do the poof, magic moment happens: you don't want to have us do a physical assessment for whatever reason, you're going to let us come in, walk in, you're going to give us unrestricted, you're going to give us guest access on this network. Here you are, you have no creds, nothing, now let's see what you can do. Generally speaking, we start looking around on the network, we start capturing traffic, we fire up a tool called Responder, start NetBIOS name spoofing like I was talking about, we capture creds, we find your hosts. Oh okay, can I log into your machine? I can. What do you have? I'm going to start looking around. Who are your neighbors? Okay, great, now I'm going to jump there, I'm going to run Responder, I'm on that network, capture more creds, more machines, keep going around, keep jumping around. Oh wait a minute, I'm also now reading your email. How many of you in here have ever been emailed a password, or emailed someone a password? Thank you. How many of you have a corporate password reset functionality that you can do yourself, CA's Identity Manager, some of these other fun tools? Reset your password. Users on leave, because I found, you know, they haven't logged in in 30 days: cool, I'm resetting their password, I'm logging in. When they get back, wait, my password's not working? IT help? Oh okay, here we go. Or, here, let me go reset my own password again. In the meantime, guess what, I've read their emails, I know what they're doing, I've used their account to jump through your network. How do you distinguish me impersonating that user and that user? How do you tell the difference? So okay, now I'm jumping around. Oh wait a minute, I see which users I want to target. I've read your entire AD infrastructure as a regular user; we can do that. I see the users I target. Oh, they sit here; can I get another box, can I get something else on this part of the network, can I log into his machine even as a regular user? Okay, cool, I'm in, I'm sitting there, I capture his hash. He may not be a domain admin, but I've captured elevated privileges. I'll log into the servers, do a little happy dance, you know, now I'm on your server network. I'm capturing live creds from memory on your server, because likely you've got running processes that I've been able to exploit, not even exploit, being able to inject into as a regular user or an admin user that has those privileges on that machine. I dump the passwords from memory. Wait a minute, now I have domain admin. As a domain admin, where can I log into on a network? Anywhere I want. So again, I'm going to your database servers, I'm going to your SharePoint servers that house all your intellectual property, I'm using it to create another user to give myself application access to your front-end system so that I can log in and dump everything, because the database is too big for me to dump, too slow for me to copy everything over. How am I on time? Oh shoot, I'm right at the
end. So that being said, a couple of things in conclusion, things as an organization you need to be doing. Check your logs, watch them religiously. Know and distinguish traffic. If you see Bob from accounting logging into your servers at 2 in the morning, what the hell is Bob doing? Is it really Bob? Likely no. Likely it's me, likely I'm slurping your data down. Why is your sa account, or why is your service account, logging in and checking your databases when it's not the scheduled backup time, and why do I have interactive login rights to your servers? You need to be checking your logs, you need to be vigilant, just because you think you've set things up right. You need to be looking for the anomalous traffic. The other thing about it is you need to be the strongest link. You need to become the strongest link, because your technology can and will fail. We will find ways around your technology, but you as the admins, the users, will find those things happening and can report it up to the right people so that they can raise that flag and say, hey wait, we're done, we got to stop this. Thank you everybody. Hopefully I gave you something to think about and consider.

[Applause]
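The log review the talk closes on (Bob from accounting on a server at 2 a.m., the sa or backup service account active outside its backup window, interactive logon rights to servers) can be written down as a few explicit rules. The following is an added example, not part of the talk; it runs over a constructed, simplified export of Windows logon events (one line per event ID 4624 with host, account and logon type), and the account names, server list, business hours and backup window are assumptions you would replace with your own inventory.

```python
import re
from datetime import datetime, time

# Constructed sample: a simplified export of Windows logon events (one line per
# event ID 4624). Real exports carry many more fields; these are the ones the
# rules below use. Logon types: 2 console, 3 network, 10 RDP, 11 cached.
SAMPLE_LOG = """\
2015-03-13T09:12:41 host=WS-ACCT-07 user=bob logon_type=2
2015-03-14T02:07:19 host=SQL01 user=bob logon_type=10
2015-03-14T03:40:12 host=WS-ACCT-07 user=bob logon_type=2
2015-03-14T02:30:02 host=SQL01 user=sa logon_type=3
2015-03-14T01:00:05 host=SQL01 user=svc_backup logon_type=3
2015-03-14T14:22:48 host=SQL01 user=svc_backup logon_type=3
2015-03-14T14:25:10 host=FILE01 user=svc_backup logon_type=10
2015-03-13T10:15:33 host=SQL01 user=carol logon_type=10
2015-03-13T10:20:00 host=SQL01 user=dbadmin logon_type=10
2015-03-13T17:55:00 host=WS-ACCT-07 user=alice logon_type=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) logon_type=(?P<type>\d+)$")
INTERACTIVE_TYPES = {2, 10, 11}

# Assumed site knowledge (placeholders): replace with your own inventory.
SERVICE_ACCOUNTS = {"sa", "svc_backup"}
ADMIN_ACCOUNTS = {"dbadmin"}
SERVER_HOSTS = {"SQL01", "FILE01"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
BACKUP_WINDOW = (time(0, 0), time(3, 0))   # when service-account activity is expected


def parse_logons(text):
    """Turn the export into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "user": m["user"].lower(), "type": int(m["type"])})
    return events


def in_window(t, window):
    """True if clock time t lies in [start, end); handles windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def review_logons(events, service_accounts=SERVICE_ACCOUNTS, admin_accounts=ADMIN_ACCOUNTS,
                  server_hosts=SERVER_HOSTS, business_hours=BUSINESS_HOURS,
                  backup_window=BACKUP_WINDOW):
    """Return (event, reason) pairs that deserve a human look; one reason per event."""
    findings = []
    for ev in events:
        t = ev["ts"].time()
        interactive = ev["type"] in INTERACTIVE_TYPES
        if ev["user"] in service_accounts:
            # Service accounts should never log on interactively, and their
            # network activity should stay inside the scheduled window.
            if interactive:
                findings.append((ev, "service account logged on interactively"))
            elif not in_window(t, backup_window):
                findings.append((ev, "service account active outside backup window"))
        elif interactive and ev["host"] in server_hosts and ev["user"] not in admin_accounts:
            findings.append((ev, "non-admin user logged on interactively to a server"))
        elif interactive and not in_window(t, business_hours):
            findings.append((ev, "interactive logon outside business hours"))
    return findings


if __name__ == "__main__":
    for ev, reason in review_logons(parse_logons(SAMPLE_LOG)):
        print(f"{ev['ts']:%Y-%m-%d %H:%M} {ev['host']:<11} {ev['user']:<11} {reason}")
```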