
I Know What You Did Last Summer… I'm Still Hacking Your Small Business

BSides KC · 2022 · 39:38 · 60 views · Published 2022-10
About this talk
Small businesses are prime targets for attackers due to limited security resources and expertise. This talk explores real-world attack scenarios—from initial reconnaissance and credential harvesting through domain compromise—and demonstrates cost-effective defensive measures and employee engagement strategies to harden small business environments.
Original YouTube description

I Know What You Did Last Summer… I'm Still Hacking Your Small Business - Vincent Matteo

In 2021, nearly 50% of all cyberattacks targeted businesses of 1000 employees or less. Why do attackers target small businesses? Because these organizations lack the resources and the security expertise; they are the proverbial low-hanging fruit. In this talk, we'll explore the steps an attacker might use to mask their identity and hide their tracks, and we'll examine some real-world scenarios from over the past year where full compromise had been accomplished through human error, seemingly harmless configurations, and vulnerable products. We'll then explore avenues for engaging employees and management through gamification, and we'll outline several cost-effective measures to create a more hardened environment.

Vincent Matteo (Senior Penetration Tester at Seven Layers, LLC.)

Vincent Matteo is a security researcher and a senior penetration tester at Seven Layers, where he focuses on securing small to medium-sized businesses. Vincent is an Air Force veteran as well as a veteran of the technology world with over 30 years of experience, 20 years of which were spent running Seven Layers. Vincent is an author, a previous speaker at Grrcon, BSides, and Snowtalks security conferences, and a recreational bug bounty hunter with 17 CVEs. In his spare time, Vincent drinks copious amounts of coffee, he enjoys petting his two dogs, and when he's not in front of a computer, he's out running hundred-mile ultramarathons.
Transcript [en]

Good morning. My name is Vincent. The talk is titled I Know What You Did Last Summer… I'm Still Hacking Your Small Business. This talk is rated M for Mature because at some point I'm going to drop an F-bomb, and there will be some things that I'm discussing today that would be considered criminal activity should you not have permission from your target. Who am I? I'm a penetration tester, I'm a small business owner, and I'm an Air Force veteran. The things that are important to know about me are that I've been in tech for over 30 years. I've been running a tech business for the last 20 years; it started off as a break/fix IT company

or a concierge-type business, so a small number of clients, high revenue. About 10 years ago cloud started eating into that model, and what were once six-figure clients were becoming low five-figure clients; businesses can't scale that way. So I decided to pivot the business. I thought security would be a good play; it was a good decision. I took the OSCP course, fell in love with offense, and have been hacking ever since. So let's just talk about it. I work primarily with small businesses, so think 1,000 employees or less. You know, we think of big businesses like a Bank of America: they've got a security team, they've got layers and layers of security, they've got a SOC,

they run vulnerability scans, pen tests, red team exercises, they've got big bags of money to throw at the problem. Small businesses, on the other hand, are the low, low-hanging fruit, and this talk is about my adventures while working with small businesses. So we're going to target a small business like a malicious actor. Our target is 100 to 250 employees in size. Typically we find that they're not running EDR, they don't have a SOC, they're not using SOC-as-a-service, they're running traditional antivirus, and they're on flat networks, so no segmentation. So I'm probably not the only person in this room that has thought about how you would hack somebody and hide your tracks.

My wish list consists of a burner laptop. I'm going to operate out of a mom-and-pop coffee shop because they probably don't log the traffic, and I'm not worried about their cameras; you know, Starbucks probably has long retention on those cameras, and I don't want to be on that video. Then a privacy VPN, and I'll use Tor and Tails, and then I'm going to get a virtual private server, or two. Some of you may recognize this: it's the logo for Kali Linux. Can't be a hacker unless you use Kali, right? Truth be told, I actually use Ubuntu and I bring over a small set of tools, but in the context of this talk I'm actually going to use Kali Linux because if my

operating system gets fingerprinted, I'm going to look like every other script kiddie in the world. For my VPN I'm going to use Mullvad, because they take cash, and I think that's hilarious. You send cash in an envelope, and they say send us cash, but they don't say how much is too much, so I threw 20 bucks in an envelope, mailed it off to Sweden, and I really expected that to end up in the beer fund, but they're actually stand-up people, and about a week after, my VPN got lit up. Gonna get a little granular, just want to show you how to get from A to Z. So we're going to install Tor,

we're going to make a modification to proxychains, then we're going to curl our IP address before and after. What we see is that we have one IP and then we have another IP, so now we see that we're basically going through Tor. FYI, those aren't real IP addresses, because, room full of hackers, I don't trust you. We're going to install the Mullvad client, fire it up, connect, same exercise: before and after, different IP address. So this is a couple of different directions we can go to the internet and basically add some layers of obfuscation. So the question is, are we safe? Is this good OPSEC? Not from a three-letter agency, probably

not from even local law enforcement, definitely not from, like, threat hunters, but from, you know, a business that's maybe 100 to 250 employees? Yeah, I think we're pretty good, I don't know. So now we're gonna go hunting. You might be wanting to know what we are looking for, and we still don't have a VPS. Originally I thought I would get some crypto and I would go to a shady provider and I would get a VPS. Then I had this idea: so I fired up a honeypot, and I have a bunch of different ports open on this honeypot, and what stood out to me is that almost immediately I was getting hammered with SMB traffic,

so much so that after about 10-15 minutes I actually killed it, because I figured I had enough traffic. Sorted it out, had 62 unique IP addresses. So here's my thinking: these are bot-controlled servers, so probably they were vulnerable and the bots compromised them and then the bots took them over, so I feel like there's probably some vulnerabilities still there, so I can take a position in one of these as well. So I run a reverse port scan and I see a lot of public-facing services, so I'm sort of liking my odds at this point. So when I'm digging into the traffic, I do a reverse lookup and I see that I've

got some that are in the United States, but I've got a lot of them that are actually out of country, and I feel like if I stay out of the United States I probably am adding another layer of obfuscation. So when I dig in further I find that I have four Russian IPs. So, like, well, the IT Army of Ukraine and Anonymous are hacking the [ __ ] out of Russia; pretty sure I can blend into that noise and just keep adding layers of obfuscation. So hack the planet, right? I'd like to remind you that that would be considered criminal activity, so we're going to pretend. So let's say on one of those Russian IPs I find a vulnerable WordPress site.

We've got a number of WordPress plugins that I use for various things, and let's say you don't know what a plugin is: you go to a website, it's got this pretty image and it scrolls and another pretty image takes its place; that's probably a plugin. Plugins add functionality to the core product. It wouldn't be unusual for there to be a lot of plugins on, say, a WordPress site. "WordPress Backdoor" seems a little sus, so we're going to call it "WordPress CSS Updater". What we need for a plugin is a few lines of comments so that WordPress actually recognizes that this is a plugin, and then we need some PHP, and that line down at the bottom is just

remote command execution. So we need to zip it up, and then we get into WordPress, we install it, we activate it, and then there it is, it's sitting in there. Now, I've managed WordPress instances over the years and never have I gone in and scrutinized the plugins. That being said, as an attacker I see that there are two updates available, so I will patch those, and the reason being is, while I've never scrutinized them, I definitely would as an admin go over into that section and say, oh, this needs to be updated, and maybe I would come across this and be like, what is this? So I would patch this so that if an

admin comes in, they're none the wiser, and then they go about their thing and I can take my position here. At the end of the day, what we're trying to accomplish is this: we hit the plugin, we give it the command id, and we get back www-data. So we've now got remote command execution on this server, and we also have ourselves a Russian C2, command and control, server. So I want to talk about phishing. I run phishing campaigns for offense and for defense: for defense, simulation, education, that kind of thing. Originally I would take one phish, I would blast it out to everybody at the same time, and then we'd pull the metrics, and

what we found is that somebody comes in early, they get phished, and then when other people start coming in they start warning people, don't click that link, and so it kind of skews the metrics. So what we've done is we've taken our users and we break them up into groups, so we have accounting, sales, finance, etc., and then we take phish and we match those groups, right? So we'll take a fake FedEx email and we'll send it to shipping, and we'll send a fake quote, we'll send that to sales, and that sort of thing. And then what we do is we break up our campaigns and we run them across the entire quarter, and the idea there is, we're talking

small businesses, so rarely do two people get phished in the same day, and rarely do two people see the same phish. So I want to show you some phish. I'm going to talk about variables: %date%, %time%, %email%. If you see these in the phish, just know that they're going to get populated at the time that we send these out. So, upper right-hand corner we see %date%, and so this is "your shipment's on the way", and it's this $1,699 laptop. The user's like, oh [ __ ], I did not order that, I'm going to click on all these links. This was actually successful. So here's one: fake voicemail-to-email.

The interesting thing about this is the client actually has voicemail-to-email, except it has their name, the company name, and the VoIP system name. This has none of that, so people click on this all the time. Bottom of the barrel, it's this piece of crap: "Since we've received your order and it'll be processed soon, you can view your order by clicking here", it's got a link, "thank you, customer service". Doesn't have their name, doesn't have who it came from, doesn't say what they ordered; people click this. At the end of the quarter we pull the metrics and we see that we had 10 users click links and we had two that reported it. I value reporting as much as I value

not clicking links, and the reason being, if an actual phish comes into the environment, if they report it I can purge it from the system; if they don't, other people can click that. So we try to get users into the habit of not only not clicking links but getting into the habit of reporting. This client actually does not care about their phishing exercises; they are doing it for PCI. It is a box-checking exercise for them. This guy says, "hey, we're doing our annual PCI security training, hopefully they'll pay more attention this year." Went back in my email, found a very similarly worded email from last year. The one thing I would say is, if

you're above whoever's managing those phishing campaigns, you want to see those metrics. They are above the average; they're at a 20% click rate. This basically stops at this guy, this C-level in this company; they would want to know this. Can't go around it, it's who I report to. All right, so I'm going to talk about spear phishing. Who thinks they can't be phished? So I assume there's people that want to get into security, want to get a job, or want to get a higher-paying job. I'm going to stand up a website, Phoenix Recruiters: "whether you need remote or on-site staff, we understand the unique challenges of the Phoenix metro area job market." Vincent, we're

not in Phoenix? You're right. I get domains for twelve dollars. Got this template off of w3schools, modified it in about five minutes: "we understand the unique challenges of the Kansas City metro area job market." Anyway, going to send out an email: "Hi John, I'm Vincent Smith and I work as a senior placing specialist at Phoenix Recruiters of Kansas City. I saw your profile on LinkedIn; I was really impressed by your experience in computery things, because computer things are in high demand right now. Here at Phoenix Recruiters we're always looking to collaborate with talented people who'd like to work with one of our clients, blah blah blah, sincerely, Vincent Smith." Nice little signature block; generated

that logo on Adobe's website for free. Cost me nothing, and maybe five minutes' worth of my time. Nothing malicious about this. I'm going to establish a relationship with you. I'm going to tell you my client loves you, they want to pay you half a million dollars a year, because you, sir, are worth it, and it's not real and it's not my money. Eventually I'm going to get to a point where I say my client would like to take this to the next level and they need you to sign a non-disclosure agreement. That's when I'm going to send you a link or a document, and I'm going to get you to do something. If you don't want to do

it, that's fine. Anybody can be phished. All right, felt a little heavy, gonna transition. Everybody meet Jade. She's got her CV posted up on this website. When we dig in we see in her work experience she's currently working as a bilingual customer service rep at Thermo Fisher Scientific; prior to that she was an engineering systems technical sales engineer at Johnson Controls; and prior to that she was a technical sales engineer at Spirax. She's got an MBA from Pepperdine; she's got a bachelor's in mechanical engineering from Cal Poly. She's got some skills: Office 365, Salesforce, visby, and Zoom. She speaks English and Spanish fluently, a little bit of German. Jade on LinkedIn. Is she real or fake? Excuse me,

this person does not exist. That is an AI-generated photo, and then, because I lack an imagination, I got her name, address, and phone number off of the Fake Name Generator. Thank you. I was demoing this talk for time with some friends, and you guys are like, well, I would just go to LinkedIn and I would see if she had connections. The same week that I set this up, immediately she had three connections from Thermo Fisher Scientific and one from Pepperdine. She's gonna look real. So why am I doing this? Start my engagement. Website: at the bottom of their page I see "employment: technical customer service reps needed". Went to the Wayback

Machine, saw that this position had been sitting there for a long time, so I figure it's either high churn or they can't exactly fill that position. So I pulled it down and I made Jade look exactly like the requirement. At the bottom of their website they've got an info@companyname.com address. Jade's got an outlook.com account; turns out you can set up an outlook.com account without the backup email or a phone. Now, two weeks after setting up the account, they said, hey, we want a phone, and I said no, and they said, we want a backup email, so I went to a disposable email site, generated a fake email, gave it to Outlook, Outlook gave me a six

digit PIN, I gave that back, and they said, cool, you're good forever. Now I'll throw in a caveat: since then, you actually cannot do this. I've moved to mail.com, FYI. The idea stays the same, the products may change. On Jade's CV site I embedded a canary token. If you don't know what canary tokens are, they're these little web bugs, and when you click or open or do something, it triggers an incident. So I fire off an email to info@companyname.com: "To whom it may concern, I found your job posting for technical customer service rep and my qualifications are not an exact match" (it's not true, she's an exact match) "however, I'm attempting to secure

employment in the Bay Area to be closer to my family, and I would appreciate your consideration, blah blah blah, kind regards, Jade." In the signature block I've got the CV and LinkedIn. The CV has the web bug; LinkedIn is just LinkedIn. It's subtle. I don't know that they're going to click the link to the CV. Spoiler alert: they click the link to the CV. Had they not, I would have gone around and around with them like I did with the recruiting website, and eventually I would have got them to click the link or open it up as an attachment. Bottom line, what we're trying to accomplish is this: we had five hits on that CV. We see the

locations, we dig in, we get an incident list, and then when we dig in further we get an IP address and we get user agent information. When I start an engagement, it's like I'm on my heels; I'm uncomfortable, because it's like moving into a new house, and you get up in the middle of the night and you don't know your way around and you're stumbling, and that's how I feel when I start my engagement. So anything that I can get in advance of that is going to make me feel a little more at ease. I already know that Windows controls 70 percent of the operating system market, but I have a Mac; there's probably

somebody in this room that's running Linux, I don't know. In this case they're all running Windows 10. There was a mixture of Firefox, Chrome, and Edge. In this case with Firefox I might look up the version, see if there's a vulnerability. So again, just information that you can get for very little effort in advance of starting the actual penetration testing. All right, calling this multi-function madness. This is Tank. Tank is real, by the way; that's my little buddy, 75-pound pit bull, got the prey drive. I don't know what, like, scale one to ten, Tank's like [ __ ] 15. Tank is the kind of dog, when you open up

the back door, he's got to survey the perimeter. So one day I open up the back door and Tank's doing his thing. I should add that I'm from Arizona; I back up to the desert; we've got a lot of desert creatures that roam in and out of our yard. So Tank gets along the back wall, and on the back wall there's this giant lizard. Tank sees the lizard, the lizard sees Tank, the lizard starts running, Tank's in pursuit, the lizard does an about-face; this goes back and forth a few times. The lizard falls off the wall, Tank pounces on it, chomps into it, swallows it whole. Most disgusting thing I've ever seen. I know,

and I'm like, you, sir, are a bad dog, and you are not coming in the house. That was two years ago. Every day since that day, I open up the back door, Tank makes a beeline to that spot on the back wall like a lizard is going to teleport in for him. It is that kind of persistence, OCD, whatever you want to call it. I have that with your [ __ ] copiers. I love copiers, because people do not appreciate what these things are. They're like, what hacker is going to make free copies? No: they scan to file and they scan to email. So I start an engagement, I get into the copier, and they're scanning into users' home directories.

Those home directories are restricted to that specific user, so instead of giving that scanner account access to those home directories, they threw the scanner account in the domain admins group. I took over the scanner account: I'm domain admin, game over for you. So in another instance they were doing scan-to-email, and I get in and I don't see, there's no credentials, so in my head I think mail relay. And so, backstory is, they were changing their passwords every 30 days, and so every 30 days the scan-to-email function was breaking. So I got this idea that they would whitelist an IP address to allow mail relay, and instead of doing a

one-to-one mapping from the scanner through the firewall, they just whitelisted the entire network. So I see this and I'm like, pop open a terminal, send off a mail, that goes through; phish the entire company off of that mail relay, and it was bypassing their security controls. So then again, this engagement, and I find this Xerox VersaLink. It's like, Google, what's the default password? One one one. So it's right across my fingers, upper right-hand corner, we're logged in as admin. So a lot of times these are managed by outside parties, and as administrators they're not engaging with that, and so the outside company wants to leave the default credentials. So we're in this

copier, I get over to the mail section, scan-to-email, and I see that it has credentials, but I get this idea: I'm going to point this to my attacking server, and I'm going to downgrade the port to 25, because 25 is unencrypted. If I were to make scanner software, I would make it so that if you made a change to the settings, it would make you re-enter the password. I've never found that to be the case. When I start an engagement I fire up a tool called Responder. Responder is an LLMNR poisoner; it basically does man-in-the-middle stuff with Microsoft. What I'm hoping is that I catch those credentials from that scanner.

So we get in here, we've got my attacking server, we've downgraded the port to 25, we throw in a bogus email, we hit test, and there we go: clear-text credentials coming across on Responder. So when I get on your network I'm going to scan for all those copiers, because I love them, and if we're counting, we've got 19 of them. I'm going to go through every single one of them. I'm gonna look and see if you've got scan-to-file, scan-to-email, see if there's something there that I could use or abuse. Now, in the case of this scanner account, it actually was not a domain admin, but what it did give me the ability to do

was map to HR and accounting. So for demonstrating impact: HR, personally identifiable information; finance equals money. In my report: the penetration tester used tools and techniques to extract data from the network, simulating the actions of a malicious attacker. You've got ransomware gangs that get in your network, they exfiltrate your data, they encrypt it, and they say, pay us or we're going to take your data and we're going to dump it all over the internet. That's what I just did. Fine. Next one I'm going to call evil bookmark. I need to give you a little backstory. In my scoping document I ask, how is the penetration tester obtaining access to the network? Could be over a VPN. If they

don't manage the edge and they've got an IDS, I might send them a little Intel NUC, which is a computer about this big, send it to them, say, hey, drop this in the middle of your network, plug it in, turn it on. It calls back to me, I can get back in and I can do my thing. Or a jump box, so you give me access to your network and then you've got a box provided for me in your network, and that's where this story goes. So I get into my jump box and I realize my box is inserted into the domain and my account is a domain user, and I'm like, that is way more privilege than I

thought I was going to get, but I'm like, [ __ ] it, I'm gonna run with it. So I have this idea. This is a bookmark, a little picture with an arrow, right? You see these on your desktop, we see them in our browsers. We look at this at the file system level: it's a file that ends in .url, and when we open it up we've got these four lines, right? Internet shortcut, points to the resource, bottom line, icon file, that's what is rendering that image, right? TweetDeck has that little bird; got this pointing to my attacking server. If you recall, we didn't have to do anything to make that TweetDeck bird light up, right? It's

the act of opening that location. So I take this bookmark; because I'm a domain user I can map to a common company share. I drop this bookmark into that company share, I've still got Responder fired up, immediately it starts raining hashes. Moments later I get the administrator account. Administrator! I'm like, what is going on? So I'm doing a postmortem on this engagement; it turns out there was an administrator using the administrator account as their regular user account. I'm like, [ __ ], you should not be doing that. All right, calling this tell me your secrets. I start my engagement, I go to hunter.io. If you don't know what hunter.io is, it'll give you known email

addresses; sometimes it gives you, like, their job title. What I'm interested in is the naming format for the email address, because most times, if not all times, it's the same as what's going on internally with their domain users. So what we see here is that it's first name dot last initial. So I take the 200 most common first names, I do a little bash scripting, and what I'm doing is I'm appending .a through .z to the end of each of those names. So we've got aaron.a, and it goes through aaron.z; I do that with every user. I'm going to use a tool called kerbrute. As an unauthenticated user I can spray

the domain controller with my list of users, and kerbrute will come back and tell me whether that's a valid username or not. So that's a bunch of users there that we've got, and that is one half of what I want. The other half is passwords. A few years ago there was a blog post written by a pen tester; he was talking about commonalities that he found across his engagements, in particular with the help desks. So you go on vacation, you come back, you get locked out of your account, you call the help desk: hey, got locked out of my account. Help desk is wanting to be helpful, says, we've reset your password with

password complexity: Welcome1!, capital W. Another thing that they're doing is the seasons of the year, so Spring, Summer, Fall, Autumn, throughout the year, at the end of it an exclamation point, right? So we've got Welcome, Autumn, Winter, Spring. I'm lazy, I bash script everything, so I've got Welcome, Winter, Spring, Summer, Fall, Autumn, 2019 through 2022. The reason why I'm going back in the past is, a lot of times you find that people will disable an account and then open it for a manager and then forget to close it again, or sometimes they just forget to close accounts. So it wouldn't be unusual to find, say, Summer2021!.

I'm going to go through my client's website. I'm going to see if they're in an industry or if they make a product. I'm going to grab stuff from their address; in this case I'm going to grab Fremont, the city. I'm gonna make my list: Welcome, Fremont, Autumn, Winter, Spring. It says lockout-proof; I find that nine is a good threshold. I have run into five; typically lockout's like 15 to 30 minutes, so even if I hit that lockout I just come back in and do the rest of my list. So I'm going to use a tool called CrackMapExec. We're going to spray the domain controller with my list of users and Welcome1. We notice status logon

failure. Come back in with Fremont1 and we get a hit: jody.o. We're going to use a tool called Hydra. Hydra's a brute-forcing tool. Typically you have a username but you don't know the password; they brute force. I actually know the username and password, so what I've got here is a little for loop in the front; I'm spraying hosts 1 through 100 with Jody and Fremont1 and looking for a remote desktop. After COVID a lot of users have been given remote desktop access to their desktops because they're doing work from home. So we see here that connection failed to establish, so we're not getting a hit. We come over here, .62, we get a hit.

So we've got a valid account on a system with RDP open. So the question is, now what? Cobalt Strike? Hack the planet, right? You could, or we could use ConnectWise Control. So if you're not familiar with ConnectWise Control, it's a help desk product. Basically you call the help desk and you're like, hey, log into my computer, my icons are all upside down, I don't know what's going on. Help desk is like, wow, that's really weird, can I, like, jump on your computer and share your screen with you? They're going to use a tool like ConnectWise Control to do that. Turns out you can set up a ConnectWise Control account without a credit card and just any old

user, so I use Jade. I would point out that if you bounce into somebody's desktop while they're logged in, you're going to kick them out, and that's going to draw attention. So what I'll typically do is I'll figure out what their hours of operation are; I might call into the desk, see if somebody picks up. In this case I came in in the wee hours of the morning, got on the desktop, installed ConnectWise Control, see Jody PC show up in my console. Bottom left-hand corner: trial expires in 14 days, which is super convenient for me because that's about the length of my engagements. At the end of the day, what we're trying to accomplish is this: we execute the

command whoami and we get back NT AUTHORITY\SYSTEM. So I don't need Metasploit or Cobalt Strike, where I would have to go through evasion techniques. I can just take a legitimate application and I can install it on this desktop and I can accomplish the same thing. I'd like to point out that this dumpster fire was brought to you by local admin. If you give your users local admin to their systems, I'm going to wreck your ship. So it's enumeration time. There's some offensive PowerShell called PowerSploit. I've never used this in the real world; gets detected. But because I'm local admin, I'm gonna harp on that, I can install the Remote Server Administration

Tools, legitimate from Microsoft. So I get RSAT installed and I start enumerating the environment. First thing I'm looking for is password never expires. Now, the reason why I'm doing that is I've actually been in the middle of an engagement, I've compromised an account, and the password changes in the middle of the engagement; I get locked out. So I might go for accounts that never expire, and in this case we've got a couple of them. They look to be service accounts, svcsql, svc3cx. Oftentimes what we find is that people will automatically take service accounts and just dump them into the domain admins group. Simple query: you see that svcsql and svc3cx are in the domain

admins group. Another thing I'll do is I'll hunt for descriptions, because sometimes you find things like this, where the password is in the description field. So we've got a service account that's in the domain admins group, and the password never expires, and we have the password. Game over. So this is really small, I know you can't read it; just kind of pointing out that this is all native PowerShell that I've written to live off the land. I could give an entire talk on PowerShell and Active Directory. You can totally live off the land and avoid tools like PowerSploit. All right, I want to rewind for a second. So we're on this Jody system, and I query

the users and I see Jody, but I also see this disconnected administrator account. So there's a tool called Mimikatz, and Mimikatz has been neutered in recent times, and we would typically want to dump LSASS. LSASS contains password hashes and clear-text credentials, but because we're a local admin, we don't need Mimikatz to dump LSASS; we can actually right-click on it and create a dump file. It dumps in this temp directory, and then Defender pops up and says, whoa, that was suspicious behavior, and I'm like, oh [ __ ], it's gonna delete my file. So I go into the directory and I immediately zip a copy in place and I

drag a copy to the desktop. Moments after that, Defender actually deletes that file, but leaves the zip copy and leaves the copy on the desktop. So it's the act of dumping LSASS and not the existence of the file. So Defender's almost there; they're not playing. And because I'm local admin, I disable Defender. Thank you. Now I can take Mimikatz and I can point it to that dump file, and the first thing that we notice is an administrator account and an NTLM hash. Hold that thought. We get clear-text credentials, and then I noticed this, what appears to be an Office 365 generated password, so I think I'm gonna log into Outlook Web Access.

so I go to Oma give the username a password it accepts it but then it throws up it gives me this v64 and I'm like I don't know what that is so I base64 to code it and it says the mailbox being accessed doesn't have a valid account State protocol disabled like sometimes I have to think about like what's going on and I think they didn't want to roll out two-factor authentication so what they did was they disabled Outlook web access but you don't give users a mailbox unless you want them to access mail [Music] oh by the way just say no to security biops here so I'm on Jody's system I start a new

profile, throw in the company name, throw in the password. When I see this, I know I'm good: "You're all set." So I get into the mailbox, and I don't have permission to access this user's mail. What I do notice at the bottom is something that I want to highlight: it's from [inaudible], DoD Cyber Secure [inaudible] Supplier. I think this is DFARS. The government's tired of getting supply-chain hacked, went to their vendors and said, hey, we got this list of compliance things that you need to do, and your vendors need to do that as well, so the vendors of vendors need to do this. Now the thing that's really interesting is, having finished this

pen test, I know that they're not DFARS compliant. And then the other thing is, look at the date: 2016. Six years, they have a minimum life. All right, so I want to rewind back to the administrator account. I'm going in for the kill shot. Using CrackMapExec, I take that administrator account and the password hash and I point it at the domain controller, and in the bottom right-hand corner we see "Pwn3d." So at this point I take the Jody account and I throw it into the Domain Admins group, and at the bottom we see "the command completed successfully." Sanity check: where are the domain users? And we see that Jody is in the Domain Admins group. Fatality.
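The three things the speaker enumerated earlier (accounts whose password never expires, passwords leaked in the description field, and service accounts sitting in Domain Admins) are exactly what a small business should audit for itself before an attacker does. The script below is an added example written for this page, not the speaker's own code or the Seven Layers tooling; it assumes the RSAT ActiveDirectory module (which the talk mentions) is installed and that the account running it can read the domain. The regular expression used to spot secrets in descriptions and the severity ranking are assumptions of the example.

```powershell
# Added example (not from the talk): AD hygiene audit for the findings the
# speaker describes. Assumes the RSAT ActiveDirectory module and read access
# to the domain. Adjust -SearchBase on Get-ADUser to scope to one OU if needed.
Import-Module ActiveDirectory

# Resolve nested membership of Domain Admins once, down to user objects.
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

# Pull only enabled accounts with the attributes the audit needs.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordNeverExpires, Description, PasswordLastSet

# Assumed pattern: descriptions that look like they carry a secret.
$secretPattern = '(?i)pass(word|wd)?|pwd|pw\s*[:=]'

$findings = foreach ($u in $users) {
    $isDa    = $daMembers -contains $u.SamAccountName
    $descHit = [bool]($u.Description -match $secretPattern)
    $ageDays = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet).Days
    } else { $null }

    if ($u.PasswordNeverExpires -or $isDa -or $descHit) {
        # Assumed ranking: all three conditions together is the "game over"
        # case from the talk; a never-expiring DA is the next worst.
        $severity = if ($u.PasswordNeverExpires -and $isDa -and $descHit) { 'critical' }
                    elseif ($u.PasswordNeverExpires -and $isDa) { 'high' }
                    else { 'medium' }
        [pscustomobject]@{
            Account              = $u.SamAccountName
            PasswordNeverExpires = [bool]$u.PasswordNeverExpires
            DomainAdmin          = $isDa
            DescriptionLeak      = $descHit
            PasswordAgeDays      = $ageDays
            Severity             = $severity
        }
    }
}

$findings | Sort-Object Severity, Account | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\ad-hygiene-findings.csv
```

Each row in the CSV maps to a concrete fix: clear the description, remove the service account from Domain Admins (or replace it with a group Managed Service Account so the password rotates without anyone typing it anywhere), and turn off "password never expires" once the rotation is automated. Re-running the audit on a schedule and diffing the CSV is a cheap way to catch the next account someone "just dumps into Domain Admins."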

So we've actually taken data, we've taken over the mail, we've got a mailbox, domain admin. We win. So at this point I want to offer some solutions. Okay, maybe the first thing we need to do is we need to gamify phishing. Users do not give a [ __ ] about their work computers. They're like, why do I care if it gets ransomware? Not my stuff. So what we've done was, pre-COVID, we were giving out these little glass fishbowls. You successfully complete a campaign, we were giving out rubber fish. People were actually trying to compete to have more fish in their fishbowl. Post-COVID, five-dollar Starbucks gift cards. So you figure a hundred-

employee company, we run our campaigns across an entire quarter, so 500 a quarter. It's like coffee and pretzels, fruit, tea; people like getting free coffee. Password managers and 2FA: I've been beating that dead horse for a long time. Had you had password managers, unique passwords, you weren't doing password reuse, and you had MFA, you would have stopped me a lot. Antivirus to EDR: EDR stands for endpoint detection and response. It's fancy antivirus. It used to be enterprise expensive; now it's small-business inexpensive, so we've moved all of our clients over to EDR at this point. And then SIEM, security information and event management, to log aggregate for all the devices. Again, something that is now cost

effective for small businesses. In the case of the things that I was doing, where I was spraying the environment from one location or spraying a lot of users, things like that would have generated an alert, somebody would have gotten that alert, and then I would have been detected. So these are things that we're recommending. Not here to pick products; if you want to know about some products, grab me offline, I'll talk to you. With that, say thank you and then throw it out for questions. If you want my contact info, grab that, because I'm going to switch over to the sponsor slide here in a second. Any questions? Oh sorry, did you get that? I got it, right.

Anybody [inaudible]? Oh sorry, yes sir. How much of anything would have changed? Mimikatz might have gotten detected, and I mean, you know, honestly, I typically wouldn't run Mimikatz on the system, but I'm doing it for an impact, because you can take that dump file and you can exfiltrate it to your system and just run it off there.

What, the dump file? Yeah. Sorry, the question was: is the dump file plaintext? It is. No, thank you. [Applause]
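The SIEM point near the end of the talk is that spraying many accounts from one location is noisy and should have raised an alert. The block below is an added example, not part of the talk or any product, showing the detection logic for that pattern over Windows Security event 4625 (failed logon): one source address, many distinct target accounts, inside a short window. The sample events are constructed for the example; the window length and the ten-user threshold are assumptions to tune per environment, and the 4625 property indexes used in ConvertFrom-4625 are the standard layout of that event.

```powershell
# Added example (not from the talk): flag password-spray-like bursts of failed
# logons (Security event 4625) from one source against many accounts.
# $sampleEvents below are constructed; for real data pipe Get-WinEvent output
# through ConvertFrom-4625 and pass the result to Find-PasswordSpray.

function ConvertFrom-4625 {
    # Map a real 4625 event to the minimal shape the detector needs.
    # Properties[5] is TargetUserName and Properties[19] is IpAddress in 4625.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        [pscustomobject]@{
            TimeCreated    = $Event.TimeCreated
            TargetUserName = $Event.Properties[5].Value
            IpAddress      = $Event.Properties[19].Value
        }
    }
}

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes    = 30,  # assumed look-back window per source
        [int] $MinDistinctUsers = 10   # assumed: one source, many accounts = spray
    )
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until the span fits $WindowMinutes.
            while (($sorted[$end].TimeCreated - $sorted[$start].TimeCreated).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            $window   = @($sorted[$start..$end])
            $distinct = @($window.TargetUserName | Sort-Object -Unique).Count
            if ($distinct -ge $MinDistinctUsers) {
                [pscustomobject]@{
                    SourceIp      = $group.Name
                    WindowStart   = $sorted[$start].TimeCreated
                    WindowEnd     = $sorted[$end].TimeCreated
                    DistinctUsers = $distinct
                    Attempts      = $window.Count
                }
                break   # one alert per source; let the SIEM handle de-duplication
            }
        }
    }
}

# Constructed sample: 203.0.113.45 tries 12 different users once each within
# four minutes (spray); 192.0.2.10 fails four times on one account (forgotten
# password). Addresses are documentation ranges, not real hosts.
$base = Get-Date '2022-08-01T09:00:00'
$sampleEvents = @()
1..12 | ForEach-Object {
    $sampleEvents += [pscustomobject]@{
        TimeCreated = $base.AddSeconds(20 * $_); TargetUserName = "user$_"; IpAddress = '203.0.113.45'
    }
}
1..4 | ForEach-Object {
    $sampleEvents += [pscustomobject]@{
        TimeCreated = $base.AddMinutes($_); TargetUserName = 'jody'; IpAddress = '192.0.2.10'
    }
}

Find-PasswordSpray -Events $sampleEvents | Format-Table -AutoSize
```

Run as written, the sample yields a single alert row for 203.0.113.45 with twelve distinct users and twelve attempts, and nothing for 192.0.2.10, which is the difference between a spray and a user who forgot a password. The same grouping works on 4771 (Kerberos pre-authentication failure) events or on mail-server authentication logs for the OWA case in the talk; the field that matters is always "distinct accounts per source per window," not the raw failure count.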