
...back. Cool, so I was, thankfully, given the keynote slot and absolutely no information on what to present here. Originally, what I thought was, with this being a BSides and it's quite a range of audience, I'll try and do something quite upbeat and talk about students breaking into the industry and ways of thinking about penetration testing, red teaming, all of that kind of thing, in a really upbeat talk. That didn't work out very well at all. I tried to write some notes being a bit upbeat about cyber security, but "computers are awful" seems to be a running theme throughout my career, as we'll see, and I have photographic evidence of it in just a second. But that was my intention, if I don't quite pull this off.

I also was looking online trying to find some content around how do you write a good talk and how do you do a good presentation, because keynotes are supposed to be special and I have no idea what I'm doing here. The only information I could find was that it'd be graded on style, control, damage and aggression, which I think means I was looking in the wrong area for that, but we'll see how aggressive I get throughout the presentation the more computers infuriate me as we get through.

For people who haven't seen me before and haven't spoken to me, my name is Holly Russell. I break into computers for a living. I do penetration testing, so physical security, cyber security, all of that kind of stuff, pretty strictly on the offensive side. So I'm in the wonderful team that's like, hacked the things, and I go "oh man, that's really broken, see you next time". So we'll be talking about offensive stuff and breaking things throughout the day. Please feel free to follow me on LinkedIn or Twitter or whatever is your chosen social media, especially if you have questions at the end that either we run out of time for or you don't want to ask in front of the group. Please feel free to fire questions at me over social media, that's no problem as well, because I do feel that when I finish talking Andrew's probably immediately going to take the stage and I won't have any time for questions. If your question is "can I have a fox?", the answer is yes. I am inexplicably surrounded by foxes. If you haven't seen the foxes on social media: I'm in charge of the marketing budget, that's the only explanation you need. So if you would like a fox you can have a fox, but you'd have to be very quick because there is a small number in the backpack, which has no content other than foxes in it, so I've got some with me for those who would like one.

So I started trying to do this presentation, I started trying to be upbeat and thinking who have we got in the audience. We've got some students, right, let's inspire them to get into cyber security, in the correct job, which is obviously fantastic. We've got some people who work in blue team; try and give them a shoulder to cry on. Getting some shakes already. A shoulder to cry on in terms of, I know it's not your fault, you try really hard at cyber security, it's the damn users; try and give them something to go for. And then also for the pen testers in the room, you're probably just going to nod a lot at me and go "yes, it is this, but nobody ever believes me".

So when I was coming up with this presentation I titled it something that wouldn't get me in trouble. I had to change the title because the first draft would get me in trouble, so this presentation is called "It's Not All Leet Hacks". What I basically want to talk to you about is pretty much how much of my job is, to some degree, very very simple things. Breaking into major organisations can be very very simple things, and something that I don't think we talk enough about as pen testers, and maybe even blue teamers, is actually how much of compromising organisations is just good luck. I see this the most when it comes to things like physical access testing, where I could imagine that if I tried to break into the same organisation, physically gain access to their office, on different days, I would have different degrees of success, and there's only so much as an attacker I can control that. And sometimes with penetration testing, with this idea of putting time aside to do a security assessment, it just depends on the current threat landscape, because things change. If a remote code execution vulnerability comes out for Windows systems tomorrow, I'm gonna have a really easy week at work, aren't I? But if one hasn't come out for a little while it's going to be harder, that kind of thing.

So this is something that I think maybe doesn't get enough attention: the fact that if you have a pen test and it goes through and there's very little picked up, that doesn't mean there's very little there. You should take a look at how was the test put together, and is there any aspect where the tester was unlucky for some reason, or vice versa: if I compromise you in the first 15 minutes, how likely is it that that could be done on demand by an attacker? A really simple example just to get the point across: what I mean here is, if I do a password audit of all your user passwords, they might all be very good today, and then you hire a new person, they come in tomorrow and set Password1 as their password. It's that kind of thing that I'm talking about when I say look, I don't mean I'm a gambler, I'm just saying the threat landscape changes over time, your organisation's stance changes over time anyway.

Starting to get to the part that makes me really angry. Yesterday I was in Milton Keynes, I was down in a big warehouse for a few hours at a vehicle parts manufacturer, just hanging around down there. I wasn't even doing my job, I just needed some vehicle parts, that was why I was at a vehicle parts manufacturer's warehouse. I spent a long long time in their warehouse. Basically, I pressed the button to get into reception, I said "hi, I'm Holly", they said "okay great, come on in", they put me in a meeting room, and they left me in that meeting room unattended for three hours, not actually verifying who I was and why I was there or anything. Okay, great, there was an appointment in my name, but it's not great in terms of verification. I spent three hours just furiously staring at this computer, which I've had to black out. But this is not like "oh, sometimes users do dumb things and people write passwords on Post-it notes"; this was yesterday, as I am preparing the slides for this presentation. So a degree of it is things like that, and it could be, if you as an organisation have procured a pen test, getting a cyber security expert to come in and take a look at hacking your organisation, and we are for example looking at external threats, we're trying to see if we can compromise your organisation from the internet, trying to crack Microsoft 365 passwords and things like that, we might have a hard time doing that. You might have something like brute force protection that makes that kind of thing very difficult, but then there's a password on a Post-it on a desk. So there is to some degree that.

And also, I think I originally titled the slide something along the lines of "are we getting better as an industry?", but that title definitely made me angry. So there is a degree of that as well, where it's like, maybe not; you're not going to fix the industry as a single person, but maybe as an organisation: how do you grade that your organisation is getting better? And if you're only doing something like pen testing, a lot of organisations just do pen testing and they just do it annually, how do you know? Is that giving you enough data to determine metrics to say are you actually improving? So that's the first thing in cyber security that made me angry trying to put slides together.

And I'm like, oh, another consideration as well. So before I get into talking about pen testing and all the dumb stuff I've got away with this year in the name of work, another consideration is how is your organisation grading their security? If you don't have some inherent way of knowing how you are performing right now, if you're not doing something like a cyber security maturity assessment, something like that, be that internally, grading yourself, or getting an external party to come in, how do you know in 12 months' time have you improved? I see a lot of organisations taking quite a basic approach here. So one of the things could simply be something like "oh, we run vulnerability assessments, so we have a vulnerability scanner, something like Nessus or Qualys or something like that, we run vulnerability scans and then we fix the findings". And that's fine, but that's kind of assuming that the vulnerability scan is a perfect solution. And I'm not going to go in just yet into the whole "oh, pen testers are better than vulnerability scanners", because a pen tester telling you pen testers are better than something is a bit of a bias. But one of the things I do want to point out, that I think is again under-appreciated with vulnerability scanners, is how they grade vulnerabilities.

Now, it's my experience, and it might be a little bit negative, but it's my experience with a lot of organisations, when they run things like vulnerability scanners, they start at the criticals and they work their way down the list until they run out of time, which very often is somewhere around the bottom of the highs. So of course, as a penetration tester, and I'll talk about this more in a second, I'm going to start thinking about things like can I chain medium risks together, and can I take three mediums and make a high, that kind of thing. I'll talk about that in a second. But another consideration is just: are the results that you're getting from that vulnerability scanner accurate to your organisation? Are they accurate at all? So there's a couple of considerations here. One of course is your organisation's context; we'll talk about that in a second. But just specifically, is the risk rating associated with that vulnerability correct? One of the things to consider is most vulnerability scanners, when a vulnerability is identified, grade that vulnerability in isolation: they grade it as if that is the only vulnerability you have, what would its risk rating be? And it might be the case that there's other vulnerabilities that can be used together to create a chained vulnerability that poses a higher risk.

But also there's another aspect to it that I don't think a lot of people talk about, and sometimes it might be the frustration of the person who makes the scanner: "why haven't you fixed this yet?" And I have a good example of this, and it's anything like SSL version 2, SSL version 3, and this particular one is 3DES being enabled on a machine, those kinds of things. So for those who don't spend huge amounts of time looking at vulnerability scanner outputs, well done, you've got a better job than some of us. Sometimes the risk ratings, in my opinion, are artificially inflated because "please just fix this already". So for example, SSL version 3, we'll take that as an example: a lot of vulnerability scanners now are flagging SSL version 3 being enabled as a high risk vulnerability, quite possibly just to get it up high enough so, if you are one of those organisations where you fix all the criticals and you fix all the highs and then you run out of time, money or other resources, you'd actually fix it. Because when was SSL version 2 deprecated, like 2011? When was SSL version 3 deprecated, like 2015, something like that, off the top of my head. So sometimes you get issues like this where it isn't actually necessarily a high. Now, to be specific, I'm not saying that you're fine if you've got SSL version 3 running, but I would go as far as saying something like, if I found 3DES, for example in this screenshot example, being enabled on one of your systems, it is not likely to get me a foothold into your organisation, probably not. It's definitely something that we can compromise, and there's other encryption issues like RC4 being enabled and things like that that are easier to exploit, but is it likely to actually lead to a machine being compromised? Probably not, or if it is, it's going to be a lot of work on the part of the attacker. The attacker has to be positioned, they have to be there during a login or something, so they can still control those kinds of things.

But another couple of examples that I think any pen tester will be familiar with would be something like these two. So this is a medium and an informational risk, for those that are unfamiliar. SMB signing not being required: this is a default configuration in Windows where file transfer traffic, SMB traffic, on Windows machines is not protected against modification in transit by default, and you can do some really cool things with this. You could do SMB relay attacks, which, you know, if you're having a good day, if you're having a lucky day, that could lead to code execution on a box. So if, again, I gain physical access to somebody's office, I plug into the network, I see that they have this default configuration, that could lead me to compromising a box. So sometimes those gradings are, as I say, in isolation, not taking the wider business context or the other vulnerabilities into account, and sometimes they're just kind of wrong, because they're like "hey, fix this already". So it's a consideration.

Cool, so that's enough kind of preamble around "hey, we might not be doing so great as an industry", because yes, I do keep finding 3DES on pen tests, and you should have fixed that by now, and yes, if I keep finding it... sorry.

Another thing to bear in mind when it comes to security assessments in general, but I'm again talking from the pen testing, offensive security point of view, is the perspective the assessment is performed from. There's a lot of different ways that you can put together an assessment. One of the things to bear in mind with these kind of point-in-time assessments, if you get a pen tester in to do a security assessment of your organisation, is it will be very representative of the starting point of the assessor. So for example, if the starting point is you invite me into your office and I plug into a network port and then I see what I can get to, and I do all of the standard methodology, username enumeration, user compromise, privilege escalation, that kind of thing, that will be representative of somebody walking into your office and plugging a network device in. That can be a genuine risk depending on how secure your physical office space is; guests, visitors and contractors might mess with your stuff, and that will give you an understanding of how far they would be able to go if they did that. But then if you consider something like "well, all of our staff work from home", the more likely position of an attacker getting a foothold would be something like phishing an end user and compromising an end user device, and they're coming over the VPN. Great, that could be a legitimate risk for your organisation, but that assessment of me coming in and plugging into the network is not going to be representative of that.

So the reason that I added the slide in here is, it seems that post-COVID the amount of travel that I do is significantly reduced. I used to do a huge amount of travel, something like 40% of my time, and we'd be going to customer sites and doing internal infrastructure assessments, so either plugging into a network and seeing how far I can go, or they'd give me a staff member's device and I'd do a desktop breakout and then see how far I can go. And these days the organisations are saying "oh no, all of our staff work from home", or at least at some point work remotely, "so let's do that kind of perspective". And that's fine, it's fine, but it is a very different assessment, and that report is only going to be representative of that perspective.

Just another thing I'm noticing on a lot of pen tests is companies paying a lot less attention to things like the security of their wireless networks; they're way more bothered about perimeter risks and VPN compromise, cloud services and those kinds of things. So it's just another thing; I think there's a running theme throughout the back half of this presentation where, as defence people, as blue teamers, we need to think about our own bias, and what are we paying a lot of attention to and what might be missed. A good silly example of that: one of the companies I work with, their head of IT is a former software developer, so he actually started with the company like 10, 12 years ago as a software developer, worked his way up, he's now the head of IT. So all he spends his time thinking about is like software packages, secure development life cycles and those kinds of things, and every time I go in I compromise them through something like lack of system hardening, something that's just outside of his perspective. So that's the thing to bear in mind as well. You can address it in the same kind of ways I mentioned earlier: if you're doing things like maturity assessments and taking a look at how well you are across the board for security, you can identify it in those kind of ways. But I wanted to point that out because I think it's the kind of thing that we're not always conscious of, our own bias, so something to think about.

Another really annoying thing, and this happens way too much, and this is just in here because it annoys me and I want to talk about it in public: whenever I do this kind of "what if" assessment, like "what if a VPN account is compromised", there's always some faff over how are they going to send me credentials, and it's always like "oh, we're going to encrypt them and then print them out on a dot matrix and attach it to a pigeon", and there's this whole thing, and then later down the line I find that they've just got like a ticket management system, or they're just emailing passwords to users or something. And it's like, they send it to me securely but none of their other processes are secure. Oh, I had one, it's wonderful, and thank you to the help desk worker who helped me through this process last week. A company set up a user account for me to do this over-the-VPN type assessment, and the guy rang me up, he said "I've got this password for you", and he obviously hadn't opened the email before he rang me, because I could just hear him audibly sigh when he opened the email and the password looked like this. It's like, "I'm gonna read it out over the phone". The best part of it was the guy didn't know the phonetic alphabet, so it's like "uh, sugar, Eddie, boxes". I got to speak to him an hour later and I thanked him profusely; the reason I got to speak to him was he didn't give it to me correctly.

So we get this kind of thing. We do an assessment over VPN or something, the assumption is, you know, a VPN account or an end user device has been compromised, and then we're assessing into the organisation to see how far we can go. And then I get in and I guess the domain admin password or local admin password or something and it looks like this. This is like half of my life. And one of the things to bear in mind with presentations like this is, I'm not saying that I'm fully compromising organisations through really dumb stuff, I'm just saying on pretty much every pen test I do there is something dumb, there's something silly, and I think very often those things get missed. Another interpretation could be simply that, well, that's the reason that we test, that's the reason that we perform these kind of assessments, because we want to find the dumb stuff, and that's fine. But yeah, how you handle those things is really important. So when it comes to penetration testing, certainly infrastructure testing, that kind of thing... actually I should say, whilst I called it dumb, and I might write not-nice things in your penetration testing report like "this organisation puts the fun into fundamental security flaw", we are all on the same team, remember. So when I say that's the point of pen testing, that's the reason we do it, to find these silly things so we can remediate them: we're all on the same team, we're all trying to make the organisation more secure, so don't worry, don't worry about me too much.

But yeah, it is a little bit of a thing at the moment where I'm spending a huge amount of time trying to kind of get in the head of the customer and understand where is their bias and what are the things that they might have missed, and I've had some huge successes through that recently just by looking in areas that they might have missed. And huge successes just doing dumb things like compromising just any domain user and then scanning all of the network shares and just seeing what are all the network shares that are exposed. And I think very often penetration testers are focused quite strongly on their methodology, and I think there's maybe some pen testers out there who are focused very strongly on "get domain admin as soon as possible and then I can chill out". I think definitely when I was a newer pen tester that was something that I wanted to do. It's like you don't consider you've won until you get DA, and then as soon as you get there, like, okay, I can chill out now. Probably the thing is, there's a lot of stuff that gets missed. I was working for an organisation, I talked about this in my last presentation actually. I was working for an organisation, I compromised a member of the finance team because they had Finance1 as their password, scanned all of the network shares, and then I just found a share that was exposed. It was called something, no doubt there'll be a screenshot in a second, it was called something like HR/ID Documents, and it's just like passports and driving licences, things like that. Because you might not know this if you've never been an employer, but organisations have to hold documents like that on you, for right-to-work-in-the-UK type things. So even if you don't have many customers, if you have employees you'll have that kind of data.
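The over-exposed "HR/ID Documents" share above is the kind of thing a file server owner can find before a tester does. This is an added example, not code from the talk: it lists every non-administrative SMB share on a Windows file server whose share ACL grants access to broad groups (Everyone, Authenticated Users, Domain Users), checks the NTFS ACL behind it, and flags sensitive-looking names. The principal list and the name hints are constructed and should be extended for your own estate.

```powershell
# Added example, not from the talk: audit SMB shares on a Windows file server for access
# granted to broad groups and flag sensitive-looking names. Run as a local administrator
# on the file server; the SmbShare module ships with Windows 8 / Server 2012 and later.
#Requires -Modules SmbShare

# Principals that make a share effectively reachable by any domain account.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$BroadSuffixes   = @('\Domain Users', '\Domain Computers')   # matched for any domain name

# Name fragments that suggest sensitive content (constructed heuristic list; extend it).
$SensitiveHints  = @('HR', 'ID Doc', 'Passport', 'Finance', 'Payroll', 'Backup', 'Scans')

function Test-BroadPrincipal {
    param([string]$Account)
    if ($BroadPrincipals -contains $Account) { return $true }
    foreach ($suffix in $BroadSuffixes) {
        if ($Account.EndsWith($suffix)) { return $true }
    }
    return $false
}

function Get-ExposedShares {
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special; skip them.
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        $broadShareAces = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName)
        }
        if (-not $broadShareAces) { continue }

        # Share permissions are only half the story: effective access is the intersection
        # of share and NTFS permissions, so check the folder ACL as well.
        $broadNtfsAces = @()
        try {
            $acl = Get-Acl -Path $share.Path -ErrorAction Stop
            $broadNtfsAces = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value)
            } | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" })
        } catch {
            $broadNtfsAces = @("NTFS ACL not readable: $($_.Exception.Message)")
        }

        $hints = @($SensitiveHints | Where-Object {
            "$($share.Name) $($share.Path)" -match [regex]::Escape($_)
        })

        # Broadly shared AND broadly readable on disk AND sensitive-looking is the
        # "HR/ID Documents" case; broadly shared but NTFS-restricted is lower priority.
        $priority = if ($broadNtfsAces.Count -gt 0 -and $hints.Count -gt 0) { 'High' }
                    elseif ($broadNtfsAces.Count -gt 0) { 'Medium' }
                    else { 'Low' }

        [pscustomobject]@{
            Priority      = $priority
            Share         = $share.Name
            Path          = $share.Path
            ShareAccess   = ($broadShareAces | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; '
            NtfsAccess    = $broadNtfsAces -join '; '
            SensitiveHint = $hints -join ','
        }
    }
}

$order = @{ High = 0; Medium = 1; Low = 2 }
Get-ExposedShares | Sort-Object { $order[$_.Priority] }, Share | Format-Table -AutoSize
```

Run it on each file server and review the High rows first; a share that only shows up as Low is still worth a look, because the NTFS ACL may be the only thing standing between "any domain user" and the data.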
And that, I think, that kind of thing often gets missed in pen tests, where we're trying to focus either on "just get to DA as soon as possible and then chill out", or we're trying to focus on things like the technical attacks, the cool attacks; you know, you want to do stuff like hypervisor breakouts and stuff like that, and you don't want to write a pen test report that says "I guessed the word finance and then found a load of passports". But the truth is, it's still risk. So yeah, a lot of what I've been trying to do at the moment is looking at organisations and trying to find out what is the kind of thing they might have missed, and then demonstrating that to them. And it's leading to this really wonderful thing at the moment: my last few penetration tests have led people to just go "that's not supposed to be possible". Because a lot of this stuff, and this is one of the things I wanted to include for the students, is, a lot of pen testing, although you might see people talking online about exploiting buffer overflows and evading antivirus and that kind of thing, a lot of cyber security work isn't that complicated. It's just thinking about a system in an interesting way; we're trying to find a logic flaw in a system and get somewhere.

One more thing before I give some examples of more dumb stuff that I found. I quite often complain when I do presentations, and I know that other pen testers when you talk to them complain about scope restricted pen tests as well, so I'll bring up my definition for what I consider a pen test and distinguish it from vulnerability scanning and red teaming in just a second. But one of the things that quite often happens is we go to work for an organisation, and what we want as pen testers, because we're nerds, we want to hack things, is them just saying "come on in, everything is in scope, hack anything that you want to", and then we'll go and do the fun thing, as opposed to what it actually is: the assessment we're trying to do here, what is it that they want us to emulate if we're doing a red team engagement, or what are the threats and risks that they're worried about and can we demonstrate those? But some of the organisations we do work with, we get there and they're like "yeah, we want you to just test this one web application and we're not going to supply you credentials", so then you just go, yep, for the week, it's like, "oh, this web application is a login interface".

I just wanted to point out, in part for the defenders, to say that sometimes I understand this, and also in part for the pen testers, sometimes there are good reasons for this. So as to not give you an excuse to do this and suddenly scope restrict all of your pen tests to be like "no, Holly said it was fine, nothing is in scope": there's a couple of reasons that organisations might scope restrict things, and one of them is fine and one of them is definitely not. The one that is definitely not is where the organisation knows or suspects that there will be security vulnerabilities there, and for example maybe they're mandated to perform the security assessment. So that might not be like a compliance thing or something like that, but maybe a third party is telling them. I worked with an organisation recently, they'd just been acquired, and as part of that acquisition process they were told to get a pen test, so the scope for that was just like this one filing cabinet drawer and nothing else, because they didn't want anything to be found. And that's poor culture, because that's hiding risk, and that's not appropriate. But there is a time where scope restriction might be okay, and before I bully all of these companies for doing scope restricted pen tests: there are bad things and you are trying to manage that fact. So feel for the sorry CISO who's walked into an organisation, he's just got there, he's been there like a week, he books a pen test and he's like "this is going to go horrendously", and what they're worried about is something like us coming in, being open scope, hack anything we want to, getting a 300 page report and saying "there you go", and that is an unmanageable amount of information for them to deal with. So it could be okay if your intention as an organisation is, well, we need to start somewhere, so we'll take a risk-based approach and maybe we'll start with internet facing risks first, from an unauthenticated perspective, and then you work back to things like internal and insider threat, those kinds of things. So it's fine in those cases.

But yeah, sometimes I get frustrated when we do scope restricted assessments, and a very very interesting assessment recently with an organisation where the conversation was interesting. They rang me up originally and they said "are we going to do an internal infrastructure assessment?" and I said okay, cool, you know, post-COVID a lot of these we're just running remotely now, do you want us to come to your office or do you want us to do VPN, like what is the perspective of the assessment? And they're like "no, no, you need to come to our office". Right, okay, that's fine. Some organisations genuinely, some organisations understand that when you're a pen tester and they're paying like a lot of money for a pen test, they just want to be able to point at you when the IT director comes in, they're like "that person, that's where the budget has gone". That's fine, I can do that. Or sometimes it'd just be, I worked with a logistics company recently, actually, one of their team was just really into cyber security but he was right at the beginning of his career, so they wanted me to come into their office so he had the opportunity to nerd out with the cyber security person, as opposed to just a bunch of normal IT people, you know, ones with like hobbies and things they do outside of their job. I suppose it was you lot who are going to watch me talk and then go lock picking or do the BattleBots, you nerds. So they were adamant that they wanted me on site, that's fine. We start asking through the normal questions: what's the reason for this assessment, is it mandated by a third party or is it best practice? That's a cheeky question trying to work out, is there a requirement that you are trying to meet and you're trying to come underneath it, kind of thing. So going through those normal questions, it turned out one of the things that they were very very adamant about was they wanted us to come on site because they had a system like a network access control type system, where if you plug into a network port in their office it puts you on a guest VLAN and then you have to be approved by the IT team to move over to what they call the corporate VLAN, kind of thing. And that was the focus of the assessment, that was what they wanted to demonstrate. And it seems to be something that happened, such as a member of the team had plugged in an unauthorised device, that had freaked them out, so they spent a lot of time and paid a company to come in and implement this access control system where you get stuck on this guest VLAN. That makes sense. And I also got the impression that it wasn't like a data breach, they're not hiding a breach, it's just like a member of staff plugged a laptop in on it to go on Facebook on their personal device or something, they didn't want that to be possible, so they paid a company to come in and prevent that.

So I went all the way down there. And I don't know if it's just me or if it's just because I live in the wrong place or something, but I live near Preston, and all of the companies that are like "no, you definitely have to come on site" are in like Kent. So I'm gonna spend like most of the day on the train going all the way to Kent, and I'm trying to think, like, for anyone who's come across properly implemented network access control before: if it's done well, you know how that assessment's gonna go. I'm going to plug my laptop in and I'm going to get access to absolutely nothing, I'm gonna sit there all day and be like, well, it works. And whilst that might be a good assessment for that organisation, because they had a risk and they've addressed that risk, it's a boring day for me. And actually, it turns out that I walked down to their office, I plugged my laptop in, immediately gained access to all corporate resources, and within about 15 minutes was a domain admin. And then I had like echoes of this phone call, of the guy going "you get put on the guest VLAN and then you have to be approved to go on to the corporate VLAN". VLANs are not security boundaries. I think this is one of the problems of terminology, isn't it: sometimes when we hear VLAN we assume there is like a firewall in between, kind of thing. No, just inter-VLAN routing: you plug into the guest VLAN, yeah, you're in a different subnet, but you know, you can still reach everything. So that was an interesting engagement. I don't really write "you put the fun into fundamental security flaw" in reports, by the way, that would make people upset. But this was a difficult one to write, where I'm like, this is a pretty big flaw, like this thing just doesn't work. I didn't actually do any hacking here, there just wasn't a protection. So I wrote this instead, as a lack of network segmentation between guest and corporate network, just with: "discussions with the IT team determined that network filtering should have been in place, but testing demonstrated that it was likely misconfigured". This is me politely saying like, yeah... because of course I don't know in actuality what the backstory is. It could be that they paid an MSP a lot of money to come in and do actual network access control and they just didn't. It could be that they implemented it and it worked well but it was currently disabled for some reason, maybe they're testing something or something like that which disabled it. Or it could just be that we have this kind of common use of the word VLAN, and they said "hey, put some VLANs in", and a network engineer came in and put some VLANs in, and as far as the specification's concerned he's done a good job; they asked for the wrong thing. So I don't know what it was, but this is, if anything, this is what I'm talking about when I talk about silly things happening on pen tests.
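"VLANs are not security boundaries" is easy to verify without a pen tester: plug a laptop into a guest-facing port and check that the lease you get, and what you can reach, match the policy. This is an added example, not code from the talk, written for the network team to re-run after a fix. The guest prefix, the corporate service addresses and ports are constructed placeholders (documentation ranges) to be replaced with your own.

```powershell
# Added example, not from the talk: validate guest-to-corporate segmentation from a device
# plugged into a guest-facing switch port. All addresses and ports below are constructed
# placeholders; replace them with your own guest range and corporate services.
$ExpectedGuestPrefix = '192.0.2.'   # constructed: subnet a guest device is supposed to land in

$MustBeBlocked = @(                 # constructed: corporate services a guest must never reach
    @{ Name = 'Domain controller LDAP';     Address = '198.51.100.10'; Port = 389 },
    @{ Name = 'Domain controller Kerberos'; Address = '198.51.100.10'; Port = 88  },
    @{ Name = 'File server SMB';            Address = '198.51.100.20'; Port = 445 },
    @{ Name = 'Hypervisor management';      Address = '198.51.100.30'; Port = 443 }
)
$MustBeReachable = @(               # constructed: what guests legitimately need
    @{ Name = 'Guest DNS';                  Address = '192.0.2.1';     Port = 53  }
)

function Test-TcpPort {
    # $true when a TCP handshake completes within the timeout. A short explicit timeout keeps
    # the whole run quick; Test-NetConnection waits a long time on silently filtered ports.
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # filtered / no route
        $client.EndConnect($pending)                                               # throws if refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Test-GuestSegmentation {
    $results = @()

    # Check 1: did the port even put us on the guest subnet? A corporate DHCP lease on a
    # guest port means the VLAN assignment (or NAC) failed before routing is a question.
    $addrs = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -ExpandProperty IPAddress)
    $onGuest = @($addrs | Where-Object { $_.StartsWith($ExpectedGuestPrefix) }).Count -gt 0
    $verdict = if ($onGuest) { 'PASS' } else { 'FAIL' }
    $results += [pscustomobject]@{
        Check    = "Device addressed in guest range (got: $($addrs -join ', '))"
        Expected = 'Guest subnet'
        Result   = $verdict
    }

    # Check 2: corporate services must be unreachable. Plain inter-VLAN routing with no
    # filtering makes these reachable, which is exactly the finding described in the talk.
    foreach ($svc in $MustBeBlocked) {
        $open = Test-TcpPort -Address $svc.Address -Port $svc.Port
        $verdict = if ($open) { 'FAIL' } else { 'PASS' }
        $results += [pscustomobject]@{
            Check    = "$($svc.Name) $($svc.Address):$($svc.Port)"
            Expected = 'Blocked'
            Result   = $verdict
        }
    }

    # Check 3: what guests legitimately use must still work, so a clean "blocked" result
    # is not just an unplugged cable or a dead port.
    foreach ($svc in $MustBeReachable) {
        $open = Test-TcpPort -Address $svc.Address -Port $svc.Port
        $verdict = if ($open) { 'PASS' } else { 'FAIL' }
        $results += [pscustomobject]@{
            Check    = "$($svc.Name) $($svc.Address):$($svc.Port)"
            Expected = 'Reachable'
            Result   = $verdict
        }
    }
    return $results
}

$report = Test-GuestSegmentation
$report | Format-Table -AutoSize
if ($report.Result -contains 'FAIL') {
    Write-Warning 'Guest segmentation does not match policy; review the FAIL rows before signing this off.'
}
```

A single FAIL in check 2 is the "lack of network segmentation between guest and corporate network" finding from the report quoted above, whatever the MSP or the network engineer was asked to build.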
A more common example, because I don't think many people are going to be lucky enough to go to an organisation, plug in and just be like, oh, but yeah, especially if network segmentation is in place. I do find this kind of thing quite frequently, though. What I actually find is where organisations have devices that are on the guest Wi-Fi network and physically plugged into the corporate network. So at some point in that device's life it has connected to the guest Wi-Fi, it's remembered those credentials and automatically connects when it comes into range, and then they dock their laptop on their desk and it's physically cabled into corporate. There's a whole bunch of ways that you can fix that, so if
there's any network engineers in the room, like, that should never happen. I know host isolation, that's a thing that exists, so this is a risk that worries me. Host isolation is a good thing; you should have it on your guest Wi-Fi. And also through Group Policy you can prevent devices being multi-homed, you can prevent them having more than one active network connection, so you can fix it. But that's the thing I find all the time at the moment. I mean, I'm specifically looking for it now because it's good fun, and when I talk to those organisations very often they'll say things like "the previous pen tester never found this," and that isn't because, like, oh,
I'm the best pen tester, pay for us next year, we'll come back, we'll do more cool stuff. And like I said, it goes right back to the beginning: what was the perspective of the assessment when the pen tester came in? What did you tell them the kind of assessment was? What are they optimising for? So that's an important characteristic. I mean, there's also just, like, was the Wi-Fi even in scope last year? Is the Wi-Fi brand new, is that why the last guy didn't find it? So those things as well. But yeah, I am finding that an awful lot at the moment, and whilst it's a lot more work, because I still have to
compromise and then use the device and then pivot across that end user device into the internal network, yeah, it's still a pretty dumb thing. So that is my current, this year, most interesting pen test in terms of, like, I think this assessment's going to be terrible, I get there and I'm like, oh, I'm done, this is easy. Aside from an organisation where I went to, and we've got a slide for this in a second, but I went there and I was having a really hard time, because I don't know if they're secure all the time or if they do that really annoying thing where the day before the pen test they install all
the patches and then don't do any patch management for the next year. That's another problem with pen testing: it's a time-boxed assessment. I don't know if they were doing that, but all of the patches were installed, everything was pretty good, I was having a really tough time. And then I ended up just kind of clutching at straws, launching a brute force attack, which, they have a common weakness that I'll bring up on the slides in a second, where on a significant number, if not all, of the networks that I go to I can actually perform brute force attacks on Windows-based networks with Active Directory. And what this comes from is people will configure brute force
protection on Windows accounts, on Active Directory accounts, but then not understand how brute force protection actually works. One of the things: there's an aspect called the observation window, and what that means is how many password attempts have to occur within what period of time before the account is locked out. So the most common, it's Microsoft's suggested setting, is five password attempts within 30 minutes. So that's a pretty common setting; I think that's maybe the most common, without checking all the data, that I come across. But to me as a pen tester that means I can do four password attempts every half an hour per user account, or 192 a day, which is quite a
lot, especially if you've got thousands and thousands of user accounts. So anyway, sitting in this office like, well, they've done all the patches, everything's locked down, they've got a new firewall, it's been assessed, there's not really a lot to go at here. I just started a brute force attack, kind of just like, well, if I can get somewhere it's better than here. And also it's one of those really annoying customers, how to say this if there's any in the room, where every three hours they come over and they go, "How's it going? What have you got into?" And one of the reasons that's annoying, if you're a customer of pen tests, if you're a blue
team and you do that, the reason that's nice, I'm going to see it from your point of view, is because you want to keep an eye on how things are going and if there's any risks, like if I find a critical threat, you want to know about it, you can start planning for it. I understand it. But the problem is the first part of a pen test is network mapping, user enumeration, understanding the domain; not a lot happens for the first few hours in a lot of cases, assuming you've done any system hardening, otherwise the first 20 minutes says I'm a domain admin. But for most well-configured accounts not a lot happens, because I'm enumerating, I'm
understanding and those kinds of things. So it's quite frustrating, it's like, I've been here three hours, I've done nothing, why do you keep asking me? Anyway, so this guy keeps coming over and he keeps asking, like, how's it going, I'm clutching at straws, I'm checking network shares, I'm just looking for anything to get into, and then just suddenly, like, pop, domain admin account. And the domain admin account's password was something along the lines of companyname_email. And immediately, like, going into the IT manager's office like, I'm done, I've compromised this person, and told him about it, and they were very, very confused, because their passwords is something that they did and
considered for a long time. And it turned out that the password had been configured by a service provider; he had an MSP and the MSP had made that choice, and the password was last set in something like 2015 or something, so it's just an account that's been around for a while but it got missed, that kind of thing. So yeah, again, it's a dumb thing. I'm not saying you're going to have domain admin passwords out there that are weak, but you've probably got some domain users that have got dumb stuff. It's probably not Password1, but it might be companyname_password or something silly. But how is the pen
tester going to find that? Is the methodology your pen tester is using during your engagement appropriate to find those kinds of risks? Or, if you're not doing it during pen testing, are you doing it through some other mechanisms, like password audits, those kinds of things? So yeah, a lot of that stuff gets missed, especially where you're pushing your pen testers towards doing cool stuff, looking for zero-days and all that kind of stuff. In the best experience I know, I'll close out on this because I've been talking for about half an hour now, just a few things that I see all the time. So these are common risks that I
consider a bit silly, and very often when I write the pen test report it's like, hey, here's dumb stuff that we've had. Multi-homed devices, or a lack of host isolation, where we connect to a network and we can access resources that we shouldn't be able to. This can be really bad, in that example I spoke of, that company where I plugged into the network, it's a flat network, it connects with everything. Or, more likely, it's going to be something like there are devices out there that are connected to the guest Wi-Fi and the corporate network physically with a cable and we can jump between the two; that is a segmentation break. It's going to be things like
insecure protocols; I mentioned this at the beginning, stuff like SMB signing not being enforced. Or it's going to be weak service permissions, those kinds of things, really, really easy local privilege escalation vulnerabilities on Windows devices; I find these all the time. Cached domain creds, that's a really big one, in fact, where we compromise one domain device and then there's like 10 passwords cached from people who have previously logged into it. Cracking cached credentials, Windows credentials, is really hard, but if they're cached I'm going to pull them and see what I can do with them. I mentioned that brute force thing a second ago, and this is that screenshot that I said was coming up. If you set a
threshold for account lockout it'll pop up like this, and it says "suggested value changes": because the value of the account lockout threshold is now five invalid attempts, we're going to enable this, and it's the bottom one, "reset account lockout counter after," and it sets it to 30 minutes as the suggested setting. That's the "I can do four password attempts every half an hour per user account," so 192 password attempts per day per user account. There's no reason why you have to run it for one day, right? You just keep running and running it; if I'm on site all week I'll run it all week and see what I get. And then the last thing in terms of
just dumb stuff that I find is where an organisation has put in some kind of restriction but then hasn't actually tested that their restriction is in any way effective. So that is again a hat tip to that one earlier: you plug into the network and just access everything, like, hey, nobody actually ever tested this after you implemented it. But another example would be here. I see this a lot on things like Citrix environments and restricted desktops, where you access the end user's machine, you go to open a command line or something like that, and they say, oh, you can't access the command line because it's been restricted by your administrator, and then you type PowerShell and that opens
instead. It's one of those, like, I see this all the time. So yeah, you can access PowerShell, you can access FTP; the FTP client on Windows can run local commands. Or, one: I've been working with a company for a little while now, doing repeat assessments with them, effectively playing with their SOC. When I say playing with their SOC, it's like, we try a bunch of capabilities, let's see how well they're detected, that kind of thing. So not a full-on red team but more like an atomic red team, and we were just saying, like, hey, how well is their monitoring implemented? And now I've started doing things like writing
Visual Basic scripts and using WMI and all kinds of things, because they've got monitoring in place for CMD and PowerShell and those kinds of things. So this organisation will detect if I run PowerShell, and it'll pull out in the logs the exact command that I run, but if I run everything over Windows Management Instrumentation they don't see any of it, which is amazing. In fact, when we had the call with the SOC they're like, what is Windows Management Instrumentation? If you haven't come across WMI, don't worry, nobody uses it other than pen testers as far as I can tell, but it's been around forever, it's been around since like Windows 2000, and it's for remote
instrumentation of Windows devices. You can do things like ask your Windows device which patches it has installed, useful for systems administrators, also useful for me trying to find missing patches. You can ask it things like, to access the Net API for logging into accounts remotely, executing commands remotely, all kinds of things. And then the final one I mentioned was finding network shares that are exposed and have good things in. So here is "HR employee records," which is just an open network share with driving licence, passport, all that kind of thing, a whole bunch of stuff, salary information, utility bills, all kinds of things. So in this particular case the reason this is interesting to the organisation was I
didn't have to get DA and get really high priv and then steal data; it's just like, hey, anyone in the domain can access this. So that share is as secure as your weakest password on the network, and that's it. So hopefully, in terms of style, damage and aggression as we opened this presentation, I've not been too, I'm not going too bad for that book. Yeah, a lot of the stuff, I think sometimes as pen testers we want to go in and we want to do the really, really cool stuff, because we're geeks and we want to do hypervisor breakouts and antivirus evasion, stuff like that. But spend some time talking to the
customer and looking for the simple stuff. And as a blue teamer, I mean, hopefully none of this stuff's going to be in there, but think about your own internal bias: what is the stuff that you're really interested in and then maybe hyper-focusing on, and what are the other areas of your network security that maybe you're not paying enough attention to? Or, if you struggle to assess your own bias, just start talking to other people, or do a maturity assessment or something like that, and try and look at, like, hey, what areas of the organisation have you missed? And if you're a student and you're looking at getting into cyber
security and you're trying to pick between, like, should I be a SOC worker, no, or should I be a pen tester, it gets right cool stuff and reports and be like, "I am assuming that this is not functioning correctly," and try and be really polite while saying, yeah, your network, what? And that's it, thank you very much.
I have four minutes, and if it's okay I won't take questions because some of you are desperately going to want to run to other talks, so I'll stop here. If you have questions, I'm here all day, please do come up and talk to me. If you would like a fox, there are only about 10.
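The talk's point about the observation window is that an attacker who stays under the lockout threshold (four attempts per account per half hour) never trips account lockout, so a blue team needs a detection that looks across accounts rather than per account. The following is an added example written for this page, not the speaker's tooling or any product's code: it parses a constructed, simplified set of Windows failed-logon (Event ID 4625) lines, confirms that no single account ever reaches the lockout threshold inside the 30-minute window, and then flags a source that fails against many distinct accounts within an hour. The log line format, the IP addresses and the account names are all constructed for the example; real 4625 events carry these fields as XML or structured data, so the regex is the only part you would replace.

```python
"""Low-and-slow password-spray detection over constructed 4625 events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The GUI-suggested lockout policy the talk describes: 5 invalid attempts,
# counter reset after 30 minutes.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

# Constructed, simplified one-line rendering of a 4625 event (assumption, not a real log format).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+4625\s+TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Return (timestamp, account, source_ip) or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["user"].lower(), m["ip"])


def build_sample_log():
    """Constructed sample: a sprayer at 10.0.0.50 tries 4 passwords per account
    against 25 accounts, then waits 35 minutes (longer than the reset window)
    before the next round; plus one genuine user at 10.0.0.7 who mistypes
    her password three times."""
    lines = []
    start = datetime(2024, 1, 15, 9, 0, 0)
    accounts = [f"user{i:02d}" for i in range(25)]
    for rnd in range(3):
        base = start + timedelta(minutes=35 * rnd)
        for i, acct in enumerate(accounts):
            for k in range(4):
                ts = base + timedelta(seconds=i * 10 + k)
                lines.append(f"{ts.isoformat()} 4625 TargetUserName={acct} IpAddress=10.0.0.50")
    for k in range(3):
        ts = start + timedelta(minutes=5, seconds=k * 20)
        lines.append(f"{ts.isoformat()} 4625 TargetUserName=alice IpAddress=10.0.0.7")
    return lines


def load_events(lines):
    return [e for e in map(parse_event, lines) if e is not None]


def max_failures_per_account(events, window=OBSERVATION_WINDOW):
    """For each account, the largest number of failures inside any sliding window.
    This is what the lockout policy sees; a sprayer keeps it below the threshold."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    result = {}
    for user, times in by_user.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:
                lo += 1
            best = max(best, hi - lo + 1)
        result[user] = best
    return result


def lockout_would_trigger(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    return any(n >= threshold for n in max_failures_per_account(events, window).values())


def spray_sources(events, window=timedelta(hours=1), min_accounts=10):
    """Sources that fail against at least `min_accounts` distinct accounts within
    one sliding window; returns {source_ip: max_distinct_accounts}."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        in_window = defaultdict(int)  # account -> failures currently inside the window
        best, lo = 0, 0
        for t, user in items:
            in_window[user] += 1
            while t - items[lo][0] > window:
                old = items[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    evs = load_events(build_sample_log())
    print("lockout would trigger:", lockout_would_trigger(evs))   # False
    print("spray sources:", spray_sources(evs))                  # {'10.0.0.50': 25}
```

The per-account check models the lockout counter as "failures within any 30-minute window," which is slightly stricter than Windows' actual reset-after-last-failure behaviour, so if it says lockout would not trigger, the real policy would not either. The spray detector keys on distinct target accounts per source, which is the signal the lockout policy cannot see; tune `min_accounts` and the window to your environment's normal failed-logon rate.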