
Thank you.

Good morning. Can everybody hear me? Yes? Good. My name is Vincent, and my talk is titled... I came in... sponsor... All right, my talk is titled "I Came In Like a Wrecking Ball." This talk is rated R. It's about hacking. I'd like to point out that some things in my talk today would be considered criminal activity should you not have permission from your target.

Who am I? I'm a penetration tester, I'm a small business owner, I'm an Air Force veteran, and when I'm not in front of a computer I'm out in the desert training for a 100-mile ultramarathon. The things that are important to know about me: I've been in tech for over 30 years, and I've been running a small technology business for the last 20 years. It started off as a break-fix IT company, and about 10 years ago cloud started eating into our revenue, so I decided to pivot to security. I took the OSCP course, fell in love with offense, and I've been doing that ever since.

So what's this talk about? I work primarily with small businesses, so think a thousand employees or less. The sweet spot is like 250, because they're big enough that they have stuff, but they're small enough that they're still very immature when it comes to security. When we think about a big business, say a Bank of America, they have security teams, they run penetration tests, they have continuous vulnerability scans, they run red teaming exercises, they have layers and layers of security, and they have big bags of money to throw at the problem. Small businesses, on the other hand, are the low-hanging fruit, and this talk is about my adventures while working with small businesses.

So it's story time. I'm probably not the only person in this room that has thought about how they would be a malicious actor: how they would acquire infrastructure, how they would remain anonymous, flying under the radar. So, big picture: I'm probably going to acquire some Wi-Fi, I'm going to use a privacy VPN, I'm going to go through the internet, I'm going to attack some infrastructure and compromise it and set up command and
control, and then I'm going to attack a target. So on my wish list, I'm going to want some fake accounts, some burner laptops, burner phones, some stolen Wi-Fi, and I'm going to use Tor and Tails and a privacy VPN. Privacy VPN providers say, "We've got your back. We don't keep logs. We're not going to turn you in to law enforcement." Is that really true? Because HideMyAss basically turned over the logs for this LulzSec hacker who was hacking out of his home on a privacy VPN. Then I saw this on Google. It says, can ISPs track your VPN traffic, can they break into encrypted traffic, and the thing that stood out to me was that if you're using Tor, Tails, or a privacy VPN from your home, your ISP cannot see into that traffic, but they can see that you're using Tor, Tails, or a privacy VPN. And on that latter point, they can get the IP addresses, they can figure out which provider, and then go back to that provider and force them to give up the logs that they say they don't keep. I'd like to remind you that hacking is a crime.

So I thought it would be really interesting to get a hardware wallet, put some crypto on it, and maybe acquire some infrastructure. Truth be told, I don't own any crypto, so this was kind of an exercise for me. So I fired this thing up, and after many, many steps I got my hardware wallet set up. Now I needed to put some crypto on it, and I found this Starbucks gift card in my car, and I looked it up and it had $25 on it, and I thought, oh, if I could convert that and get it into crypto, then I could put that on the wallet and then I could buy my infrastructure. So I found this website where you can convert gift cards to Bitcoin. This is going to work out great for me. When I dug into it and actually tried to convert it, it says we need to verify your ID, and basically it wanted me to take a copy of my driver's license and send it in to them, sort of defeating my purpose. What I was running into is something called anti-money laundering and KYC, know your customer. Basically the government doesn't want people doing bad things with crypto, so they're forcing these companies to get identification on the people that are trying to use their platforms. Now at this point I'm trying to remain anonymous, and I've got some ideas of how I can get crypto onto this wallet without giving up my driver's license, but I felt like I was crossing a line at that point, and I feel like this slide kind of emphasizes what I was thinking
and ultimately it's about OPSEC. I'm trying to fly below the radar, and I feel like I'm going to draw attention to myself, so this path was a dead end for me. So I decided to go to Mullvad. Mullvad is a privacy VPN provider out of Sweden, and what I think is really interesting about them is they take cash. You can take cash, stick it in an envelope, and mail it to Sweden, and in about a week you get VPN service.

So the next thing I'm going to do is start setting up fake accounts. Now mail.com is not an account that I would use for phishing, because they would basically get identified as spam, but I need a backup email address for some other accounts, and mail.com is really good for that. mail.com will allow you to use the sketchiest of sketchy email providers, like a disposable email service such as this one. Then I can get mail.com set up, and at that point my registration is done and it says, hey, thanks for signing up.

Next thing I'm going to do is go to LinkedIn, and I'm going to go to outlook.com. Now LinkedIn is owned by Microsoft, and in recent times they are requiring an actual phone number for setting up accounts, so you can't use VoIP, you can't use Google Voice, you have to use a real phone, and the reason why is they know that they have fake accounts, and I have a whole bunch of them, by the way. So I went and I bought myself a burner phone off of eBay. I found this unlocked iPhone, and the thing that I discovered is that it wants Wi-Fi, it wants email, and it felt like I couldn't set this up at my house because it was going to send that back to the Apple mothership, and that would tie it back to me. Ultimately what I wanted to do is put this mobile card in there, because I can get seven days of mobile phone service with a real phone number for 99 cents. Then I ran into this chicken-and-egg situation: in order to get mobile set up, I needed to have the app installed on the phone; in order to have the app installed on the phone, I needed a phone number and an email address for Apple. So I was sort of stuck, and then I started questioning, am I really a hacker? Because when you look at what I use, I'm an iPhone user, macOS is my daily driver, and sometimes I use nano instead of vi. What I ended up doing was I had a second burner phone. I found this phone in my box from when I went to DEF CON in 2013
and apparently you can't go to DEF CON with your real phone because hackers are scary. So I pulled out this old Android phone, which is probably what I should have used in the first place, I installed the app on there, and then I was able to get mobile set up.

Next thing I want to do is acquire some Wi-Fi. So I could go down to the mom-and-pop local coffee shop, or I could hack some Wi-Fi, and because I call myself a security researcher, I decided I would use my Flipper Zero. I got one of these recently, and I got the Wi-Fi dev board, and I thought, how cool would it be to be able to put this in a presentation? But it turns out the dev board only talks 2.4 GHz, so unless I'm going back into the '90s I won't be hacking any Wi-Fi. So at that point I decided to use the WiFi Pineapple. If you don't know what this is, it's a tool that automates hacking Wi-Fi, and it makes it really easy, and it works great, and I use this in the real world. Oops, sorry.

So the next thing I want to do is enable recon mode. Now I find that two minutes is actually a good time: any shorter than that, it'll grab access points but it won't grab connected devices; any longer than that, you're just looking further out and you're getting a more comprehensive look. So after two minutes I find an access point and I find a couple of connected devices, so I start a capture. Now at this point I can hit the deauth button. By the way, not a lawyer, so if you do not have permission from your target, I'm pretty sure hitting deauth is a crime. I actually have permission, so I hit the deauth button, and after that I captured the handshake and I downloaded the pcap. So we need to convert this to something that we can crack with hashcat, and if you didn't know what you were looking at, you could go to the hashcat examples site and it would tell you that mode 2500 is what we need to use to capture this handshake. So when we run mode 2500, it says 2500 is deprecated, use 22000. 22000 doesn't work, by the way, but we can use this flag, --deprecated-check-disable, and then if the client has a bad password or it's weak, which they did, we crack it, which you see masked at the top. So at this point I'm ready for my attack.

Now I want some infrastructure, and there's no shortage of infrastructure on the internet. This is a recent Nessus scan, and I found Log4j. It's been 18 months since Log4j was discovered, and
yet I'm still finding it. And if not, there's always WordPress. There are plenty of vulnerable WordPress servers on the internet, and you can hack them and take them over for your command and control. So this is how I feel: I'm in the center, I've got my tentacles out, I've got my command and control, and I'm ready to go to work.

First thing I'm going to do is start phishing. Now in my day job I phish for offense and for defense. For defense, I'm talking about security awareness, basically running quarterly campaigns, kind of that bottom-of-the-barrel, fake-DHL kind of thing. Some clients don't really take phishing seriously. This client got popped, and then they decided to run some awareness training, but they didn't really take it to a real level where it worked. This was their version of security awareness training: "Over the past few months we've been running an internal phishing audit campaign, and it has been brought to my attention that we've had some pretty close calls." They did; they got phished. And this is more of their security awareness training: "Don't click on links." This is super helpful. And this is the kind of phish that we're talking about. So here's this "financials report has been shared with you." It's kind of generic, comes from corp-internal.us, and there's this guy Stephen. Stephen clicks on all the links, by the way, and what's really interesting about Stephen is Stephen doesn't have anything to do with finance, so Stephen is just nosy, and I didn't feel the need to bring that to their attention, but Stephen should probably get fired. And then here is more of their security awareness training: "Bad email that was opened by Stephen. He has received his hundred lashes for doing so." This is a quality program they're running here.

All right, now on the offense front, I'm phishing to win, and in recent times there have been some obstacles thrown in my way, in particular Mark of the Web. If you don't know what Mark of the Web is, this is a doc that I sent through email, and down at the bottom it's stamped with "this file came from another computer and might be blocked to help protect this computer." Basically what that means for me is I can no longer use macros. So I started packing up Word docs in ISO files. This is not an original thought; I stole it from APTs. Basically, if you don't know what an ISO file is, it's a single electronic file that contains the identical content of an optical disk. So you take a DVD or a CD, stick it in your computer, rip it, and it's going to make an ISO file or an image file.
So basically I pack up this Word doc inside this ISO file, and then when I send it, the ISO file gets stamped with the Mark of the Web, but it doesn't hinder its ability to function. So when we launch this ISO, it mounts resume.doc, and when we extract it there is no Mark of the Web, which means I have macros again.

So now I want to talk about Microsoft Word. I asked myself, what is a docx file? It turns out a docx file is a collection of files that are zipped up and named .docx. I started reading into this because I wanted to know more about it, and it turns out we can add files to this collection, in particular these footer files. So I decided that I could put a URL in this INCLUDEPICTURE, and I basically have it pointing at my attacking server, where I've got some PHP hosted. We need to make this change in two locations, and here's the second, again referencing that command and control server. So this is some ghetto PHP; basically it's just pulling user agent information and outputting it to a file. If we hit this straight up, we basically see the date stamp, IP address, the user's running Windows 10, architecture 64-bit, and they're running Firefox, and when we output the file we basically see the same thing. So I can phish a bunch of users and collect this into a file, and then I can go back and say, hey, I got all these users. If I didn't care about my clients I could use webhook.site; basically it will do all the hosting for you. I just don't feel comfortable pushing my clients to some rando site, but if you wanted to play with this, here's a place where you could do that, and basically we get the same thing: we get the user agent information. You're saying, so what? It's true, you can pull that information from the logs on the Apache server. So I decided to weaponize it. What I have here is a UNC path, and if you're not familiar with UNC paths: you work in a corporate environment, you're on a Windows system, you've got a Windows server, you're mapping to drives, you're going to use a UNC path. It's going to be backslash backslash server name backslash share name. So I have this pointing at my attacking server.

So I want to take a quick sidebar. Sometimes I need to create a logo, and Adobe has this website where you can create logos for free. It takes about five minutes. So I say my awesome business is called Conspiracy Inc. and my slogan is "Birds aren't real," and then it will give me a bunch of different logos, and I find this one that I like.
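An added example (editor's code, not the speaker's) that covers both tricks described before the logo sidebar: a PowerShell triage script for a folder of quarantined attachments. It checks whether each file still carries the Mark of the Web (the NTFS Zone.Identifier alternate data stream), which is exactly what a document extracted from a mounted ISO no longer has, and it unzips each .docx to look for INCLUDEPICTURE fields, \\server\share UNC paths and external relationship targets in the document, header, footer and relationship parts. The quarantine folder path is an assumption; everything else is built-in Windows PowerShell 5.1 and .NET.

```powershell
# Added example (editor's code, not from the talk). Triage inbound attachments:
#  1. no Zone.Identifier stream  -> file lost its Mark of the Web (ISO/archive extraction)
#  2. .docx parts that reference INCLUDEPICTURE, a UNC path or an external target
# Assumes Windows PowerShell 5.1+ on NTFS; the quarantine folder path is an assumption.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW lives in the NTFS alternate data stream "Zone.Identifier" (ZoneId=3 = Internet)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return [bool]$stream
}

function Get-DocxExternalReferences {
    param([Parameter(Mandatory)][string]$Path)
    # A .docx is a zip archive; field codes live in word/*.xml (document, header*, footer*),
    # link targets in word/_rels/*.xml.rels. Word resolves these when the part renders,
    # so a UNC target means an SMB connection (and a NetNTLM handshake) to that host.
    $findings = New-Object System.Collections.Generic.List[object]
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notmatch '\.(xml|rels)$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }

            if ($text -match 'INCLUDEPICTURE') {
                $findings.Add([pscustomobject]@{ Part = $entry.FullName; Indicator = 'INCLUDEPICTURE field' })
            }
            foreach ($m in [regex]::Matches($text, '\\\\[A-Za-z0-9._-]+\\[^"<\s]*')) {
                $findings.Add([pscustomobject]@{ Part = $entry.FullName; Indicator = "UNC path $($m.Value)" })
            }
            # External relationships are normal for hyperlinks; review the target, not just the flag
            foreach ($m in [regex]::Matches($text, 'Target="([^"]*)"[^>]*TargetMode="External"')) {
                $findings.Add([pscustomobject]@{ Part = $entry.FullName; Indicator = "external target $($m.Groups[1].Value)" })
            }
        }
    } finally { $zip.Dispose() }
    return $findings.ToArray()
}

function Invoke-AttachmentTriage {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $hasMotw = Test-MarkOfTheWeb -Path $_.FullName
        $refs = @()
        if ($_.Extension -in '.docx', '.docm', '.dotx', '.dotm') {
            $refs = @(Get-DocxExternalReferences -Path $_.FullName)
        }
        $verdict = if ($refs | Where-Object { $_.Indicator -match '^(UNC|INCLUDEPICTURE)|external target (\\\\|file:)' }) {
            'BLOCK - remote/UNC reference in document'
        } elseif (-not $hasMotw) {
            'REVIEW - no Mark of the Web (extracted from ISO/IMG?)'
        } else { 'ok' }
        [pscustomobject]@{
            File       = $_.FullName
            MarkOfWeb  = $hasMotw
            References = ($refs | ForEach-Object { "$($_.Part): $($_.Indicator)" }) -join '; '
            Verdict    = $verdict
        }
    }
}

# Constructed usage; the folder is an assumption
Invoke-AttachmentTriage -Folder 'C:\Quarantine\Attachments' | Format-Table -AutoSize -Wrap
```

The two checks are deliberately separate: a missing Zone.Identifier stream is only a hint about how the file arrived, while a UNC or file: target in a header, footer or relationship part is a concrete reason to block, because Word will try to fetch it as soon as the part renders. Blocking .iso and .img at the mail gateway, and stopping Windows from auto-mounting them for end users, removes the first problem at the source.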
And so now we're going back to what we were talking about before. So, game on. The reason why I brought this up is I have this email where I'm going to start my phishing campaign, and I've got my malicious document, and I say "please quote the following," and down at the bottom I've got this nice signature block with a logo. I have found a very high success rate from putting in a signature block and a nice little image like that; it throws it through the roof. So I will do this when I'm getting serious; this is what I'm going to do. And in this client in particular I was testing Proofpoint, so my document ended up in the attachment sandbox. If you don't know what this is, the attachment sandbox will take the document, open it up, see if it explodes, and if it doesn't, it'll close it back up and ship it off to the recipient. It actually made it through Proofpoint, which is what we see in the right-hand column. So this malicious document went through an anti-phishing solution, and then it started raining hashes, more hashes, and even more hashes.

So let me ask you a question: what is more impactful, this pie chart where I have critical, high, medium, and low vulnerabilities, or the fact that your user responded to the attacker because they didn't think it was suspicious that they opened up a blank Word document? He says, "Hello, there are no company part numbers appearing anywhere in this email or attachment. Please provide readable inquiry." And I actually went back and forth with him, which was hilarious.

Now I want to talk about shortcuts. We've all seen these; they're on the desktop, a little image with a little arrow that indicates a shortcut. It's actually a file that ends in .url, and when we look inside this file there's a reference for IconFile. The icon file is that picture that we see. Now, what I want to point out: we don't have to do anything to get it to look for the icon file; it's the act of opening the destination that causes it to look for it. So I threw in a UNC path for my attacking server, and then I'm firing up a man-in-the-middle tool called Responder. I test this out, I open the location, and I get hashes. So now I pack this up into an ISO file. Now, in recent times they've caught on to this trick with the ISO files, so they've blocked this across the mail providers. This is Office 365, and it says, hey, you can't attach this. And I said, okay, how about if I zip it up? So I've got the .url file inside an ISO inside a zip file. When I open up that zip file, it actually looks inside the ISO file and I get a hash, and if it didn't, it wouldn't matter, because when I mount it I still get a hash. So now I'm ready for my live-fire exercise. I fire up Responder, and then I have my zip file with my malicious document, and I say "please quote the following," and then it starts raining hashes, and more hashes, and I love hashes.

Now I want to talk about Proofpoint specifically. Proofpoint is an anti-phishing solution. I have no relationship with them other than I use it, and I frequently test it. But I was sitting in front of my
computer the other day, and the Proofpoint quarantine digest showed up in my inbox, and I thought for a second: this thing hits my inbox every morning, and I've become so accustomed to it that I've actually stopped looking to see where it's coming from. So I decided to clone the page, started an email, and sent it out to all the clients that we manage. I phished 137 users and I got hashes, and I'm obsessed with hashes, and the reason why is because I like password cracking.

So in a Windows environment, if you enable password complexity, you need a minimum of eight characters, you need an uppercase, a lowercase, a number, and a special character, and I actually believe it's three of the four of those, and that is not complex enough. So I will pull hashes, and I have a very modest cracking machine; it's an old Precision workstation with a single GPU, and I'm still good for cracking about 20 percent. So we've got one-two-three-faith, we've got hotrock65, we've got Friedman895, and squats185. Then I use a tool called CrackMapExec, and I start spraying the environment with usernames and passwords. Now the interesting thing about this client in particular is they were actually running a SIEM, and it did not detect that anomalous activity. So I'm like, anybody home? So I get a hit: I get this user and Fremont895 as the password. I start enumerating the environment, and I find that this user has access to the accounting folder. So I dig into accounting and I find accounts payable, then I find "AP passwords," an Excel document, and I love it when people give file names like "passwords," because that's gold for me. So I dig into it and I find a bunch of usernames and passwords and accounts for UPS, FedEx, and DHL, and I know how I'm mailing my Christmas presents this year.

Now I want to talk about me and my shadow. Sometimes I need to get onto a user's desktop through Remote Desktop, and previously what I would do is wait until it was after hours and jump in, because if a user is on their system and you hop into their system, it's going to alert them, and that's going to get me busted. But I learned about something called shadow mode. We enable this in the registry, and then when we see an active session we can enable shadow mode with no consent prompt. So basically I can bounce into this user's session and they don't know that I'm there. I'm basically shadowing this user, and I watch them log into Wells Fargo, and I screenshot that, and then I watch them log into this, or open up this document that has the general ledger account breakdown
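An added example (editor's code, not the speaker's) for the shadow-mode setting just described. The "no consent prompt" behaviour is a single registry value, so the defensive check is to audit it on every host and reset anything that allows viewing or controlling a session without asking the user. The key paths and value meanings are the documented Windows ones; running it fleet-wide via Invoke-Command is an assumption about the environment.

```powershell
# Added example (editor's code, not from the talk). Audit the Remote Desktop "Shadow"
# setting that controls whether an admin can view/control a logged-on user's session
# and whether the user is prompted first. Value meaning (Windows):
#   0 = disabled, 1 = full control with consent, 2 = full control WITHOUT consent,
#   3 = view with consent, 4 = view WITHOUT consent.
# Run locally or via Invoke-Command on each host; the policy key beats the local default.

function Get-ShadowRisk {
    param($Value)
    if ($null -eq $Value) { return 'not set (Windows default 1: consent required)' }
    switch ([int]$Value) {
        0 { 'ok - shadowing disabled' }
        1 { 'ok - full control, user must consent' }
        3 { 'ok - view only, user must consent' }
        2 { 'HIGH - full control, no consent prompt' }
        4 { 'HIGH - view session, no consent prompt' }
        default { "unknown value $Value" }
    }
}

function Invoke-ShadowPolicyAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)   # with -Remediate, HIGH settings are reset to 1 (consent required)

    $keys = @(
        # Written by Group Policy: "Set rules for remote control of Remote Desktop Services user sessions"
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        # Local per-listener default, consulted when no policy is set
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name Shadow -ErrorAction SilentlyContinue).Shadow
        $risk  = Get-ShadowRisk -Value $value
        if ($Remediate -and $risk -like 'HIGH*' -and $PSCmdlet.ShouldProcess($key, 'Set Shadow = 1')) {
            Set-ItemProperty -Path $key -Name Shadow -Value 1 -Type DWord
            $risk += ' -> reset to 1'
        }
        [pscustomobject]@{
            Host   = $env:COMPUTERNAME
            Key    = $key
            Shadow = $value
            Risk   = $risk
        }
    }
}

# Constructed usage: report only; add -Remediate (and -WhatIf to preview) to fix HIGH findings
Invoke-ShadowPolicyAudit | Format-Table -AutoSize
```

A value of 2 in either key is what the story relies on. Because a local administrator can rewrite the local key at any time, the durable fix is the Group Policy setting, which lands in the Policies key and takes precedence; the audit reports both so a drift from policy on a single host shows up.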
and then basically heads were exploding.

Now I want to talk about Defender. If you are old like me, you know that Defender is a video game and it is not an antivirus solution. I'm not talking about Defender ATP; I'm just talking about plain-Jane Defender. So I started an engagement, and I asked them what endpoint protection they were running, and they said, we're running Defender, and I told them I will prove why that is a bad idea. So I drop a Meterpreter reverse shell onto this system, and it says the file contains a virus. So it did good there. But then I convert that shell to hex, and I drop that hex on the system, and Defender doesn't do anything. So now I'm using a technique called process injection, and basically what this is: I take an existing process, I take a part of that process's memory, I inject this shellcode, and I execute it in memory, and what I get back is a reverse shell. Then I start enumerating the environment and I run a ping sweep, basically proving to them why they shouldn't be using Windows Defender as their antivirus.

Another thing I need to prove is you need to stop giving your users local admin. If you give your users local admin, I'm gonna wreck you. Typically the engineers and the developers, these guys are like, hey, if we don't have local admin access, everything's going to break, we're not going to be productive. That's not true. Basically what you want to do is give your users domain user accounts, let them operate as regular users, and then when they need to have privileged access they have a local account that they can use to log in and log out, or sometimes you just get a prompt. That's how you should operate, and that's how you would stop me.

So here I am, I'm on a system where I have local admin, and I enable WDigest. If you don't know what WDigest is, it stores cleartext credentials in memory. So the next thing I'm going to do is, from Task Manager, dump LSASS. LSASS is where these hashes and cleartext credentials are stored in memory. So I go to create a dump file, but I get 0 KB, and I think that's interesting, because this worked not too long ago, but I feel like maybe they've sewed this up. So I use a tool called ProcDump, because I can basically do the same thing from the command line, but I get "error writing to dump file." Like, ah, they're actually closing up my holes here. So then I decide I'm going to use Volume Shadow Copy, and I run the create command, and it says invalid command. So they're actually closing up my holes, and
I'm learning it in this engagement. So I tried process injection, and I get a shell back, but when I check my ID I'm expecting it to be NT AUTHORITY\SYSTEM, but I'm not; I'm this user "audit," which means I can't dump hashes. At that point I'm getting a little sad, and I'm like, womp womp, and then my imposter syndrome kicks in. I'm pretty sure I'm not the only person in this room that has imposter syndrome, but I'm questioning, am I really a hacker? Am I good at what I'm doing? I mentioned this to a friend of mine, and he recommended this book called The Secret Thoughts of Successful Women. It's not about women; it's about imposter syndrome. If you're like me, it's actually a pretty good read. I went to go take a picture of the book and thought it was pretty funny that it was sitting underneath Adversarial Tradecraft in Cybersecurity. So while I'm improving on being a better me, I'm also improving on being a better hacker. And then I feel like we're keeping score, and it's Gates one and Vincent zero.

So then I decide I'm going to schedule a task, I'm going to run that task as NT AUTHORITY\SYSTEM, and I'm going to run that process injection. So when I get my shell back, now I'm SYSTEM, and I can run kiwi, and when I dump creds, down at the bottom we see that I have the cleartext credential from that logged-in user. So basically proving why you shouldn't give your users local admin, although it took a long way to get there, and in my game I get points back, and it's Vincent one and Gates zero.

Sometimes I'm asked to establish persistence. Basically, get into the environment, but if we boot you out, you need to get back in. So this is some ghetto PowerShell; basically it's a reverse shell. I test it and I get a connection back. So now I'm going to convert it to an executable, and when I drop that on the system, they're running Bitdefender GravityZone, which actually detected it. Okay, so how about if I download that shell and execute it in memory? That's what we see here, and I get a shell back. Okay, so now what I'm going to do is take that download-and-execute and convert it to an executable. So here's ps2exe; I output to the executable, I test it, and I get my shell back. So now I'm going to schedule a task that's going to run every hour, and it's going to execute that download-and-execute. So I get booted out of the environment, and an hour later I get back in the environment, so I've established persistence. And that was kind of lame, I know.
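An added example (editor's code, not the speaker's) for the hourly scheduled-task persistence just described. It walks every scheduled task on a host with the built-in ScheduledTasks module and reports those whose action looks like a download-and-execute launcher: PowerShell with encoded or web-fetching arguments, common script hosts, or a binary living under a user-writable path, together with the account it runs as and its repeat interval. The regex of indicators is the editor's assumption and will need tuning per environment.

```powershell
# Added example (editor's code, not from the talk). Hunt scheduled tasks whose action
# looks like an hourly "download and execute" launcher: PowerShell with encoded or
# web-fetching arguments, script hosts, or binaries living under user-writable paths.
# Uses the built-in ScheduledTasks module (Windows 8/2012+). Patterns are the editor's
# assumptions and will need tuning to the environment.

function Find-SuspiciousScheduledTask {
    param([switch]$IncludeMicrosoft)   # \Microsoft\* tasks are skipped by default to cut noise

    $launcher = 'powershell|pwsh|encodedcommand|-enc\b|-ec\b|\biex\b|invoke-expression|' +
                'downloadstring|downloadfile|net\.webclient|invoke-webrequest|bitsadmin|' +
                'certutil|mshta|wscript|cscript|\\users\\|\\temp\\|\\appdata\\|\\programdata\\'

    foreach ($task in Get-ScheduledTask) {
        if (-not $IncludeMicrosoft -and $task.TaskPath -like '\Microsoft\*') { continue }
        $info = Get-ScheduledTaskInfo -InputObject $task
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -notmatch $launcher) { continue }
            # ISO 8601 repeat interval, e.g. PT1H = every hour
            $repeat = ($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ }) -join ','
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                RunsAs   = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel
                Repeats  = $repeat
                Command  = $cmd
                State    = $task.State
                LastRun  = $info.LastRunTime
                Author   = $task.Author
            }
        }
    }
}

# Constructed usage: highest-risk first (SYSTEM + repeating + encoded/web launcher)
Find-SuspiciousScheduledTask |
    Sort-Object { $_.RunsAs -match 'SYSTEM' }, { $_.Repeats -ne '' } -Descending |
    Format-Table Task, RunsAs, Repeats, Command -AutoSize -Wrap
```

The point of reporting the command line rather than just the task name is that the executable in the story was caught by the endpoint product while the in-memory download-and-execute was not; the scheduled task is the part that stays on disk, so it is the artifact a defender can find. Task creation also lands in the Security log as event 4698 when object-access auditing for scheduled tasks is enabled, and PowerShell script block logging (event 4104) records what the launcher actually ran.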
So I'm going to use something called RID hijacking. RID stands for relative ID. I'm going to create a user account, "asp.net 4.0." Now asp.net is a legitimate account, and I was a system administrator for a number of years, so if I saw "aspnet 4.0" I would think that that is a legitimate account. I certainly wouldn't delete it, because I would be afraid it would break .NET. Next thing I need is the ID for this account. Users start at 1000, and my user is 1008. I want to point out that the administrator account is 500. So I need to convert this to hex, so 03F0. Now I need to launch a command prompt as NT AUTHORITY\SYSTEM, so I'm using PsExec, I check my whoami, SYSTEM, and now I can launch regedit, and the reason why is because as a regular user, and even as administrator, we cannot get to this portion of the registry, but as SYSTEM we can. So what I have highlighted here is the administrator account, and we see that we're at 01F4, and then our asp.net account is at 03F0. So I'm modifying that to match the admin account, and this is showing you, down at the bottom, 03F0, but we have the identifier of the admin. So when we go to log in, we check the Administrators group and we're not in there, but when we run administrative commands we can. So basically I have what looks to be a user, but it's actually an admin, so this is kind of a stealthy way to stay below the radar. Now I want to update: in recent times this stopped working in Windows 10. I think they figured this out and they've closed this up.

So another method for persistence is something called sticky keys. If you are old and blind like me, maybe you can't see when you log into Windows. If you hit Shift five times, you get to accessibility options, and that is tied to sethc.exe. So first thing I want to do is take ownership of this file, then I want to modify access control on this file. Because I like my clients, I'm making a backup copy of this file, and then what I want to do is copy cmd.exe to sethc.exe, but I get "access is denied." Like, that's interesting. So I elevate my command prompt to SYSTEM and I try again, and I get access denied. The point I'm making here is that I've been doing this for a long time. What I did five years ago is not what I was doing last year, and is not what I'm doing right now. I have this idea, I want to use sticky keys, and they've closed up this hole, but maybe there's another way that I can go about this, and it turns out there is, and it's actually much better. First thing that we need to do is disable antivirus, and then what we're doing is tying the debugger to sethc, and we're going to launch command prompt. So basically we get to the login prompt and we hit Shift five times. Now it's launching command prompt instead of accessibility options, and when we check whoami, we're NT AUTHORITY\SYSTEM. So I don't even need any accounts on this system; I can get to a command prompt before I log in, and I can start creating accounts.

All right, now I want to get into story
time. So I have permission to talk about my own clients in my conference talks, but apparently they don't necessarily know what that actually means, and one of my clients was in the audience and was like, okay, you can't talk about us anymore. So instead of using them, I created this fictitious company called nortech.com. I started my engagement, I went to DeHashed. If you're not familiar with DeHashed, it is a large data breach collection. I pay $150 a year for full access to this. So I put in my client's domain name and I get 154 results, and what you're going to get are usernames, passwords, hashes, personal information, whatever's been breached. So I find this user, Nico Bianchi, and I've got a hash, and I take all of the hashes that I find for nerdtech and I run hashcat across them, and I find that Nico likes "Pizza pass one." Next thing I want to do is figure out what mail provider they're using. They're using Office 365, and because they don't use 2FA and because Nico likes to reuse his passwords, I logged into Nico's mailbox. The first thing I do is phish everybody in the company, because why not. Next thing I do is start digging through Nico's mailbox, and I find an OpenVPN connection pack, and because they don't use passphrases or 2FA, I logged into their environment and I started enumerating, and heads were exploding.

Next thing I want to talk about is building a better password. Now that is a really strong password, and you should put that someplace safe. So I start my engagement, I'm enumerating my client's environment, and I find this Microsoft SQL Server. I'd already compromised a user, and so I looked at SMB shares, and I found this E2 Shop System. If you don't know what E2 is, it's like JobBOSS: ERP, MRP. So I dig into the share, start digging in further, and I find this DB scripts folder, and the thing that stands out to me is user.sql. So I open this up, and what do I find? That really strong password. And I'm like, I can't believe you have this fantastic password and you just left it in the file system for any user to find. I get most of my exercise these days from shaking my head in disbelief. So I use the Microsoft SQL Server client, I point it at that server, I log in as the user, and then the next thing I do is enable xp_cmdshell. I execute whoami, and I'm NT SERVICE\MSSQLSERVER. I run whoami /priv and I see SeImpersonatePrivilege. That sticks out to me, because if you are a hacker, you are familiar with PrintSpoofer, and you know that SeImpersonatePrivilege is what we need to use for that.
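An added example (editor's code, not the speaker's) for the SQL Server finding just described: a PowerShell audit that connects to an instance with the built-in System.Data.SqlClient classes and reports whether xp_cmdshell and OLE Automation are enabled, which Windows account the engine runs as (the account that ends up holding SeImpersonatePrivilege), and how many logins are sysadmin, with an optional guarded step that turns xp_cmdshell back off. The instance name and credentials are assumptions; the query needs VIEW SERVER STATE.

```powershell
# Added example (editor's code, not from the talk). Audit a SQL Server instance for the
# conditions in the story: xp_cmdshell enabled, OLE Automation enabled, which Windows
# account the engine runs as (the account that then holds SeImpersonatePrivilege), and
# how many logins are sysadmin. Uses System.Data.SqlClient only; needs VIEW SERVER STATE.
# The instance name and credentials are assumptions.

function Get-SqlCommandShellExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Instance,   # e.g. 'SQLHOST\E2' (assumed)
        [string]$User,                             # omit -User for Windows authentication
        [string]$Password,
        [switch]$DisableXpCmdShell                 # remediation, honours -WhatIf
    )
    $cs = if ($User) { "Server=$Instance;Database=master;User ID=$User;Password=$Password;" }
          else       { "Server=$Instance;Database=master;Integrated Security=True;" }

    $query = @"
SELECT
  CAST((SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell') AS int)               AS xp_cmdshell,
  CAST((SELECT value_in_use FROM sys.configurations WHERE name = 'Ole Automation Procedures') AS int) AS ole_automation,
  (SELECT TOP 1 service_account FROM sys.dm_server_services WHERE servicename LIKE 'SQL Server (%')   AS service_account,
  (SELECT COUNT(*) FROM sys.server_principals
     WHERE type IN ('S','U','G') AND name NOT LIKE '##%' AND IS_SRVROLEMEMBER('sysadmin', name) = 1) AS sysadmin_logins
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $query
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $result = [pscustomobject]@{
            Instance       = $Instance
            XpCmdShell     = [bool]$r['xp_cmdshell']
            OleAutomation  = [bool]$r['ole_automation']
            ServiceAccount = [string]$r['service_account']
            SysadminLogins = [int]$r['sysadmin_logins']
        }
        $r.Close()

        # Heuristics (editor's assumptions): flag OS command surface and privileged engine accounts
        $result | Add-Member -NotePropertyName Findings -NotePropertyValue @(
            if ($result.XpCmdShell)    { 'HIGH: xp_cmdshell enabled - any sysadmin login gets OS commands as the service account' }
            if ($result.OleAutomation) { 'HIGH: OLE Automation Procedures enabled - another route to OS code from T-SQL' }
            if ($result.ServiceAccount -match 'SYSTEM|Administrator') { 'HIGH: engine runs as a privileged Windows account' }
            if ($result.ServiceAccount -match '^NT Service\\') { 'INFO: virtual account - still holds SeImpersonatePrivilege by default, so keep sysadmin small and the host patched' }
            if ($result.SysadminLogins -gt 3) { "REVIEW: $($result.SysadminLogins) sysadmin logins" }
        )

        if ($DisableXpCmdShell -and $result.XpCmdShell -and $PSCmdlet.ShouldProcess($Instance, "sp_configure 'xp_cmdshell', 0")) {
            $cmd.CommandText = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"
            [void]$cmd.ExecuteNonQuery()
            $result.XpCmdShell = $false
        }
        return $result
    } finally { $conn.Dispose() }
}

# Constructed usage (instance and credential are assumptions)
Get-SqlCommandShellExposure -Instance 'SQLHOST\E2' -User 'e2app' -Password 'REDACTED' | Format-List
```

Disabling xp_cmdshell is the cheap part; the story's real lesson is that the application login found in user.sql was sysadmin, which is what made enabling it possible in the first place. An application account that only needs its own database should be a db_owner there, not a member of the sysadmin server role, and then neither xp_cmdshell nor SeImpersonatePrivilege is reachable from that credential.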
Because I don't like running random stuff from the internet in my clients' environment: I've used PrintSpoofer in labs and, you know, like Hack The Box, and it works great, but I just don't feel comfortable running that in my client's environment. So I pointed out to them in my report, hey, if I were a bad person, this would be my next step. My actual next step was I dropped the reverse shell to the system, and I was able to get it on the system, but I wasn't able to execute it. In my reports I typically will show them things that are good and things that are bad, so I said, hey look, it detected me, so that's great. Next thing I did was I launched sqsh, the SQL Server shell, connected to the database, and dumped the user code database, where I have usernames and hashes, and I pointed this one out specifically because this is the vice president of the company, and I figured that would freak him out, and there were explosions.

As a bonus prize, I wanted to show insider threat. In this environment they actually restrict their users to regular user access, so nobody in the company has admin access, and even the domain admins operate as regular users, but they have an account that they will bounce into when they want to do privileged stuff. So I couldn't install anything on this system, but HeidiSQL makes a portable version that's an executable that they could launch. So I'm logged in as a regular user in their domain, I fire up HeidiSQL, and I point it to that SQL server with that really strong password, and I start digging into the databases, and then I find the user code database, and I want to see how they designate administrators, and basically it's this user group code where we have admin. So then I send an email to my client and I said, hey, can you create a regular user account for me in E2? And he says, does it need any special permission or anything, or is it just to see if you can break into it? Like, I already broke into it. So there's my account, and my designation is sales, which is the bottom tier of the group codes. So I changed that to admin, and it turns out there was another field that I needed to modify: user group code ID 2256 is how they designate admins. Then I was able to log into E2, and I have full privilege here. E2 for this company is everything; it's their accounting system. So I was literally showing them, like, hey, here's my purchase order, and I could change the price of my project. They didn't think that was great, and they were upset.

Now I want to talk about DeHashed domain
admin so I start my engagement and again I'm always looking at D hash because you can gather information about the client in advance of the engagement so I search on the company name and the thing that stands out is it at companyname.com I tried to credential stuff this everywhere so every account place that I could find I was like trying to trying to get this in there and it didn't work but sometimes I feel like I'm building a puzzle and that felt like a special piece so I took that and stuck it over in this corner pile over here next thing I did is I used crack map exec and I'm looking for SMB signing set
to false if you don't know what SMB signing is it's a security mechanism in the S P protocol basically if someone tampers with SMB traffic it's going to know and it's going to drop the traffic so if you have signings set for true then I can't do man in the middle attacks now what's really interesting about this server that showed false is that they have a group policy that enables SMB signing but for some reason it didn't stick on This Server so this is a reason why you should audit your environments because sometimes you think something is one way and it's another but I couldn't do anything with that but it felt like another important piece to
this puzzle so I stuck it over in the pile I'm enumerating their environment and I find this HP pagewide color flow multi-scanner copier now if you know me you know that I love copiers when I get into your environment first thing I'm hunting for is copiers because people don't think
okay I won't touch anything people don't trust you know people don't uh like basically give scanners these multi-function copiers the respect that they need a lot of times outside vendors come in and install them and it won't put hands on them the reason why you should protect these things is because they have scanned a file and scanned email function they have credentials and oftentimes what I find is that instead of giving specific access to maybe user home folders or whatever they'll create a domain admin account make that the scanner account and basically that scanner can scan into the entire file system so I am hunting for these like mad so I find this and typically I can
go to Google and I can find default credentials so oftentimes you'll see that the credentials are one two three four five six or one one one one one the HP is actually a decent scanner it does not have a default credential it gets set up at the time uh when you install this however that piece of the puzzle comes into play and that it password was what got me logged into this system so here I am I'm logged in and I see that they've run scan to file so I dig into this scans and I find that it's pointing to a file server now the other interesting thing about uh these multi-function scanners is when you
modify the uh the path or modify anything in here it doesn't blank out the password make you put it back in it just saves it in there so I fire up responder and then I change this and I point it to my attacking server and I hit verify access now is expecting an inbound connection on responder but it didn't get anything and I thought that was kind of odd so I fire up netcat and what I realized is that they they actually have smb1 disabled in the environment so good for them and again something that I pointed out this is good so then I pointed to my other attacking server where I've got Metasploit set up
and I get an inbound connection from that scanner and I've got the scanner account and the ntlm V2 hash but it can't crack the hash and then I remember my puzzle because that system has signing disabled I can do a man-in-the-middle attack so basically what I'm doing is I'm relaying those credentials from that scanner through my attacking system to that file server where signing is disabled so I fire up ntlm relay X I enable smb2 support and what I get is a dump of the local sand database and I have the administrator account in hash so now I'm using PS exec and I don't even need the password I can pass that hash so I pass it to that file server and
basically down at the bottom what we see is now I have a shell on that system they were not running endpoint protection on this system because they thought that because it's a file server that antivirus would slow it down and cause people to get angry now I want to point out that this server is running 20 or it's running server 2016. and the reason why that's important is because earlier I was unable to dump lsas on Windows 10 but on server 2016 I can run prop top and dump lsas so there's some inconsistencies in the operating systems and you know as an attacker I'm going to try as long as I don't think I'm going
to get detected I'm going to try everything because it might work I have no idea and so in this situation it didn't work in Windows 10 but I tried it on server 2016. it did work so I have the dump file and because they're not running employee protection I could pull Mimi cats straight to this system and I run mimikats on that dump file and what we see down at the bottom is the administrator domain account and hash I think I know where the demand controller is I think it's on dot 143 I do an NS lookup and I confirm that it's on 143 so I run crack map exec I point it uh to the domain controller with that
administrator account hash and in the bottom right hand corner we see pound which means that I've just compromised the entire domain boom so I've given a similar talk over the last three years and at the end of the talk I want to offer Solutions right because I just talk about beating people up try to be helpful seems like I've been offering the same Solutions the last three years so talk about gamify security your users don't care if bad things happen to their workstations or their corporate Network they're they're not concerned at all so what I found to be very successful is to get them engaged by gamifying it um so just specific specific example with like phishing what we'll do is
we'll say all right um we had you know this many users click links this many users gave up their credentials let's see if we can lower that by X percent or like get the overall number down and if we can do that then everybody in the company gets a Starbucks gift card you know back before covid we used to have these rubber we give them rubber fish put them in a fishbowl and then people would collect fish and they would be oh I'm beating you because I have more fish in my fishbowl anything you can do to get them engaged get them engaged um password managers and 2fa been beating this dead horse for a long time
and yet I still go into environments where where they're not using either um and if you did that you would stop me a lot antivirus to EDR if you don't know what EDR is it's endpoint detect and respond it's fancy antivirus um detects anomalous activity not just malicious and then Sim I mentioned that earlier security information event management it is a giant log Aggregate and it will trigger alerts on anomalous activity so a lot of the things that I did anomalous activity I would have gotten detected if there was a Sim so again I've been making these recommendations for the last few years see a little bit of traction um but not a huge amount what I have
found to be very successful over the last year is actually collaborating with the internal team so nobody wants a pen tester in their environment they think you're going to unearth their skeletons you're going to make us look bad try not to make you look bad but I'm certainly going to unearth your skeletons but what I do is I tell them hey look I'm going to come into your environment I'm going to run a pen test and then after that we're going to work together as a team and we're going to test your controls and then I'm going to give you suggestions to make this a you know a more secure environment because that's our goal like my goal is to make them
more secure so I'm trying to help them and I feel like that's actually been very successful in getting a little more adoption of some of the things that I'm recommending so with that I'm going to say this is the end I'm gonna throw it out for questions and there's my contact information so any questions
No, actually I have not. And I'm just trying to think, I mean, most of the clients that we work with are really small, typically a flat network, and basically there's, you know, Jimmy the IT guy, that's the... you know, he's the de facto IT guy. That's typically what we're looking for, because we can show a lot of value in what we're doing.

Well, I'm pulling... I mean, so I was pulling NTLM hashes when I was cracking them, but I was pulling NTLMv2; that would not have stopped me.

Yes sir.

I'm sorry, I caught... heard "flat network".

I mean, I'm gonna try to pivot through those segments, and I have, I mean, I've run into places where there are some, you know, different segments, but I'm just going to try to figure out how I can get through, if I can get through. But typically, again, it's usually just one big giant network. A lot of times what I'll see is it's, you know, a /23 because they have so many IPs in the network, but they're still trying to create this one giant network.

All right, thank you very much.
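The talk's point that a group policy can silently fail to apply (SMB signing showed false on one server despite the GPO) is an argument for checking effective settings rather than intended ones. The PowerShell below is an added example, not the speaker's code: it reads the effective SMB server and client signing state and the SMB1 state from a list of hosts over WinRM and flags drift; the host names are constructed placeholders.

```powershell
# Added example (not from the talk): audit effective SMB signing and SMB1 state
# across a set of Windows hosts via WinRM. Requires admin rights on the targets.
# Host names below are constructed placeholders; replace with your own inventory.
$targets = @('FILESRV01', 'DC01', 'APP01')

# Collect the effective (running) configuration from each host, not the GPO intent.
$report = Invoke-Command -ComputerName $targets -ErrorAction Continue -ScriptBlock {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        ServerRequireSigning = $srv.RequireSecuritySignature   # False = relay target, as in the talk
        ClientRequireSigning = $cli.RequireSecuritySignature
        Smb1Enabled          = $srv.EnableSMB1Protocol         # the talk's client had this disabled
    }
}

# Print the full table for the report.
$report |
    Select-Object Host, ServerRequireSigning, ClientRequireSigning, Smb1Enabled |
    Sort-Object Host |
    Format-Table -AutoSize

# Flag hosts whose effective state does not match a "signing required, SMB1 off" policy.
$drift = $report | Where-Object { (-not $_.ServerRequireSigning) -or $_.Smb1Enabled }
if ($drift) {
    Write-Warning "Hosts drifting from policy (GPO may not have applied):"
    $drift | ForEach-Object {
        Write-Warning ("  {0}: ServerSigning={1} SMB1={2}" -f $_.Host, $_.ServerRequireSigning, $_.Smb1Enabled)
    }
}
```

Hosts that fail to respond to Invoke-Command are worth treating as findings too, since a host that is unreachable for auditing is also a host whose settings nobody is verifying.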