
All right, how about a little quick trivia for coins. In the movie Sneakers, what is the name of the character that Dan Aykroyd plays? Nope. Who's that? All right, coins, okay. All right, in the movie Back to the Future, what was the name of the school principal, who was there during both Marty's and his parents' school days? Anyone? The principal's name, Back to the Future, come on, this was easy. Okay, who said Strickland first? Somebody... you? Oh, you guys don't count. All right, well, you're gonna have to come find John for a coin then. [Applause]

All right, I'm gonna introduce our next speakers. Our next talk is called Movement After Initial Compromise. We have two speakers. Matt is a red team security engineer conducting red team operations and penetration tests for SixGen. He has seven years of experience in the information security field and operated on an NSA-certified DoD red team. He's also a US Marine Corps veteran who specialized in signals intelligence. To our veterans. And also Colin Hartley: Colin is a persistent cyber operator for an NSA-certified DoD red team. Enough said. Thanks, guys.

All right. Like Mikey said, our talk's on movement after initial compromise. Hartley and I met... well, he's still active duty, I can't say where he's currently working right now, and I was a contractor there, and we hit it off. I learned a lot from him and I hope he's learned something from me, and we've worked together for a while now. I left to work at SixGen. I'm saying that to you because we're both newbies; it's our first time presenting. We've gone to a few conferences and a lot of people spoke about a lot of the things we're talking about, but they didn't have video examples and they didn't go into some of the detail that I wanted. We only have 45 minutes, so we can't deep dive into all of them, but I hope that people learn a lot and take a lot from the information.

All right, so my name is Matt Batten. I go by "sleep zero", which has two meanings: in Cobalt Strike it means interactive mode (we might use Cobalt Strike, which is a C2, command and control), and it also means I don't sleep a lot. I also have a GitHub. I've created some Python scripts for logging of Cobalt Strike as well; it'll take it all and output it to CSV, so you can import it into whatever you want. It's super useful, and you can edit it to do whatever you want, utilize it however you want. I currently work at SixGen. It's the best company I've ever had; my team is amazing, all brilliant minds, and they really look out for me. I'm just super happy; being able to work from home too is really nice, it's a big plus. I'm a husband; I was recently married in May. Red teamer, pentester, developer, and, as he said, Marine Corps vet, and also cat dad. There's my wife hugging R2-D2; I thought it was funny. We got married, and I don't know if she knows that picture is in there. It made me really happy and pissed her off. She's up there, so it's funny. And then there's my cat, who always looks pissed off. I drink coffee. I love dogs too, but yeah, it's true.

All right, my name is Colin Hartley. As you can tell by the spelling of Colin, I normally just go by Hartley, because of the military and because it's hard to understand. I'm a certified red teamer and active duty military. I promise I'm not spying on you or in your computers, I promise. I'm not married, but I'm an older brother; I take pride in my little sisters. Penetration tester. He's the cat man, I'm the dog man.

All right, so what we're gonna cover is initial recon of the compromised system, so once you get that initial callback, what we're gonna do immediately after. We're gonna talk about lateral movement, how to move to other systems once you're on that network. Port forwarding: how to send data through a system that you've already compromised to make it look like it comes from the compromised system to the target, so they don't see your attack machine, your attack platform; you want to hide yourself. And tradecraft, how I move. A lot of the stuff we're showing, the tradecraft isn't, you know, top notch; there's more involved, like utilizing Invoke-CradleCrafter or Invoke-Obfuscation to obfuscate your PowerShell one-liner, stuff like that, not just running UPX against it or whatever. But this will give you a good baseline if you're a red teamer, or if you're a blue teamer, to understand what red teamers are doing. I think this will help out a lot, and what tools are being used today.

All right, so setting the stage: we're saying that you already compromised the system. Most likely it was a phishing email or physical access, right, which everyone brags and talks about normally, so they utilize a Rubber Ducky or a Bash Bunny. A Rubber Ducky is seen as a keyboard; you plug it into USB and most likely it will execute a PowerShell one-liner, or whatever you set it as, that will call out to your C2, which is command and control, that you would then connect to from your attack platform, and then you can do whatever you want through the shell that you now have access to. An example I've heard a lot, and I've seen, is they speak to a secretary. Say the secretary's name is Bob. "Bob, I need access to the servers." "You're not on the list." "How about getting me on the list?" "Sarah, the IT director, has to put you on the list." "What's Sarah's last name?" "Smith." "Sarah Smith. Can I get your business card, Bob?" "Sure." You take the business card, you step out, you take a picture, send it to an operator in a hotel room, you go back in, and by that time he's already sent an email to him as Sarah stating that you get access to the servers, because he already has a system that he compromised inside, and their mail server, and it's really easy to send a spoofed email. So then she gives me access and I just plug a Bash Bunny into every system I see, right.

So, first things first: know the system. Who am I? Those are really deep questions, but: who am I on the network? Where am I in this network? Where can I move with my current permissions? How do I get SYSTEM? SYSTEM would be the highest-level permission on the box, the machine you're on. Obviously you want to get administrator, like domain admin; that's probably your end goal, depending on what you want to do. Getting SYSTEM is important so you can steal processes on your current machine, hopefully if you have that opportunity. An example I like to give of why utilizing these commands is really important: what if the target machine you're on is not within the scope of the network you're attacking? When I was taking the OSCP, a lot of times I actually exploited my own box. I just got excited that I got a shell and I would start running commands, and then 20 minutes later I realized that I was running all those tools and attacks on my own Kali VM. I'm honest about that, and I'm very truthful about when I messed up, so that happened quite a lot. I learned a lot from it, though, and that's why these commands are important.

Okay, so kind of going into what Matt just said, we're gonna go into some commands that can answer those questions. You will see later on in the talk that we do have the outputs, and it's actually running these on a target system through our C2. So some commands I like to talk on are net group "Domain Admins" /domain. Like he said, SYSTEM is the highest privilege you can get, but that's all on the local system itself; your end goal is gonna be escalating to one of those domain admins so you can move to the DC or wherever you want on the network. They have high permissions and, on top of that, they can go pretty much anywhere they want. Another one is gonna be net user /domain, which shows you the users on the domain. It's not as important as domain admins, but still, they have the ability to move to whatever computer they want. This is just another list of commands, like ipconfig. In his OSCP example, if he would have run an ipconfig within his box, or ifconfig, he would have been able to see the IP address was not his target host, so if he saw that he would have saved the time he spent running all those other tools, exploits and commands. The next one is gonna be whoami. This would have told him right away who he was on the network, that he wasn't on the target, and when he got the output back he would have known that he wasn't who he desired.

Okay, like I said before, we're gonna show you just some of the outputs of the commands. Looking at the top right, net group "Domain Admins" /domain: as you see in our network, we're Batman fans, so our domain admin is gonna be Joker for our sandbox environment. net group /domain is gonna show you the domains that are on the domain itself. On the left here we have net start; this is just going to show you the Windows services that are started. And then net localgroup /domain is gonna show the local groups on my domain itself. Top left, this is actually one of my favorite recon commands: netstat -ano. -a is for TCP and UDP, it's gonna show both protocols, -n is gonna put them in numerical form by port, and then -o is gonna show you the PIDs. So if you know you've been compromised, you've been caught, and you're trying to get off the system, you can see our connection right there, it's running under PID 3344 I believe, and we can go in and kill that process so they won't see that we have an active connection to the target host.
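As an added example (not part of the talk), here is the defender's side of the netstat -ano trick just described: correlating netstat -ano with tasklist output to see which process owns each established connection, and flagging the ones that leave the internal network. The two command outputs embedded below are constructed samples, and the list of internal networks is an assumption.

```python
"""Correlate `netstat -ano` with `tasklist` to find which process owns each
network connection. Added example, not from the talk; the sample output
below is constructed to resemble the real format of the two commands."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (Windows format).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.12:49712        10.0.0.8:445           ESTABLISHED     4
  TCP    10.0.0.12:49813        203.0.113.50:443       ESTABLISHED     3344
  TCP    10.0.0.12:49820        203.0.113.50:443       TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Constructed sample of `tasklist` output (default table format).
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        144 K
svchost.exe                    884 Services                   0     10,204 K
svchost.exe                   1204 Services                   0      7,116 K
powershell.exe                3344 Console                    1     68,900 K
"""

# Assumption: what counts as "inside" for this network (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    image: str  # process name from tasklist, or "?" if the PID is gone


def parse_tasklist(text: str) -> dict[int, str]:
    """Map PID -> image name. Image names may contain spaces, so anchor on
    the fixed tail of the row (PID, session name, session#, memory)."""
    pids: dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def parse_netstat(text: str, images: dict[int, str]) -> list[Conn]:
    """Parse the TCP/UDP rows of `netstat -ano`. UDP rows have no State
    column, so the field count decides how a row is read."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid), images.get(int(pid), "?")))
    return conns


def _remote_ip(addr: str) -> str:
    # Strip the port; IPv6 addresses in netstat are bracketed, e.g. [::1]:135.
    return addr.rsplit(":", 1)[0].strip("[]")


def external_established(conns: list[Conn]) -> list[Conn]:
    """Established connections leaving the internal networks: this is what a
    beacon over 80/443 looks like. Note that the SMB session to 10.0.0.8:445
    in the sample (the "SMB link" pattern) is internal and is NOT flagged by
    this heuristic, which is exactly why the talk prefers it."""
    out = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        try:
            ip = ipaddress.ip_address(_remote_ip(c.remote))
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            out.append(c)
    return out


def hunt(netstat_text: str = NETSTAT_OUTPUT, tasklist_text: str = TASKLIST_OUTPUT) -> list[Conn]:
    return external_established(parse_netstat(netstat_text, parse_tasklist(tasklist_text)))


if __name__ == "__main__":
    for c in hunt():
        print(f"{c.proto} {c.local} -> {c.remote} pid={c.pid} image={c.image}")
```

On a live host, feed the real outputs of `netstat -ano` and `tasklist` into `hunt()` instead of the constructed samples.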
So again, netsh firewall show config: you can see if something like the firewall is disabled, and you can get a lot more information about your firewall. route print: you can see all the pathways, right, you can see your gateway and all that. tasklist: that's gonna show all the service information for each process, right, your process ID and everything. driverquery: that's a really important one. You can actually do driverquery /v and then /fo csv, and you can carve it out and actually get a whole list of all the drivers for future post-exploitation; you can mess with that data.

Yeah, so arp -a, Address Resolution Protocol; -a is for all, so it's looking at the cache of the systems that it's previously seen. Your set command shows you all your environment variables, so recently, if I get on a target, I just run set right away, normally, instead of doing a systeminfo, because I'm lazy and I don't want to wait for all that data; I just want to see the domain controller right away. I'm like, what's the DC? set, boom, there's the DC, I know that. schtasks is going to show you all scheduled tasks; the /v is verbose, it's gonna show you more information so you actually know what user that scheduled task is running under, and that's important information for future use, right.

Yeah, this is respecting your surroundings: whoami, so who am I on the network. So I'm K\Batman, right. echo %logonserver%, that's another command I run usually right off the get-go, but nltest is gonna probably work better. You might get the DC, but configuration changes on the domain controller, or just the Active Directory in general, can affect that, so what you want to do is nltest /dsgetdc:domainname. If you just do nltest /? you can actually see that, and that will give you the DC right away.

So our first demonstration. We've now, at this point in the test, pretty much got who we are, where we are, and what we're operating against, so now, in order to start the lateral movement, we're gonna run PowerSploit, and a module within that called PowerUp. This is going to do all checks on the target system, and this will give us the ability to actually see if there's any method for a privilege escalation right off the bat. All of our commands are going to be typed into the bottom left corner. Right now we're doing powershell-import, because obviously we want to import the PowerShell script that we're going to end up running against the target machine. PowerSploit is the tool suite; within there, what do you want to accomplish? Privesc is what we want to accomplish at this point, and then what we want to use to accomplish that: we're gonna run PowerUp.ps1. So now that that's uploaded to Cobalt Strike, we're gonna do powershell Invoke-AllChecks, and what this is gonna run, you're gonna see it go by pretty quick, is a list of set checks that it will look for, misconfigurations on the network that it can take advantage of to cause that privilege escalation. What you're gonna see here in a second, when we scroll back up to it, is the ability to do a DLL hijacking attack. It's a very common attack used for escalation. What I like about PowerUp is it gives you the abuse function, so you have your Write-HijackDll command and a DLL path that you're going to want to take over in order to complete your attack. It gives you everything right on the screen, so all you have to do is copy and paste.

Since we're talking about PowerUp, you have to have Goku, because, you know, he's 13 episodes deep trying to go Saiyan. PowerUp has a built-in module for DLL hijacking. You saw us use Write-HijackDll. What that does is it creates a self-deleting batch file on the target with the command you want to run for privilege escalation; you can alter it and change it. Then it creates a DLL using C++ and replaces the hijackable DLL, and then runs it. Once that runs, it calls your batch file, and after it runs you get your privilege-escalated beacon back and it will self-delete, so there won't be a trace of it unless they're doing active logging of, like, their DLL edits and batch files on the system.

So going into remote code execution, there's a bunch of ways to do remote code execution; there's great examples online as well. We're just gonna go over a few of them. So it's WMIC, the Windows Management Instrumentation Console. This is a way of utilizing WMI to get remote code execution of a payload that you already have on target, for persistence or possibly if you want to move to that target. This is obviously an example for Cobalt Strike; we're gonna do some Metasploit examples later on as well, and other commands. So there's a turtle.exe that I put in the System32 directory on the target machine. Obviously I wouldn't actually name it turtle in a real operation; I would name it something that's already on there and then I would put 32 at the end of it, like ping32 or something, so it doesn't stand out, and then timestomp it so it would have the same time as another executable or DLL or whatever I put it next to on the target. So you see turtle.exe in there. Currently I'm on the .12, and you can see I'm an administrator, my process is 5796, and I'm gonna run a remote dir. I'm actually dir-ing it remotely to make sure my executable is there before I just kick off a WMIC command against the target, because I don't want unnecessary traffic. Remotely dir-ing does add more traffic, obviously, but I don't want to try to call something with WMIC when it's not actually there. So I remotely dir it, I scroll up, I see it's there, yay, boom, there's my turtle.exe. I know it's an executable, it's my payload, and I know when I execute it that I will get a shell from that target machine. So we always start with shell commands, because it's through your command prompt; it's Windows native. You can do PowerShell and other stuff as well. The /node, you say your target IP address, so I'm moving to the .8.

Something to think about here is, when I do this, it's gonna take me a second to realize, because I used an SMB link; I'm linking with SMB. The reason I'm utilizing SMB instead of just 443 or 80, right: 443 is encrypted, yes, and it's another way I get the callback, but you can use SMB because it goes over whatever port I specify; I specified a random high port for this specific one, but SMB is usually 445, right. Your domain controller speaks over SMB to all the other systems, so because I'm talking to the domain controller to get that callback, you don't want traffic going out over 443 or 80, because a good blue team, or a good SIEM, you know, a network security team at a company, would see that weird traffic; you'll see a beacon calling out every minute. So I link to it; it's a bind, an SMB bind, so I actually have to link to the target IP. So there's a link, so now it's actually going through my initial beacon to the target, and that way all the traffic's not 80 or 443. A lot of times you'll see a lot of operators, as soon as they get access to a DC, or those credentials, they get excited and they just run for 443 or 80 because they'll just kick it off and they want that callback. But you use SMB, or you can use DNS tunneling as well, it's another way, because 53, right, everything speaks over 53, and SMB.

All right, sorry, going into another type of remote code execution. One thing I want to state is all these types of remote code execution that allow movement are either through stuff that's natively on Windows or within the Sysinternals suite, which are Windows-signed executables, so we're using stuff that's already there on the system; we're not just downloading and uploading large amounts of data and payloads to the system itself. So this is gonna be schtasks. As you see, it's shell, because we're doing it within Cobalt Strike again. /create pretty much explains itself; we're gonna be creating a scheduled task on the target system. /tn, the task name, is gonna be matt.exe (you guys are gonna see a lot of matt.exe and a lot of stuff named Matt, because he's all about himself, joke). /tr, the task to run, is going to be matt.exe. /sc: in this case we're going to run it once; there's many different ones you can decide to do. You can do onidle, onstart, on startup, run it once, you can state a time, and so you can actually use this as a method of persistence. If you know that there's not a lot of traffic at a certain time of day, kill it at the end of their workday, and I'm going to come back in at 7:30, your task kicks off, you get your callback, and you can kind of blend in with the network to a certain degree.

So here's going to be an example of us actually running the schtasks on a target system. Again, we're gonna go shell schtasks, we're gonna run the command I read to you previously: /create, the task name in this case won't be Matt, it's gonna be turtle; the task to run is gonna be the turtle.exe we utilized in our previous attacks. Since we're gonna kick it off ourselves, we're just gonna run it once and we're not gonna specify a time. After we kick it off this one time to start, we're not gonna utilize this anymore, just for the sake of example. And we want to run it under SYSTEM, right, so when we get this callback, since we're going from administrator on this target machine, we're gonna run it as SYSTEM, so our beacon should call back as SYSTEM. Next, we are actually kicking off the scheduled task ourselves: /run, task name again turtle, so we know the task is on the compromised system. We're going to the .8 again and specifying the task to run. Okay, success: the scheduled task turtle has successfully been created. You're not gonna want to run the command to execute it, obviously, before you get that confirmation message that it has been created. So again, there you go. What I like is it gives you the success back; success, it's gonna attempt to run the scheduled task. Also, it's very friendly with giving you your syntax errors back pretty quickly and not letting you run faulty commands, or commands with wrong syntax, against a target system.

Okay, and while we are doing so, in a couple of our videos we're running the SMB link still, because we're exploiting the domain controller, so a little bit of the time we pause and wait to link it. So, as you see, we link it; now we have SYSTEM on the Joker, the .8, and we're going through our .12, so the DC isn't going to be seeing our Kali attack box on the backside; they'll just be seeing traffic from other hosts on the network communicating to the domain controller via port 445, or the random high port we specified. The final thing we're gonna do, obviously, because we don't want it there (we didn't use it for persistence in this case), is delete it. /f is force delete, which is what we want to do, and we're gonna delete the task that we created on the target. If you delete the task itself, it's not going to kill your beacon, so you will have the opportunity to interact with your beacon as long as you want that day, but the next day you will have to create a new task or move a payload over.

The last form of remote code execution we're going into right now is service creation, another thing that's used natively on Windows. The command here is sc create; obviously we want to know our target, create, here we go with Matt again, and then we have our binpath, which stands for binary path, and this is just the path to your executable on the target machine. Then, once you create the service, we're gonna kick it off ourselves and then make sure we delete it again, you know, for tradecraft, so you're not just leaving started services and scheduled tasks running, because those are easy to query for a blue team on the other side. So right now we're interacting with the .12 again; we're gonna be targeting the .8 in this example, just because it's our domain controller. We want to show that it works from host to domain controller, and the payload will run on different boxes. So right now we're gonna sc create; there's our target, the .8 again, that's gonna be the domain controller, Joker. This time he named it "I love baby turtles", and binpath is gonna be, obviously, the path to execute what we had on the target already. This time we put the payload in Temp. A good thing I like about Windows 10 is that when the person logs on, or the system is rebooted, Temp will be wiped, so you won't leave your executables on the target for a very long amount of time. It's a way to, even if you do forget to remove it yourself, have it be deleted. So you kind of see why. This one did take a minute to come back; it should give us the service create success message, just letting us know that it's been created on the target box. Oh, I love you. Even when we're in interactive mode, it still takes a long amount of time to call back to our C2. There we go, our create service: success. So we know the service is created on that target, and now we know that we can move forward on our test and we can actually try to kick off the service itself. So there we go, sc start: this is us remotely kicking off our service on the .8 again. We want to start it, obviously; start/stop is pretty self-explanatory, and "I love baby turtles", that's the service we created. If you put spaces in "I love baby turtles", or any of your sc create, you're gonna have to actually wrap that in quotes, because it won't read it.

We got really impatient here because we didn't wait for the success message, so we just kept trying to link to it, and the fourth time was a charm. It ended up kicking back a SYSTEM, which is what we wanted to run it under, as you see on Joker: there's our process ID, callback time, and our SMB link to the DC. What I like about Cobalt Strike is everything's very visual, and you get the command line access as well, because the SMB link on the top left, if it breaks or the callback dies while you're on the target, that link in the chain will visually break on your screen; it'll be separated.
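As an added example (not part of the talk), here is what the create/run/delete scheduled-task sequence and the service creation above look like from the blue team's side: detection logic run over Windows Security/System log records for events 4698 (task created), 4699 (task deleted) and 7045 (service installed). The event records are constructed, and the field names are a simplified assumption; 4698/4699 only appear when Other Object Access Events auditing is enabled.

```python
"""Flag short-lived scheduled tasks and services installed from user-writable
paths, the two patterns described above. Added example, not from the talk;
EVENTS is constructed and its field names are a simplification of the real
4698/4699 (Security log) and 7045 (System log) records."""
from __future__ import annotations

from datetime import datetime, timedelta

EVENTS = [
    # Task created on the DC, run, and deleted 18 seconds later, as SYSTEM.
    {"time": "2019-03-01T09:00:02", "id": 4698, "host": "JOKER", "task": "\\turtle",
     "user": "batman", "command": "C:\\Windows\\System32\\turtle.exe", "runas": "S-1-5-18"},
    {"time": "2019-03-01T09:00:20", "id": 4699, "host": "JOKER", "task": "\\turtle",
     "user": "batman"},
    # A normal task that is created and left alone: not flagged.
    {"time": "2019-03-01T09:05:00", "id": 4698, "host": "JOKER",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "user": "SYSTEM",
     "command": "%windir%\\system32\\defrag.exe", "runas": "S-1-5-18"},
    # Service whose binary lives in Temp: flagged.
    {"time": "2019-03-01T09:12:40", "id": 7045, "host": "JOKER",
     "service": "I love baby turtles", "image": "C:\\Windows\\Temp\\turtle.exe"},
    # Service installed from System32: not flagged by this path heuristic.
    {"time": "2019-03-01T09:30:00", "id": 7045, "host": "JOKER",
     "service": "Windows Update Medic Service",
     "image": "C:\\Windows\\System32\\svchost.exe -k WaaSMedicSvc"},
]

# Assumption: directories an unprivileged user can normally write to.
USER_WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\appdata\\", "\\programdata\\")


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def short_lived_tasks(events: list[dict], window: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Pair each 4698 with a later 4699 for the same host and task name
    inside `window`. A task that exists for seconds is how the schtasks
    create / run / delete sequence shows up in the log, whatever it was
    named. The run-as SID S-1-5-18 (SYSTEM) is recorded for triage."""
    created: dict[tuple[str, str], dict] = {}
    findings = []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev.get("task", ""))
        if ev["id"] == 4698:
            created[key] = ev
        elif ev["id"] == 4699 and key in created:
            c = created.pop(key)
            life = _ts(ev) - _ts(c)
            if life <= window:
                findings.append({
                    "host": ev["host"], "task": ev["task"],
                    "lifetime_s": int(life.total_seconds()),
                    "command": c.get("command", ""),
                    "as_system": c.get("runas") == "S-1-5-18",
                })
    return findings


def suspicious_services(events: list[dict]) -> list[dict]:
    """7045 records whose ImagePath points into a user-writable directory
    rather than System32 or Program Files."""
    out = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        path = ev["image"].lower()
        if any(h in path for h in USER_WRITABLE_HINTS):
            out.append({"host": ev["host"], "service": ev["service"], "image": ev["image"]})
    return out


def scan(events: list[dict] = EVENTS) -> dict:
    return {"tasks": short_lived_tasks(events), "services": suspicious_services(events)}


if __name__ == "__main__":
    for kind, items in scan().items():
        for f in items:
            print(kind, f)
```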
about the SMB links is the the SMB links only call back when you have traffic input to give the target host so it's not constantly going to and from you're not constantly seeing that activity and that traffic you're just gonna see data being given back to you when you're actually running and trying to exploit the target or XML data so just because we had a lot of KOCO strike to start you're gonna add some interpreter in there for people who are people who are enjoy meterpreter or using MSF console so we're just gonna do PS exec so here we go we're gonna load our actual module itself windows SMB PS exec obviously when you're doing meterpreter the nice
thing they have to show options so it tells you what's required our port we're doing SMS MB which works with PS exec so that's already set for us so all we have to do is set our our host this is again what goes into exploit on box we accidentally set the our host 2.12 so if you would have ran this we would have ran against yourself look kind of goofy so you know make sure we had it right changed it to the dot eight we had credentials at this point so we set our SMB user interesting be password you don't have to but if you have it it won't hurt you to use run show options
again to make make sure nothing has been reverted to default and all of your options are set in the exploit itself and then you can type run or exploit either way it will run for you as you see at the bottom obviously you don't want to do port for 444 that's common with meterpreter you don't want to specify your home port but the sake of the demo we left it by default you're going to see the meterpreter session start up and then you're gonna want to get UID because you want to see who we are you want to answer those questions that we asked in the beginning of the talk a process was created we go down on
hosting because once you're in meterpreter you can go inside the shell as you see on the Microsoft Corporation all rights reserved so we're within a Windows box we have our host name Joker which is been a dot eight and now we know where we are and we have our abilities start interacting as a shell or use other meterpreter payloads and modules against the target okay so we have to mention when our m4 allow movement or moving within network right so so windows remote management so it's on port five ninety five five nine eight six five ninety six is encrypted a lot of people will argue and I know that encrypted traffic can be sent over five
nine eighty five I'm aware and it's just it's just another good way to I would move and when there's over two thousand eight same thing it's a wrs now there's just something to be you know familiar with and there that's re you know it's only windows targets and I love that meme cuz it's true you know Windows Server security keep out or enter I'm a sign not a cop that's very true um so next one's a remote registry so register Keys right there just do run on the register so I put it on a remote or a target machine on the desktop just so you can see it obviously I wouldn't do that on a real operation again but it's for
pictures and stuff so so remote registry has to be enabled on the target under your services right so if you see that's enabled then you know you can move as well so for this one I used meterpreter and so I already have a shell and I'm gonna add a registry key to a remote machine and then I'm gonna kick it off so that I get a call back from it and I end up using the same payload that I originally got had this mature professional and that's why I'm gonna kill my section before the call back so um there is I added it so I'm going after the Batman computer so that's the dot 12 so my attack machine's dot six I
already have a shell from dot ten and I'm going after dot 12 which is the Batman so Batman calm that's the registry key location right I called it wolf calling on-the-go DXE you know so after it runs what I'm doing here is I'm shutting down and restarting the system remotely so I added that registry key to the dot twelve and now to get that registry key to kick off I restart the target machine so as to shut down the /m and then I'm calling on that system through the host name right and then um tech rft so time zero do it now I'm force right so I killed her I restarted target box I killed my session because my pail is
about to kick off and I started my listener so there's my listener so my callbacks : to the dot six I'm waiting and then you're going to show you that the the target machine what the user sees when I execute this right it takes me a second because I'm slow videos apparently it's a lot faster when we were first right but the the video is gonna come up the targets there's my VM which is a target go die XE and then you're gonna see me capture the shells going to come in so sorry sorry restarted I should pulled it up earlier and boom shell dot all right it's not access that system and that's what the
user would see if they were like currently on they see the Box restart and then we would just have a shell and be able to do everyone from that point you know establish persistence hide stuff in there and a laterally move you don't stay on the box once you initially compromised it yep alright decom so decom super technical and in-depth so Matt Nelson is one who documented it I just want you guys be aware that it is a way to do lateral movement I don't think I'm by far like the expert to speak on decom but it's really important you know there's there's a lot of good resources out there to perform it so so I'm sure
Everyone here has heard of Mimikatz. It's been on AV blacklists for a long time now. We're going to go over a method we've experienced and have run on tests, where we don't have to put anything involving Mimikatz on the actual target box. We're just going to use the Sysinternals suite, which is Windows-signed; you know, PsExec is in there. In this case we're going to be using procdump, right? So once we notice that they have Sysinternals downloaded on the target host, we're going to use procdump, as you see in the top left-hand screenshot, to target lsass. lsass is what Mimikatz targets
because that is where the passwords are going to be stored: the SHA1 hashes and NTLM hashes of passwords are going to be stored there since the last reboot of this machine. So what we're going to do is, when we have procdump, we're going to leverage it to target lsass.exe, and then you see right beside it I also have lsass.dmp, which is the name of our minidump file. This is pretty much going to be the output of the lsass process, so we can then pull it down to our Windows attack platform. And when you're doing this, make sure that your Windows attack platform is the same architecture and the same year as the target host you're
going after; if not, it will not work. So once we have our minidump, in the bottom left-hand corner, and Mimikatz, which you also see on our desktop in the bottom left-hand corner, we're going to run mimikatz.exe, and then you're going to see we're going to take our minidump file and import it (it's going to say minidump), and then we're going to run sekurlsa::logonpasswords, and it's just against the lsass.dmp minidump file. Then we're going to see the output. There's a very long list of users, so if you kept scrolling down on the
screenshot (we had limited slide space) you would see cleartext passwords. Here you can see the domain, the username, the NTLM and SHA1 hash of the target, of the administrator itself. And this is actually really nice because you're not using Mimikatz maliciously at all on the target system. When me and Matt originally started working together, when I was the experienced one and he was the newbie, this is how he first got domain admin on his first domain controller. A quick story, because it's pretty cool and I think it teaches people a lot of stuff. So I ended up getting credentials to RDP to a target, which is, like, super bad tradecraft if you think
about it, but it was the only way I could get on that system at the time. And then I couldn't use WMI or get remote code execution on any other targets I wanted. I saw a file server I really wanted; I knew a domain admin logged into it. So I thought about it, and I didn't think it would work, and it was really, it was pretty ghetto. It's funny, though: I RDP'd through, and from my share I moved the Windows Sysinternals suite to the target, the file server, and then procdumped lsass and created a minidump file, and then pulled everything back. So everything's Windows-signed, nothing malicious; it doesn't look
malicious at all to anyone, because the sysadmins were using RDP, so unless somebody was on while I was on, then we'd have been bad. But I pulled the dump file back, and the reason he said the architecture matters is because it actually took me a few hours, which is embarrassing; again, I admit when it takes me a while. It was an x86 target and I pulled it back to a 64-bit Kali, and I sat there, I kept running Mimikatz with the minidump, and I realized I had to move to another system, a new attack platform, to then get the creds. And then I got domain admin. I'll never forget
that. It was the first time; it was really humbling and fun. So, all right. Oh yeah, so me: Responder. You can't talk about lateral movement, moving around a network, without Responder, right? Super important, super in-depth, there's a lot of information. So I love Responder, it's a lot of fun. Any company I ever go to, if you get access to a switch, if you ever walk in there, putting on, you know, their port security and everything, they'll never have a lockout when you pull the ethernet out on the first try. Normally somebody in here will argue with me after, I'm sure, but most likely the network engineers are lazy on that, and they don't want, if something comes unplugged, to not be
able to just plug back in and redo everything. So a lot of times, when I've done pentests, I'll go up to a switch, and they'll have port security, and I'll just unplug the ethernet from the switch, I'll plug it into my attack machine, right, my laptop, and I'll do a tcpdump or Wireshark and I capture their IP address and their MAC. I clone my MAC, I clone my IP address, and I plug back into the switch through the ethernet port that I pulled the original one from, with my attack machine, because I'm now that machine. And then I would run Responder, right? And the reason I'm running Responder is
to capture your hashes as they're sent across traffic, right? So LLMNR, it's Link-Local Multicast Name Resolution, and NetBIOS Name Server is what the other one is, which, they approach the same thing, just NetBIOS names, so everyone's on IPv4. So here's an example of me capturing a hash from a target user. So what's going to happen here is the target is going to try to access a network resource that isn't actually available. So "food", right? I was really hungry, I think, in this video. So I try to go to "food" and it doesn't exist, and because it doesn't exist it means it's not in DNS, right?
It's going to go to DNS: is that there? No. And I'm like, yeah, that's me, send me your hash, and the computer's like... oh, sorry, language. Oh yeah, that's me, that's me, and then a thing, and then what I get is, so I get the username and hash, and I can take the hash offline and try to crack it; you can do a lot of things with it. I have an example later where I utilize MultiRelay. The first script I ever wrote that I was super proud of was an automation of byt3bl33d3r's tools, which was Responder to CrackMapExec, NTLM relay, you know, and then a PowerShell
one-liner, and I just got shells. Horrible tradecraft, it was super cool. So there's a user and the hash right now, so everybody wants to pull it offline: you can crack it, you can pass the hash, all this stuff. RunFinger.py, right, Python. The reason for this tool is to see what domain, and see if SMB signing is on, and see the OS version of the target. So when you run that, you're going to actually see, I'm going to run it against the three machines in my lab environment; the DC has SMB signing true, so you know Responder is not going to work against that. So I'm sure everyone here, for the
company, they have SMB signing on their network, which is a joke, because a lot of people have legacy systems and they can't, due to Samba, Linux, but so Responder will work. So MultiRelay, it's an amazing tool for NTLMv2, right? And it'll do HTTP, and, like, if you have automatic proxy settings in your, if you have your proxy set to automatic for your WPAD on your browsers, right, for your images, then you're open to WPAD, which you can actually force WPAD in Responder, which means that certain resources I try to access on the internet, when they query it, I would just say, yeah, that's me.
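An added example from the defender's side, not code from the talk and not Responder's own code: the poisoning just described only works because hosts on the segment will accept whoever answers first for a name that is not in DNS. A small Python probe can turn that around by asking the segment for a random canary name that cannot exist and recording any host that answers. The multicast group 224.0.0.252 on UDP 5355 and the message layout follow RFC 4795 (LLMNR reuses the DNS wire format); build_llmnr_answer is only a constructed test fixture that mimics the shape of a poisoner's reply so the parser can be exercised offline, and in a real run any hit returned by probe() is a host to investigate.

```python
import os
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355


def build_llmnr_query(name, txid):
    """Build a single-question LLMNR A query; LLMNR reuses the DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)         # QTYPE=A, QCLASS=IN


def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer
            return pos + 2
        pos += 1 + length


def parse_llmnr_answer(data, txid):
    """Return the A-record IPs in a response that matches txid; [] otherwise."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:                   # wrong id, or not a response
        return []
    pos = 12
    for _ in range(qd):                                      # skip the echoed question(s)
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ips


def build_llmnr_answer(query, ip, ttl=30):
    """Constructed test fixture (not captured traffic): the shape of a poisoner's reply."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def probe(timeout=2.0):
    """Ask the segment for a random name that cannot exist; any answer is a finding."""
    name = "canary-" + os.urandom(4).hex()
    txid = random.randint(0, 0xFFFF)
    query = build_llmnr_query(name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
        sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            ips = parse_llmnr_answer(data, txid)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass                                                 # silence is the good outcome
    except OSError:
        pass                                                 # no multicast route (offline)
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, ips in probe():
        print("LLMNR answer from %s claiming %s for a name that cannot exist" % (src, ips))
```

Run it from a host on each VLAN you care about; a clean segment returns nothing, and a hit names the IP that is answering for things that do not exist. The same idea applies to NBT-NS on UDP 137, and the durable fix the talk hints at is to disable LLMNR and NBT-NS by policy and require SMB signing so a captured exchange cannot be relayed.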
Same thing: get the hash. So you don't want automatic set in your browsers through your image; you want to go back and set that manually. And here's an example. So this is the .12 again, for you, you probably can't see that, so it's the .12, the Batman target, and the user is administrator. And actually, I'll start over. So, important: you have to turn off SMB and HTTP in the Responder configuration file, Responder.conf, and that's so that you don't have protocol conflicts, right? So you're going to turn those off, because MultiRelay is going to be utilizing that, right, not Responder. But so you're going to start Responder, or I'm going to set up MultiRelay first. So MultiRelay,
you can do -t, you can do the target, so you can specify multiple targets or a range, or you can specify one. So say you're going after one machine; then you can specify a user, you can specify all users. So for this example I'm saying I want this guy, and I'm only going to use this user; or let me use all users, sorry: this guy, and I'll use all users. So anybody that passes their hash, any users, I'm just going to relay it to that target to try to get a shell, which the shell is the end goal here, right? You know, so here's me starting Responder. I think I'm going to try to get a share called
"hi everyone", which doesn't exist. Okay, so it's listening, I know it's listening, I know MultiRelay is currently running as well, and then I'm going to go to "hi everyone". It's horrible, you can't read that well. So I try to get "hi everyone", boom, shell, right? I can dump hashes, I can, you know, get over to Meterpreter, Cobalt Strike, wherever I want, whatever C2 I want to do. So Responder is really useful. Next, one of the last things we're going to go over is port forwarding. There's many different types of port forwarding; we mostly go into proxychains, port forwarding, SOCKS with Cobalt Strike, and then Metasploit port forwarding. The good thing about port forwarding is it's not like, it's not
like the SMB links we were having earlier; this is using a compromised host to tunnel traffic through. Yes, you're doing that when you push a payload, obviously, through an SMB link, but this is just for anything you want to run from your Kali box. So in our examples we're doing scans of a target system from a system within the internal network, so we can see what ports are open on it and anything we can target. So the first video is going to be proxychains with port forwarding, with SOCKS through Cobalt Strike. The file on the right I'm editing is proxychains.conf; as you see in the bottom, there's our attack box IP, port 8000, and then in Cobalt Strike we're going to
do socks and then make sure the port links up, so everything on port 8000 is going to be given through Cobalt Strike; it's going to go through our beacon that we have on the .12. And then for proof of concept, we're running proxychains and nmap, just an nmap scan, so we're going to be scanning the, I believe we should get into the .10, the Batman box, or, sorry, the .10, the Robin box, from our .12. So if you're running, back to capture, Wireshark, you know, you're not going to be seeing that scan coming from our .6, our Kali box outside your network; you're going to see it internal, if you are in fact
running it. So we're looking for ports 22, 445, or 3389. As you see, 445 is open, and 3389, or RDP, and 22, SSH, are closed, which is good. First, this admin, but EternalBlue targets, like, SMB, it targets SMB 445, so we can leverage that, pushing exploits through our port forwarding to target that end host, so we can move further into the network. Port forwarding through Meterpreter: at the top you're going to see us, obviously, you have to create our payload; we're using msfvenom to create our payload. In this one, -p is the payload we're using, reverse_tcp, LHOST, and you're also going to have to
match up everything on the payload; you have to match up with everything on a listener. So our Kali box is listening on port 8686; -f is the format, so executable; cat.exe is the executable itself we're creating. And then we're setting up our multi/handler as our listener, just to catch that callback once we run it on a remote host. The next slide, this is important, because if you especially, I used to have, an insider threat or someone on the internal network: we're using Python, -m, the SimpleHTTPServer module, on port 8080, to host our /etc directory; that's where we're holding our cat.exe exploit that we want to put on the host
box. So say you have someone inside, an insider threat or a cat team or something, that goes out; they can browse to our 192.168.1.6 on 8080 and they can see that executable. Depending on the security settings of the target network, they can download that and execute it and give us our callback. As you see the GET request on the left-hand side, they are hitting our attack box from the victim. This is just showing you us running on multi/handler, so we're running our listener, and we kicked off the cat.exe on the target box. We just did a proof of concept within the shell to show you our hostname is Robin, and
then we exit out of the shell and straight back into our Meterpreter session, which is where you have to run the portfwd add. And as you saw, based on the nmap scan using the SOCKS proxy earlier, we're targeting 445 on the .12, so we then go exploit that, because we saw that port 445 is open. So there's obviously experts on BloodHound; I'm sure everybody's aware of this and what it is, but we can't talk about it without touching it again, right? So BloodHound utilizes neo4j, right, it's a graph database management platform, and that's how this, logging into the neo4j server on the bottom left, server connect, right. This is BloodHound Bounce,
just a head, it's cute, I thought it was funny, no one laughed, it's fine. So it's important: you start your neo4j server, and the coolest part of this, right, so if you've worked with BloodHound you've seen this. So BloodHound runs, it gathers all the user data and you get the groups and the users, you know, the shortest path to your domain admin, or getting to whatever group you want, right? But a lot of people, like, so it drops the zip, so it actually drops the zip file to the target and you pull those back and upload the CSVs to neo4j. You can actually, they actually set it up now where you
can do a reverse port forward, and I'm using, like, the REST API, right, like the -URI, right? It's like a -URI: you specify -UserPass, or -URI, you specify your path, so http://127.0.0.1, some port or whatever, seven-six-something, something like that. You can actually have all the data go directly into your neo4j from your target, so you don't have to drop that zip on a target, and that's pretty fun and pretty cool. So you just see your neo4j just updating. You can do a loop as well, right; looping is really important, because you don't know how much data is going, and when users are
active. So that's a zip that I dropped on target, because, you know, there's an example that looks like so. This is shortest paths to high value targets, right; yellow is the groups, green is the users, and then the rest of the boxes we compromised, and it's super pretty. Those guys are brilliant, obviously. And now we're at the end. So, like, I have to do references, because I don't say all this information is mine, because it's all out there, and these guys are, again, brilliant, and I love learning from them and just being around them. So all these websites, they're super useful, and you should visit, like, SpecterOps, you know, they're awesome. And then people
that have influenced us, and they might not even realize it, so I had to put their Twitter handles, or GitHub, yeah, handles, because I follow them super closely, I read all their posts, and they're super inspirational to me; they don't realize it, probably, so I'm just, you know, just watching them from afar, I'm creeping on them. It's weird, I met a few; these guys are awesome, you know. And there's Dwight, I love The Office. Again, that's how I imagine the hacker on a network: it's just like domain admin, you know, network engineer, whatever, just the same person, just a bunch of different hats. I thought it was pretty funny, again, Dwight. But if you enjoyed this
talk, learn more, you know; that's why I did a reference slide, that's why we put the Twitter handles, like GitHub handles, up there, and that's why we're saying message us on Twitter. I love feedback and I love getting questions and just moving forward with other people and, like, collaborating. I write in Python; I'm currently working on writing my own implants. And the big thing, so to finish up, something I want to mention is, we talked a lot about Cobalt Strike, Metasploit, but for those super awesome red teams out there, they're creating their own C2s and their own implants, and that's how, you know, AV is not going to
detect that, because they're just crawling all those signatures. As soon as Cobalt Strike comes out with a new version, they just, you know, buy it, or they'll pirate their version, and then they just crawl it and then they update the signatures and then you're going to get flagged. So it's great that we're utilizing this, and it sounds really cool, but creating your own and keeping it in-house is the way to go long term. That's going to cost a lot of money up front for development for companies. So just, anyway, that's our talk, we're right at zero. You may have questions? Yes.
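Looking back at the procdump section of the talk from the defender's side, an added example that is not code from the talk, from Sysinternals or from Sysmon: since procdump is a signed binary and nothing "malicious" touches disk, the signal worth alerting on is the handle open on lsass itself, which Sysmon records as Event ID 10 (ProcessAccess) with the requesting image and the access mask. This Python block parses a few constructed Sysmon message bodies and flags any image outside a small allowlist that opens lsass with PROCESS_VM_READ (0x10), the right a minidump needs. The sample events, PIDs, timestamps and paths are made up for the example, and the allowlist is an assumption to be replaced with a baseline taken from your own hosts.

```python
import re

PROCESS_VM_READ = 0x0010      # required to read lsass memory; present in 0x1FFFFF, 0x1010, 0x1410

# Images that routinely open lsass on a stock Windows host. This allowlist is an
# assumption for the example; build yours from a baseline of your own estate.
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) message bodies, blank-line separated.
# Not real telemetry: the PIDs, times and paths are made up for the example.
SAMPLE_EVENTS = r"""
Process accessed:
RuleName: -
UtcTime: 2018-01-01 14:02:11.123
SourceProcessId: 4412
SourceImage: C:\Users\admin\Downloads\procdump.exe
TargetProcessId: 640
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5f34|C:\Windows\system32\KERNELBASE.dll+1f0a6

Process accessed:
RuleName: -
UtcTime: 2018-01-01 14:02:12.001
SourceProcessId: 988
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessId: 640
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5f34

Process accessed:
RuleName: -
UtcTime: 2018-01-01 14:02:13.450
SourceProcessId: 520
SourceImage: C:\Windows\system32\csrss.exe
TargetProcessId: 640
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5f34

Process accessed:
RuleName: -
UtcTime: 2018-01-01 14:02:14.002
SourceProcessId: 3120
SourceImage: C:\Windows\system32\taskmgr.exe
TargetProcessId: 3300
TargetImage: C:\Windows\system32\notepad.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5f34
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


def parse_events(text):
    """Split Sysmon message bodies into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def is_lsass_dump_attempt(ev):
    """True when a non-allowlisted image opens lsass with memory-read rights."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in BENIGN_SOURCE_IMAGES:
        return False
    granted = int(ev.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)


def detect(text):
    """Return (SourceImage, GrantedAccess) for every flagged event."""
    return [(ev["SourceImage"], ev["GrantedAccess"])
            for ev in parse_events(text) if is_lsass_dump_attempt(ev)]


if __name__ == "__main__":
    for image, access in detect(SAMPLE_EVENTS):
        print("lsass opened with %s by %s" % (access, image))
```

Of the four constructed events only the procdump one is flagged: svchost asks for 0x1000 (query limited information, no memory read), csrss is allowlisted, and Task Manager is opening notepad, not lsass. The same rule catches a renamed copy of procdump, since it keys on the target and the access mask rather than the file name; pair it with Credential Guard or RunAsPPL so a dump yields less even when the alert is late.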
[Music]
We are Windows and Linux; like, that's our niche and that's what we go to when it comes to exploitation. But there's people out there that can exploit anything, from, like, the kernels on the Windows and Kali boxes, or they can do server-side exploits, or they can do web-based applications. I'm sure if it's connected to any network on the internet there's someone out there that has an exploit for it or can target it in a way. We're just our Kali, Windows, and Windows legacy base when it comes to the attackers. Also, like, nothing's really secure, depending on, like, the value; that's, like, a huge thing. Like, if it's super valuable, then yeah, someone's
going after it, and you're not secure, and, like, it's better to look for already being compromised than to just assume that no one will come after you. All right. Yeah, right, hey, any more questions? Sorry, yeah. Yeah, man, defaults on Twitter, I'm saying, but we're good, we're going to post them. I wish that I had already uploaded them all before; I should've uploaded before this, I know. I believe, are you guys, okay, so they're going to put the slides up as well for BSides too, and that's why I made these slides, so people use them. This thing, like, we would go to a bunch of talks, people spoke about stuff, Responder, pass the hash, you know, all this, you know, port
forwarding; like, port forwarding blew my mind the first time I learned it. I was like, I don't understand, so I'm attacking myself and then it's hitting things and it's working, I have a shell that's not me, you know. So now these slides, these slides will be available, we'll post them on Twitter; so it's "slides", not "shells", I'm not hacking on it. All right, cool, is that it? Sorry. All right, have a good one.