
Okay, welcome everybody. I have a few brief announcements to make before we start the talk. We'd like to encourage everybody to stop by the sponsors area, which can be found in the expo channel of the platform; if you visit a sponsor page there'll be people and resources there to talk about job opportunities, etc. Also there's an open invite to the happy hour tonight at Punch Bowl Social in Arlington, Virginia. It's between six and nine pm, so we'd love to see anybody with a BSides NoVA ticket there; the address is 4238 Wilson Boulevard. And finally, I'm excited to announce the next talk, My Pentest Toolbox by Octavio Paguaga, and you can use the chat window to the right to put any questions in. We will have a Q&A session, so as the talk goes on just fill those up, and I'm handing it over to Octavio. I think you're on mute, Octavio.

Thank you, Daniel. Thank you very much, Daniel, for the introduction. My name is Octavio Paguaga and welcome to My Pentest Toolbox. Just to give you a quick primer as to what we're going to talk about: this basically is the equivalent of going through my actual toolbox at home and looking at my Channellocks, my pliers, my wrenches, my table saw, so on and so forth. We're going to go through the various tools that I use for pen tests, preparing for pen tests, or some phase of the infosec offensive realm. So now that we have that, let's go into who I am a little bit more.

Cool, so who am I? Most importantly, I'm a father. I have two kids: I have a daughter who's turning three years old in August, and then I have a small little son who's seven months old. I am a senior security consultant for Trustworthy Government Solutions; I've been working there for about two years, a great place to work at. I also remove cicadas after hours. We have a pool in our backyard and our cicadas aren't strong swimmers apparently, or, I'm sorry, strong flyers or swimmers.
So I ended up having to pick up quite a few dead ones each day after work.

So, quick thanks to Steve Borsch. Steve Borsch is my boss at TGS; he's the principal security consultant, and he's taught me a lot over the last two years. He goes by reverse shell on Twitter; he's big in the open source tooling world. You can find him on the Hack the Planet Discord, and you can also find him on the BloodHound Slack channel, which is the third bullet on the slide. Jimmy Bayne: Jimmy Bayne is also on Twitter, he goes by bohops. Him and I have crossed paths; we've worked together in some capacity probably for the last five, six, seven years maybe, but Jimmy's a really smart guy, a great guy to have in your back pocket for questions, and just an all-around good guy. The BloodHound Slack channel has been around for about two years. What I've found is it's a great resource for people who have questions at all. They talk about BloodHound there, but they also have various channels for Kerberos, red teaming and a variety of other topics. Everyone there is usually pretty eager to help and willing to help, which is awesome. And then last but not least, Patrick Young for the last-minute image on the right-hand side.

So we'll start off with the sexy stuff first: Greenshot and Flameshot. As pen testers and red teams we have to have screenshots for everything; it's kind of the saying of "screenshot or it didn't happen". So prior to learning these tools existed, or even that Snagit existed, I would go with Microsoft Paint: I'm sorry, I would hit Print Screen, paste it in Microsoft Paint, and then I would modify my screenshot there. Having multiple screens means that I had to filter out quite a bit. One cool thing that Greenshot has is the ability to select the region, so I can just select a particular region and then I can go to copy to clipboard, which is probably my number one option, and from there I can paste it wherever I want to paste it: I can paste it into Word, PowerPoint, OneNote, whatever I'm using to track my screenshots for this pen test. Another option I use quite a bit is simply "save directly using preferred file output settings". I use this a lot when I have to record multiple steps. So like yesterday, for example, I was doing a multi-step ACL attack against a client, and I would hit a command, take a screenshot, hit a command, take a screenshot. So it's just really easy to do save directly too, and you know you have a collection there. I also use that option when I'm doing a pen test of an application, well, applications; it bugs me beyond belief to not have screenshots of the application when it comes time to the report, because photos go so much further than actual words do, so it just helps a lot. One thing to clear up that I didn't cover: Greenshot is for Windows, Flameshot is for Linux, so just choose your tool accordingly.

AMSI. So what we have here is someone who attempted to run a PowerShell script called Invoke-ReflectivePEInjection.ps1, and then we see in red, which is pretty hard to read, so
I'll read it out loud: "This script contains malicious content and has been blocked by the antivirus software." What has blocked this script from running is called AMSI, or Antimalware Scan Interface. So up until PowerShell 5, which came out about two years ago, there was no visibility whatsoever into PowerShell code, so it was possible to write a self-contained, let's say, Cobalt Strike launcher in PowerShell, run it in PowerShell 2, 3, 4, hit Enter, and it would bypass any AV, because there was no integration with AV; that feature hadn't been built yet. With PowerShell 5 came AMSI. What happens now is my same C2 launcher gets loaded into PowerShell 5, it gets decoded, all the code gets ready to go, but before it gets executed it gets handed off to an AV product. Defender has amazing integration, Sophos has AV integration, and I believe Cobalt Strike has their own, I'm sorry, CrowdStrike has their own AMSI engine, and this gives the opportunity for these products to give a yea or nay.

Here's where AMSI.fail comes in. So for as long as we've had AMSI as a feature we've had AMSI bypasses; I think the first one that I know of was by Matt Graeber and it fit into a small tweet, so it's pretty good. There's not big stuff, it's not the big stuff you can see here, but AMSI.fail in short is a collection of AMSI bypasses, and it obfuscates them as well for you. So what you would do is, if you find yourself in an environment or on a machine that's running PowerShell 5 or PowerShell 7, you would go to AMSI.fail, copy and paste this code into your PowerShell window, and then from there you would launch PowerView or whatever tools that you wanted to run. I will say I've been using AMSI.fail for about nine months, give or take, and I've had great luck until the last month. In the last month the AMSI bypass did not work; Sophos caught it and Windows Defender caught it. But because it worked for the prior eight months before that, I went ahead and mentioned it in this presentation.

So on the next slide we're going to get into the NTLM relay portion of our talk, and the best way to do that, I want to just break down the tools real quick before we jump into anything. So when you do NTLM relay, in essence what you're trying to do is you're trying to first encourage someone to talk to you, so first I need somehow, some way, to get into a conversation between a client and a server. So you use mitm6 and Responder to do that; basically it's my way of enticing a client to talk to me instead of the actual intended target. I would then use the ntlmrelayx tool to forward those credentials off to somewhere else. Depending on my use case, I can forward it to an end workstation just fine, or I can also forward it to an AD server. I find myself forwarding more to an AD server because the ADs are the keys to the kingdom; it kind of tells me the password policy, the number of users, everything I need to know. Ultimately, if I can take over an AD server and get DA, I have access to whatever I need. And then we're going to perform the action: so once we authenticate onto that machine, what's next? Are we going to try to trigger a Cobalt Strike payload, are we going to try to run a different kind of DCOM lateral movement, what are we doing next?

So here we have mitm6. Before we get into our first screenshot: mitm6 was written by a gentleman named Dirk-jan; the tool can be found on his GitHub page. The problem that mitm6 creates is that since Windows Vista and Windows Server 2000, Windows has actually preferred IPv6 communication over IPv4, which means that despite system administrators' best intentions, there was this whole IPv6 communication going on in the back end. We've actually had cases where Responder has been caught by an IDS of some sort, and we've moved over to IPv6 with mitm6 and we've gotten around that IDS, because there is no visibility. So because Windows has now integrated IPv6 into their OS, it's actually not recommended to disable IPv6 as a whole; what they recommend that we do is to simply configure the registry key at the very last line to prefer IPv4 over IPv6, and once you do that, the attack you're going to see in the next slide is impossible.
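Added example (not part of the talk, and not mitm6's or Responder's code): a small posture check for the mitigation just described, the IPv6 `DisabledComponents` registry value, alongside the SMB signing and LDAP signing / channel binding values the talk comes to later. The key paths, value names and bit meanings are Microsoft's documented ones (0x20 prefers IPv4 over IPv6, 0xFF disables IPv6 outright, which Microsoft advises against). `assess()` works on a plain dict so it runs anywhere; `read_windows_settings()` uses `winreg` and only works on a Windows host.

```python
"""Relay-hardening posture check (added example, not from the talk)."""
import sys

# (key path under HKLM, value name) for each setting of interest
SETTINGS = {
    "DisabledComponents": (r"SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters", "DisabledComponents"),
    "RequireSecuritySignature": (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "RequireSecuritySignature"),
    "LDAPServerIntegrity": (r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "LDAPServerIntegrity"),
    "LdapEnforceChannelBinding": (r"SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "LdapEnforceChannelBinding"),
}

PREFER_IPV4 = 0x20   # Microsoft-recommended: keep IPv6, but prefer IPv4 in address selection
DISABLE_IPV6 = 0xFF  # disables IPv6 components; Microsoft recommends against this


def read_windows_settings() -> dict:
    """Collect the raw values from the local registry; absent values mean Windows defaults."""
    if sys.platform != "win32":
        raise RuntimeError("registry read only works on Windows; pass a dict to assess() instead")
    import winreg
    found = {}
    for name, (path, value) in SETTINGS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                found[name] = winreg.QueryValueEx(key, value)[0]
        except OSError:
            pass  # value not present: default behaviour applies
    return found


def assess(settings: dict, is_domain_controller: bool = False) -> list:
    """Return one finding per weak or default setting; an empty list means hardened."""
    findings = []
    dc = settings.get("DisabledComponents")
    if dc is not None and (dc & 0xFF) == DISABLE_IPV6:
        findings.append("IPv6 disabled outright (DisabledComponents=0xFF); Microsoft advises 0x20 instead")
    elif dc is None or not (dc & PREFER_IPV4):
        findings.append("IPv6 preferred over IPv4 (default): rogue DHCPv6/DNS takeover applies; "
                        "set DisabledComponents=0x20")
    # SMB signing: 1 = required. Member servers default to 0, so relay to SMB works there.
    if settings.get("RequireSecuritySignature", 0) != 1:
        findings.append("SMB signing not required (RequireSecuritySignature != 1); SMB relay possible")
    if is_domain_controller:
        # LDAPServerIntegrity: 1 = negotiate (default), 2 = require signing
        if settings.get("LDAPServerIntegrity", 1) != 2:
            findings.append("LDAP signing not required (LDAPServerIntegrity != 2); LDAP relay possible")
        # LdapEnforceChannelBinding: 0 = off (default), 1 = when supported, 2 = always
        if settings.get("LdapEnforceChannelBinding", 0) == 0:
            findings.append("LDAP channel binding off (LdapEnforceChannelBinding=0); LDAPS relay possible")
    return findings


if __name__ == "__main__":
    try:
        current = read_windows_settings()
    except RuntimeError as err:
        print(err)
        current = {}  # fall through and show what the Windows defaults imply
    for line in assess(current, is_domain_controller="--dc" in sys.argv) or ["no findings"]:
        print("-", line)
```

Run with `--dc` on a domain controller to include the LDAP checks; on a member server only the IPv6 and SMB values matter.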
So before we dig into the command I'll kind of walk you through how I use mitm6. The use case is as follows: we've shipped our client our small portable computer, they've plugged it into their environment, and we don't know anything about their environment whatsoever. So we'd power on mitm6 without any flags, you know, no -d, no -hw, none of that, just power on mitm6, and we'd start seeing the traffic. It would first of all tell us if IPv6 is being used at all, because this attack might not even work, but secondly it tells us which domains are being communicated with. So once we start convincing clients to request an IP from us, we can figure out where they're communicating to; they're communicating to us like google, facebook, and then we will figure out eventually what their domain name is, and in this case their domain name happens to be internal.corp. So we hit Ctrl-C, we run mitm6 this time with the -d flag for internal.corp, and we'd run again. The reason why we use the -d flag is simply because mitm6 can bring down DNS in an environment; we can make it so it's not possible to reach resources, so be cautious of that. Just like you can with good old-fashioned Layer 2 ARP man-in-the-middle, you can bring down networks; with mitm6 you can bring down networks. So we do our filter for internal.corp, and then after, we'll call it five minutes for sake of discussion, we see that we've assigned the host ICORP-W10 an IPv6 address, so now they're communicating over IPv6, and then shortly thereafter we see that they did a request for wpad.internal.corp and also attacker tech wpad.internal.corp.

So what have we done up to this point? At this point we have a client on the left who's trying to talk to the right, we'll say just WPAD, but because we launched mitm6 we've now interjected ourselves into the communication. So the client is now talking to us because of mitm6, and because we have ntlmrelayx on our machine as well, once that client provides their credentials for, let's say, their WPAD, for their proxy server, we can then forward that off somewhere else. We can forward that off to, like I said earlier, a workstation, and gain access to a workstation that they might have permissions to, or, even more lucrative for us as the pen tester, we can forward that off to an Active Directory server.

Now one of the big things that I like to connect to an AD server for is simply, once you connect, if you're able to authenticate to an AD server just fine, one of the first things that ntlmrelayx will do is it will pull down the users, the groups, the password policy, the domain trusts, all into JSON and HTML files. All that's useful because it kind of gives me a list of who my DAs are, how many users are in the environment, and also the password policy, because if the password policy is 14 characters long I'm not going to try to crack passwords, at least I'm not going to put too much effort into it. I might run them through one or two wordlists that we have already set up, but I'm not going to really spend too much time on it because it's 14 characters long.

Other things we can do is what we see here, for example. So in the first green box we see that we've authenticated to host 10.209.240.5 as user octavio. So octavio at some point has tried to authenticate to asset X, and this machine, because of mitm6, has been redirected to the attacker box, and then from there I've been forwarded to the ntlmrelayx, I'm sorry, to the AD server. And then in the green box we see that there's been a computer account created; that computer account is SORBHUIW$, and the reason why I know it's a computer is because of the dollar sign, it's a denotation in AD for computers. And then we have credentials. The reason why this is possible is that there is a value in Active Directory called MachineAccountQuota, which by default is set to 10, and what that means is that it's possible for any user in the environment to create 10 computer accounts by default. And that also opens up clients to another attack, which is called resource-based constrained delegation, which we won't get into, but it's very, very good and something cool; it's very useful and very fulfilling.

So what we're doing here is we're going to use the credentials that we've just created on our own and we're going to run bloodhound.py. So BloodHound is a tool used for AD mapping, and that same gentleman Dirk-jan also wrote a Python version of BloodHound for use on a Linux machine. So we're using the computer account that we created with the password that we created to now run BloodHound in the environment, and from there we can grab users, groups, once again ACEs or access control entries, domain trusts, local admins information, probably the local admins, but a variety of other information as well, without knowing a single password. At this point we've just played middleman between the normal communication.

So what have we done up to this point? Quick review: we've used mitm6 to get involved in a communication between computer A and a server of some sort. When computer A authenticated to us, we forwarded it off to an LDAP server, so an AD server, using ntlmrelayx. Once we authenticated to that host, to the AD server, we can create a computer account thanks to an AD attribute called MachineAccountQuota, which allows any user to create 10 computer accounts in a domain, and then from there we ran BloodHound. So we've done all this, just to reiterate, without knowing a single password.

So how can this become more advantageous for us? We can also create user accounts. So let's pretend that user octavio is a help desk administrator, which I was in a previous life, so user octavio was able to create user accounts because I had to manage my users in my environment. So user octavio's credentials get captured, they get forwarded to the AD server, and ntlmrelayx says, hey, you know what, this user can create a user account, let's go ahead and create a user account. So that's what we see highlighted in blue, and that's the username right there in green, so we have a brand new user created called, beginning with ckxpfb, four other characters. Even cooler is that because user octavio happens to have some sort of access control entry over the internal.corp domain object, ntlmrelayx is able to grant my user that we just created, the ckx user, GetChangesAll permissions over the internal.corp domain. So what this means is that this user is now able to do a DCSync of all the credentials in the domain for the internal.corp customer.

As far as how often this happens, this isn't very pie in the sky; I've actually had this happen to me twice in the last year, and the first time it happened I was stunned, like I just couldn't believe I went from having no access whatsoever to being able to do a DCSync. And if I didn't explain what a DCSync was, or if I did, I'm sorry for repeating myself, but in short what a DCSync is: let's pretend we have a multi-domain environment, so we have three domain controllers. I change my password on DC1; well, we need a way for DC2 and DC3 to also have those passwords as well. So throughout the day, I'm not sure the exact interval, these servers all talk to each other: DC1 pushes down the ntds.dit file, the database file, to the various DCs, and that way I can authenticate to server one, two or three. Well, what also can happen is I can run a tool called secretsdump, and with secretsdump I can say, hey DC, this computer is also a DC and I would like to pull down, in this screenshot, the credentials for octavio_dadm, using once again the credential that we created. And then if we look at the three lines right here, we have the credentials stored in three different formats: we have it stored in NTLM or RC4, AES-256 and AES-128, and I'll explain why this matters in a few slides.

So there are some rules to relaying to LDAP. Depending on what language or what protocol your AD server speaks determines what functionality or what commands you can try to execute. So what I mean by that is, if you have an LDAPS server, an AD server who has LDAPS configured, meaning it has a certificate and talks over SSL, you can add a domain computer, and you can create a domain user and give DCSync rights. So in both screenshots, both of these past examples, if you would have noticed, it's always been LDAPS of some sort. Now if LDAPS doesn't exist on the instance you're trying to talk to, I would recommend you find a different instance; but if you can't, because there's only one DC for whatever reason, or they all talk only in clear text, your options are now limited to only escalating the permissions of another user, of an existing user, pardon me. And if you take a step back, this is all pure luck: the fact that I was able to get DA from ntlmrelayx was pure luck, in that I was able to capture the credentials for a DA while I was on their same subnet. So when you're stuck talking only on the LDAP protocol, there's an extra layer of risk, of chance we'll call it: you have to not only have compromised a user account beforehand, but you also still need to capture those DA's creds to be able to escalate that user to DA. So a little more work, but once again, if it pays off, that's phenomenal.

So, review of this: mitm6 for redirection, ntlmrelayx to an LDAPS server, a user was created that has DCSync privileges.
So how can you defend against NTLM relay? So first of all, when I say NTLM, NTLM is not tied to SMB, as those two examples hopefully would have conveyed. NTLM is an SSP, which stands for security service provider, give or take; it might be wrong, but the first word and the last word are definitely right. So what this means is that the environment is using NTLM for authentication. You can have Kerberos, you can have a CAC card, you could use two other options which I'm familiar with, but basically the authentication scheme used by this domain happens to be NTLM. So you can attempt to use NTLM to authenticate to the SMB protocol, and you can use NTLM to authenticate to the LDAP protocol. So there's a feature for both protocols called signing: SMB signing and LDAP signing. And when SMB signing, and I presume LDAP signing, is enabled, there is basically a unique MIC field, which is that very last line with the red highlight. This MIC, which is a message integrity code value, is derived based on the communication between the client and the server, so we'll say between Daniel and the AD server, and the AD server is going to use the unique challenge key, which should only occur for that one client, as well as Daniel's unique, I forget what it is, but basically the result is a unique MIC value. So if I was to interject myself between Daniel and the AD server and try to forward that somewhere else, that other server is going to say, hey, wait a minute, this MIC doesn't correspond to something that we've talked about, so I'm going to drop it. This has been for SMB signing.

And just another side story: we did a pen test for, TGS did a pen test back in August of last year, where this environment had SMB signing on every single machine but one, and the moment we found that, guess what, one machine we went after, because once we got onto that system we were able to dump credentials, we were able to move laterally onto other machines which had SMB signing configured. LDAP signing and LDAP channel binding are the security features that Microsoft has rolled out to basically prevent NTLM relaying to LDAP servers.

So stepping away from NTLM relaying, I will say for full disclosure Responder can do NTLM relaying; I'm just not covering it for this example because I have a particular example I want to talk about. So Responder is also a redirection tool. Responder will take advantage of weak Layer 2 protocols such as NetBIOS Name Service, LLMNR and mDNS to encourage users to talk to our computer. So I skipped over it, but if you recall on the "who am I" slide, if you noticed the big dog, that's my 135-pound dog, Berner Milo. So what's happening here is someone is looking for a file share called milotheberner. milotheberner doesn't exist, so the computer is going to try to resolve that computer name, first by browsing through AD or its local cache, hosts file, pardon me, then looking through AD, and then it's going to shout on the network: hey, does anyone know where milotheberner is? And it's going to resolve, it's configured, it's going to use those weak Layer 2 protocols, so LLMNR or NetBIOS Name Service, and our Responder server is going to say, yes, I know exactly where milotheberner is, come with me, I am it, please authenticate to me. So what you see in that top window is, you see in green, LLMNR poisoned answer sent to host 10.232.80.31 for name milotheberner. That host, .31, has authenticated to our computer using NTLMv1; a couple minutes later, a couple hours later, whatever time frame, that same user authenticated to our system as NTLMv2. So we have cmiller's credential both as NTLMv1 and NTLMv2.
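Going back to the signing point above: the MIC and the session signature are keyed from a secret only the client and the domain controller hold, which is why a relay that merely forwards the challenge and response cannot sign its own requests. This added example (not from the talk, and not the real NTLM/SMB implementation) models that in a few lines: HMAC-SHA256 stands in for the real MD4/HMAC-MD5 constructions, the party names and the `cmiller` password are constructed, and `signing_required` plays the role of the SMB/LDAP signing setting. The same authentication succeeds in both runs; only the follow-up command differs.

```python
"""Toy model of NTLM session signing versus a relay (added example, not from the talk)."""
import hashlib
import hmac
import os


def secret_hash(password: str) -> bytes:
    """Stand-in for the NT hash (the real one is MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """What the client sends back; a relay can copy this but cannot compute it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def derive_session_key(secret: bytes, response: bytes) -> bytes:
    """Only holders of the secret (client and DC) can derive the signing key."""
    return hmac.new(secret, b"session" + response, hashlib.sha256).digest()


def sign(key: bytes, seq: int, payload: bytes) -> bytes:
    """Per-message signature: sequence number binds each message to its position."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


class DomainController:
    """Holds every user's secret; servers ask it to validate responses."""

    def __init__(self, users: dict):
        self.users = users

    def validate(self, user: str, challenge: bytes, response: bytes):
        secret = self.users.get(user)
        if secret is None or not hmac.compare_digest(challenge_response(secret, challenge), response):
            return None
        return derive_session_key(secret, response)  # handed to the server, never to the client's peer


class Server:
    """A file/LDAP-style server; signing_required mirrors the SMB/LDAP signing setting."""

    def __init__(self, dc: DomainController, signing_required: bool):
        self.dc = dc
        self.signing_required = signing_required
        self.sessions = {}  # session id -> [session key, expected sequence number]

    def new_challenge(self) -> bytes:
        return os.urandom(8)

    def authenticate(self, user: str, challenge: bytes, response: bytes):
        key = self.dc.validate(user, challenge, response)
        if key is None:
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = [key, 0]
        return sid

    def execute(self, sid: str, payload: bytes, signature) -> bool:
        """Accept the command only if signing is off or the signature verifies."""
        key, seq = self.sessions[sid]
        if self.signing_required:
            if signature is None or not hmac.compare_digest(sign(key, seq, payload), signature):
                return False
        self.sessions[sid][1] = seq + 1
        return True


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.secret = secret_hash(password)

    def respond(self, challenge: bytes):
        response = challenge_response(self.secret, challenge)
        return response, derive_session_key(self.secret, response)


def legitimate_session(signing_required: bool) -> bool:
    """Client talks straight to the server and signs its own command."""
    dc = DomainController({"cmiller": secret_hash("Summer2021!")})  # constructed credential
    server = Server(dc, signing_required)
    client = Client("cmiller", "Summer2021!")
    challenge = server.new_challenge()
    response, key = client.respond(challenge)
    sid = server.authenticate(client.user, challenge, response)
    payload = b"READ \\\\files\\share"
    return server.execute(sid, payload, sign(key, 0, payload))


def relayed_session(signing_required: bool) -> bool:
    """Relay forwards challenge/response between victim and target, then issues its own command."""
    dc = DomainController({"cmiller": secret_hash("Summer2021!")})
    server = Server(dc, signing_required)
    client = Client("cmiller", "Summer2021!")
    challenge = server.new_challenge()                 # 1. relay fetches the target's challenge
    response, _client_key = client.respond(challenge)  # 2. victim answers it; relay never sees the key
    sid = server.authenticate(client.user, challenge, response)  # 3. relay is now "cmiller" on the target
    payload = b"WRITE \\\\files\\share\\payload"
    forged = sign(os.urandom(32), 0, payload) if signing_required else None  # 4. best it can do: guess
    return server.execute(sid, payload, forged)
```

Step 3 succeeds whether or not signing is required, which matches the talk's point that the capture and the authentication themselves are not what signing stops; it is the first signed request afterwards that the relay cannot produce.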
So what does that mean to us? That means that I can crack either hash I choose, so I would choose to crack the NTLMv1 hash over v2 because of the speed difference. So in this example, in both screenshots, I obviously know the password for cmiller, so I created a hashcat mask, which is what you see right here. So it begins with a digit, no, I forget what it stands for, but I create the mask for that user and then I try to brute force that entire range, and you see that I was able to crack cmiller's password in 32 minutes and 56 seconds. The NTLMv2 version of that password took me 7 hours and 43 minutes, and the speed of the cracks are right here: 61 million hashes and 4 million hashes.

Now a really cool thing that I stumbled across: so, I guess, a little context, pardon me. I gave a talk at a DoD conference, AvengerCon, sometime early last year, and it was on ntlmrelayx, so I had done some research on this. And I was on a pen test and I was running Responder and I noticed this come across the wire: dollar sign. So computer name, we'll call it high value zero one, HV01$, authenticated to my machine using NTLMv2 and NTLMv1, and then host DC01$ authenticated to my machine using NTLMv1 as well. So if I can crack this password, what that means is I have a computer account, and domain controllers, by default the domain controller computer account has the ability to run DCSync. So if I can crack this password I have DA. The problem with cracking the computer accounts is that they can be massive in length; for some reason I had 30 characters in my mind, but a more modern version of Windows uses, I believe, 120 or 200 character passwords in length, so you're never going to guess it, unless you use another service. There is a service out there called crack.sh, which in essence started off being funded by the EFF to be a DES cracker, but basically they have a massive rainbow table. They can do brute forcing, but they have a massive rainbow table where, if you can retrieve the NTLM hash with a certain challenge key, which I'll explain in a couple seconds, they have brute forced the entire 2^56 DES keyspace, which means that they can crack NTLMv1 hashes in 25 seconds 99.5 percent of the time. Excuse me, if you don't provide this challenge key, this challenge code, they can still brute force it for you, but number one it's going to be slower and number two there's going to be a cost. So crack.sh cracked this password for free for me. So what I had to do was go back to responder.conf, I'm sorry, go back to Responder and open up responder.conf, and I changed the challenge key, which is right here, from whatever random value it was set to, to 1122334455667788, just like the crack.sh guy had said, and lo and behold, there's my key, there's the challenge key, pardon me. And this challenge key, in the NTLM protocol, when you try to travel or talk over a network, is going to be unique; that's why, if you have run Responder before, you'll notice that you'll receive multiple passwords for the same user, because as far as Responder is concerned each of them is a unique password, but in reality it's the exact same password hashed with a different challenge code.

So here, not my forte, but we'll cover it the best I can: here we're using the script, it's all explained to you via crack.sh's guide, but we're converting from an NTLMv1 hash to an NT hash, and that very last line is what you're going to do a direct copy and paste of, NTHASH and everything; you're going to copy that into crack.sh and then you're going to hope it works. So I submitted it, and 31 seconds later after I hit submit, after my job started processing, its password cracked. Now the problem that came in this was that I simply didn't know what to do with this key. So the token was what I submitted to crack.sh; the key is what was brought back to me. So I assumed, incorrectly, that this key was the unencrypted password hash, I'm sorry, the unencrypted password for the hash I provided. I was incorrect.
So I tried and tried and tried for a while; it didn't work out. So I figured I would take a step back, and in my lab environment I configured a computer to use NTLMv1, I captured its hash, I submitted it, I followed the exact same steps, and then I tried that, and then I realized that the key was not the password; the key happens to be the NT hash of the token I submitted. So when I did that I was able to get, I'm sorry, I was able to log into my machine, and then I went back to the client environment, tried a secretsdump using the DC computer account and the NT hash that I got from crack.sh, and once again I was able to do a DCSync and then shortly get to my admin.

Now, where have I gone wrong? So ATA is a phenomenal product. ATA is now Microsoft Defender for Identity, but Microsoft has seen the trend of security folks going towards attacking AD; ATA is pretty much just set to monitor AD. So here are the three ways that I've been caught by Defender for Identity. Number one, I mentioned earlier, when you do a secretsdump for a user there's three kinds of hashes provided back to us: there's NTLM or RC4, AES-128, which is this bottom line, and AES-256. AD environments these days only use AES-256, so if you choose to use the NTLM credential and ATA is being used, it's going to trigger a flag.
Other ways Defender for Identity has caught me is when you do a DCSync. If the product is tuned, most organizations know what domain controllers they have, so they know that these things should only occur between those, let's say, five domain controllers; the moment the sixth computer tries to do a DCSync, it's going to trigger an alert. That's why, when you do a DCSync, depending on the client's reactions, you may want to do just krbtgt, or you may want to do a user account, a service account that won't be easily modified, so it kind of buys you enough time to persist in their network in case they go changing passwords.

And then the third way ATA has popped me is I created a golden ticket, and I did not, Mimikatz by default creates a ticket that will last for 10 years. No Kerberos ticket is supposed to last that long; I believe most tickets renew between 8 and 12 hours, and they expire after a few days, after which we re-authenticate. So my renewal time was not, we'll call it 10 hours, 8 hours; it was a little bit more. That was my fault when I created the ticket using Mimikatz. When my ticket went to expire, ATA said, hey, wait a minute, this Kerberos ticket is not proper, we have an error here.

So how do you avoid using NTLM, or the RC4 flag, which would be the RC4 hash, which is the first hash from the previous screen? You use AES-256 with Mimikatz when you're creating your pass-the-hash or you're creating your PTT token; you use the enctype flag for AES-256 for Rubeus; and then if you're working from a Linux machine you can use asktgt. asktgt is part of the Impacket suite, as is secretsdump, as is ntlmrelayx. So you can tell your machine to get a TGT from the domain controller, and then once you do that, you can use the AES-256 key to do that, and that way you don't have to worry about authenticating to multiple machines using the incorrect password, incorrect hash. So one cool thing, once you authenticate with asktgt, is now you don't have to use a password anymore; you have a Kerberos ticket. And it makes sense, because that's how TGT works: when you authenticate into your AD environment you are assigned a TGT, and then from that ticket-granting ticket you're able to request other tickets, so you're able to request TGS, pardon me, ticket-granting service. So when I want to authenticate to Steve's file share, I will get an SMB service ticket for Steve's machine; when I want to authenticate via PowerShell to Patrick's PowerShell service, I will get a HOST type ticket to his machine. So the same thing is happening here: we have our TGT because we did it in our previous screen, and now we're getting, probably an SMB, because it's a PsExec login, an SMB type TGS to authenticate onto that machine.

So, talking about little nuances that make my life a little bit easier with Responder. So Responder you run in a terminal window, and you might leave Responder running your whole entire engagement, which means it's pretty brutal to scroll up. But that's what I did for a long time: for a long time I scrolled up in Responder in my terminal window, and God forbid my machine would crash at some point or my terminal window would close and I would lose everything. Then I became aware, probably by pure chance, that there was a logs folder inside Responder. So once you do that, you have all the traffic that's created, handy to catch, in log files. So here we have the Responder session log, the Analyzer session log, but we also have the credentials for host 160.91.219.201, for example, and another host.
another cool little script is a dump hash which is part of responder which is what you see in the second screenshot right here in the bottom and dump hash is an easy way to retrieve a list of all the hashes you've caught so bloodhound i alluded to it earlier but bloodhound is an active directory mapping tool written by uh andy and rohan so they go by waldo and captain jesus on on twitter and and the slack channel so one one cool trend that i've seen is that sometimes these these talks these tools get released in um security conferences so bloodhound or i'm sorry derby connor i think it was derby con but it might have
been DEF CON, but they're kind of tied to the offensive world because they get released at these conferences. But it couldn't be further from the truth. BloodHound is a phenomenal tool, and I've actually seen more and more clients starting to use BloodHound for defensive purposes, to the point where, if you're involved in the government space, Executive Directive 21-02 came out earlier this year and actually said, "Hey, go ahead and run BloodHound to evaluate the configurations of your Exchange service." Now BloodHound cannot tell you, it won't run a STIG check, it won't do any kind of evaluation of the security settings of your Exchange server, but what it can do is it
can tell you, "Hey, your Exchange servers are DAs." So if your Exchange server gets compromised, pardon me, and they're logged into the machine and their account gets compromised, your whole entire domain infrastructure is now compromised. And they also went and said, "Hey, no admin of your on-premises Exchange servers should have access to your Azure OWA web interfaces." So BloodHound is really trying to be used by both sides, so the fact that they came out with an Enterprise version sometime this year, that way you can do
continuous monitoring of your environment using their tool. So the only things I really want to talk about with BloodHound are a few Cypher queries and how to create your own data set. So there's a tool called DBCreator, which is part of BloodHound-Tools, which allows you to create a totally non-customer-tied database for use with BloodHound. So this is great for when you're doing presentations, or great when you're just trying to learn how to use the tool, because I can almost assure you that if you're doing an interview for a pen tester or red team job you will get asked about BloodHound.
So the key thing about this tool set is that you have to use python3.7, and the reason why I say that is when I was trying to do my screenshots for this presentation a few nights ago I was not using python3.7; I was using python3.6, I got lazy and just typed python3, and the tool was not working for me. So I went ahead and typed python3.7, ran the DBCreator tool, and everything worked like it should have. I've also had problems on other attempts, so what I've had good luck doing is simply modifying some of the default values. So there's a value you can use to set the domain, which is setdomain, so I set mine to
BSides NoVA; setnodes, how many computers you want to have in your environment, how many users you want in your environment, I changed it from 500 to 1000; I type generate, and then lo and behold it creates a database structure for me for use in BloodHound. What is also cool is that it creates different configurations, so you can try looking for different things. It's pretty hard to read, but the third line from the bottom says "marking some users as kerberoastable." Great, we're gonna use Kerberoasting on almost every pen test. It goes ahead and modifies some access control entries, which are basically ACL terms, ACLs for AD,
so you can go ahead and try looking for different attack paths. So it's a very cool tool to use when you just need something to show to a customer, or to spend some time working on your own with non-actual client data.

So this screenshot is the only screenshot I will show you of the actual BloodHound tool. How it works these days is you use SharpHound to collect data. SharpHound is the executable that will go out and query your AD servers, your computers, and retrieve back a bunch of JSON files that you can import into BloodHound. Oddly enough, SharpHound is now considered a virus by
Defender. So you go ahead and you import your JSON files into BloodHound and you can start navigating the GUI. So what I want to show you here is what I tried to do: I tried to create a graph of all the users in the Domain Users at BSides NoVA group. There's a thousand users in this group, so BloodHound says, "Hey, are you sure you want to go ahead and do this? Not only will it take a long time to run, but the graph is going to be pretty useless, because it's going to be minuscule and it's going to be really hard to tell what's going on." So, excuse me,
so what you can do is, instead of connecting with the BloodHound client, you connect to the Neo4j server, which is the backend database for BloodHound, and you connect to port 7474 via HTTP. Once you authenticate you can run raw Cypher queries in the web interface, and you can return data in text format, minus the GUI. So here we're running the equivalent of what I tried to do in the GUI. What I'm saying is: assign all the users to a variable u, all the groups to a variable g, and then where the group name is equal to Domain Users at BSides NoVA,
return u.name, u being equal to the users, and you see that we get like 1001 users back. The cool operator I use quite a bit is type(). So in this case it happens to be type(r), but r is arbitrary, and I'll explain it once again. So we have g for group, so assign all the groups to variable g, and the permission I am looking for happens to be GetChangesAll; set that to r; set the domain as value d; and then return the group names and type(r), r being equal to the relationship, or, I'm sorry, they call it edge type. Edge
type is the correct term. So what we see here is group name Domain Controllers, so Domain Controllers have GetChangesAll permissions. For this example, not really a big deal, but imagine trying to document all the ACEs, all the access control entries, that user Dan has, and Dan has 50 access control entries. Doing it this way via Cypher instead of trying to go into BloodHound and doing everything manually will save you, you know, tens of minutes or an hour every time. So I use type(r) quite a bit. And once again, a quick sales pitch for the BloodHound Slack: they're there to help. You'd be
surprised how much help you can get for your Cypher queries on that channel, so really worth checking it out if you're not there already.

So, other things. Leaving the whole BloodHound and ntlmrelayx talk behind us: how many times have you shipped a computer to a client and realized, "Oh crap, I need to install this Python library," or "I need to install this utility," or "I forgot to run apt update"? I do it a fair amount of times. So what I used to do is simply create a SOCKS proxy. So I would go ahead and log into probably my jump box, which in this
example is ssh1, as oaktree, which is me, and then log in, create a SOCKS proxy on port 9050, and then I will utilize proxychains, the tool proxychains, to take all my apt update traffic and go ahead and forward that through whatever configuration proxychains has, which would be localhost 9050. So it would enter that SOCKS proxy on 9050, get forwarded out to the SSH server host, and then from there it will go out to wherever apt update has to go. You can do it that way, or you can simply modify your apt configuration. So you would add a file called proxy.conf, or whatever file name you want to give
it, to your apt config, and then you would add the bottom bullet to that file, with the server and port matching whatever you need it to be, probably localhost port 9050 if you're sticking to the default, and then now you just do apt update. I find the bottom one a little bit cleaner, but I've only known about it for about a week, maybe two weeks, so I can't say I use it very often.

dnSpy. dnSpy is a really good application for looking at C# DLLs and C# executables, or assemblies. Quick note: if you happen to find yourself on a web application pen test
which is written in C#, or using Blazor for example, you can pull down all their DLLs onto your machine, use dnSpy, and look at the source code being used by the application developer for the web app. It wasn't a huge find, but doing this we were able to find the sanitization that the customer's application we did recently was doing. It didn't take us very far, but we were still able to see their source code. What we see here in the screenshot is simply one of my harmless C# scripts that will go ahead and add a
local user account to a computer and then promote that user to administrator, but this can be done with any executable using dnSpy. So dnSpy: the debugger slash .NET assembly editor, and open source.

Autoruns. Sometimes we get asked to do a pen test to evaluate the security of a gold disk, where we're given a gold disk or a gold image for a client: "Here's what we roll out by default to all our users; what vulnerabilities can you find on a local machine?" There is a tool called Autoruns, which is part of Microsoft's Sysinternals suite, which will go ahead and list out all the auto-start locations of that
machine. So it looks at the Run keys in the registry; it looks at anything Explorer starts up, IE starts up, scheduled tasks, services, WMI, and a few other ones. If you're on the offensive side and you're trying to find ways of persistence, you can use Autoruns to kind of double-check your work, you know: if the SOC finds my work, finds me on a machine, will they be able to use Autoruns to quickly identify how I'm hiding on their machine?

Procmon. If you're ever curious what your machine's doing and you have administrative permissions, Procmon will tell you everything. It will tell you registry keys being used,
files being written, network traffic, I think CPU utilization, and a couple of other things, but it's a pretty chatty program. So what we're seeing here is simply a simple filter that I created for the screenshot, where we're looking for CreateFile, we're looking for any files that have "dll" in the path name, and the result is NAME NOT FOUND. This would be the first step you would take in looking for a DLL hijack. In reality, all these files really aren't DLL hijack opportunities, because Windows has a particular search path that it looks through for files. So these files right here, winmm.dll and I believe even version.dll, are
all Windows files which are going to exist in C:\Windows\System32. So if you go ahead and put your winmm in the Google Chrome application folder, it's not going to find it, because it's already resolved somewhere else because of the search path. But this is kind of the first step to doing a DLL hijack.

Process Hacker. Process Hacker is simply a simple tool to monitor processes running on your machine. What I'm showing here for the screenshot is, because I was on a pen test and I was getting caught by AMSI, I forgot that C# also has AMSI support nowadays, so not only do you have to worry about
your PowerShell code but also your C# code, kind of why developers are going back to C++ and C. So I was talking to Jimmy, Jim was giving me a hand, and he was like, "Hey, does the process you're trying to inject into have AMSI loaded? Fire up Process Hacker," and lo and behold it did, so that's why I was being caught.

Mimikatz AV evasion. This is more of a sales pitch. This is a video from IppSec on YouTube; he puts out the Hack The Box videos. This was great for me because I can't tell you how many years I spent trying
and wishing I could make a version of Mimikatz that could bypass Defender. I always thought it was as simple as Ctrl+F, replace "mimikatz" with "kittycats" or whatever code you wanted, hit Enter and hit go, but it was a little more involved than that. But what I've learned from that video I've been able to use quite often for other tool sets. It will help you bypass Defender; it will probably get caught by every other product, whatever you create, but that's usually enough for me.

So NET obfuscate. We're trying to obfuscate C# assemblies, so once again we're trying to bypass
Defender. We also do training lab environments, so we were trying to do a ransomware demonstration, but our ransomware assembly kept getting caught by Defender because we used "Ryuk", I think the string was, and we couldn't modify it, so we couldn't bypass Defender, and we couldn't disable Defender because of real-time tamper protection. So we ended up just simply using NET obfuscate, which is an open source tool, to obfuscate our assembly, and that was enough to get us to bypass Defender. And then a quick comparison: I ran NET obfuscate on the C# assembly I wrote for adding a user. You can see on the left the
original, on the right is the obfuscated one. Really this code base is pretty simple, but what you see is it used a lot of Base64 to try to obfuscate my code a bit. Now, I wasn't trying to knock on Defender; the reason why I say we can bypass Defender is because there are tool sets out there which allow you to test directly against Defender's rule base. So here's a tool called DefenderCheck, once again available on GitHub, which you can run your binary against and see where it flags. So in this case I went ahead and ran DefenderCheck against mimikatz.exe and it tells you exactly the byte offset
where it's being caught. So from here you can refer back to IppSec's video and see what he recommends you do, which is basically break down your binary into smaller chunks around that byte offset, find that code, figure out what code is triggering it, go to Visual Studio or Visual Studio Code or whatever you use to edit your code, modify it there, recompile, run against DefenderCheck once again, and kind of rinse and repeat until you bypass whatever product you're trying to get past. And sorry to rush through the very last couple of slides; I told Daniel I'd be done in 15 minutes and I'm here at 55.
Contact information. Love to stay in touch, even though it's all virtual and I couldn't see any of your faces. Feel free to email me if you have any questions at all where I could be of help. There is my work email. On Twitter I am oaktree__. I am on Hack the Planet, as well as our entire TGS team, I'm on there as oaktree, and BloodHound Slack as oaktree. And that's it. Are there any questions that I can answer?

All right, thanks Octavio, that was really great. We do have a couple of questions that came up in the chat. One of them is: is there a consolidated list
of some of these tools that you can reference?

No, but if you give me maybe until Monday, I can put something on my GitHub page and tweet it out.

Excellent. And for another question: once you leverage AD to create a machine account, is it more advantageous to do Kerberoasting or ticket attacks, since a lot of these defensive tools you mentioned are flagging the AS-REP roast from non-machine entities?

Kerberoasting will also get you caught too. If you go ahead and query your entire domain blindly for any accounts that have an SPN, ATA will capture you there as well.
Got it. And is Cobalt Strike still your C2 of choice?

Yeah, it is.

Excellent. Do you use a particular pen testing distribution like Kali Linux, or are you starting with something and building on top of it from vanilla?

No, I use Kali a lot, but I'm not afraid to just use Ubuntu. Yeah, I mean, you really can get by with such a minimal tool set; if you can do proxy tunnels using the -D flag you can really get whatever tool that you need. But usually your answer is Kali or Ubuntu, but primarily Kali.

Got it. And in your testing,
what are some of the most effective defenses that kind of shut you down right at the beginning that you've seen, either tools or configurations, aside from some of the stuff you went over?

I mean, SMB signing. You want to stop someone blindly going into your environment: SMB signing; making sure NFS shares and SMB shares are limited to particular users, or, I'm sorry, limited to users or particular computers. Usually the two ways that we get onto a machine would be SMB shares, so we find credentials there or we put our code onto
there for execution, or SMB via NTLM relay, for SMB signing.

Our last question is: with the big migration of companies to AWS or Azure AD, do you see that impacting any of these techniques or needing you to use new techniques for those environments?

There's already been a migration of these tools for AWS. There's Dirk-jan, the guy I mentioned at least three or four times in this talk, has some new tools that are coming out. The folks over at NetSPI are doing some research on Azure attacks. There are books available for both Azure and AWS, and BloodHound does have AWS integration, sorry, Azure integration as well. So
while there is obviously the move to cloud-based, so is this tooling. There is Sentinel; I've heard mention of Sentinel in Azure being quite the challenge to go against, so that's, I guess, something I have to be aware of.

Got it. All right, I think that's it for the questions, Octavio, so we really appreciate you coming here and talking to us today.

Thank you, thank you, thank you. Bye everyone.
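The golden-ticket anecdote in the talk (ATA flagging a ticket whose lifetime was nowhere near the domain's policy, and RC4 being used where AES256 was expected) describes the check a defender can run over their own ticket data. The following is an added example written for this page, not code from the talk or from any of the tools it covers. It assumes the Windows default Kerberos policy (10-hour maximum ticket lifetime, 7-day maximum renewal), a pipe-separated ticket export that is constructed here as sample input, and the weak encryption type names listed in the code; real tooling would take klist output or domain controller event logs instead.

```python
"""Kerberos ticket lifetime and encryption-type sanity check (added example).

Flags tickets whose lifetime or renewal window exceeds the domain's Kerberos
policy (a Mimikatz-default golden ticket is valid for 10 years) and tickets
that use RC4/DES where AES is expected. Input records are constructed sample
data in the form: client|service|start|end|renew_until|etype
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumption: the domain uses the Windows default Kerberos policy.
MAX_TICKET_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)
# Encryption types that should not appear once AES is enabled (assumed list).
WEAK_ETYPES = {"RC4-HMAC", "RC4-HMAC-NT", "DES-CBC-MD5", "DES-CBC-CRC"}


@dataclass
class Ticket:
    client: str
    service: str
    start: datetime
    end: datetime
    renew_until: datetime
    etype: str

    @property
    def lifetime(self) -> timedelta:
        return self.end - self.start

    @property
    def renew_window(self) -> timedelta:
        return self.renew_until - self.start


def parse_ticket(line: str) -> Ticket:
    """Parse one constructed record: client|service|start|end|renew_until|etype."""
    client, service, start, end, renew, etype = [f.strip() for f in line.split("|")]
    return Ticket(client, service,
                  datetime.fromisoformat(start),
                  datetime.fromisoformat(end),
                  datetime.fromisoformat(renew),
                  etype)


def check_ticket(t: Ticket) -> List[str]:
    """Return the policy violations for one ticket (empty list if it is clean)."""
    findings = []
    if t.lifetime > MAX_TICKET_LIFETIME:
        findings.append(f"lifetime {t.lifetime} exceeds policy max {MAX_TICKET_LIFETIME}")
    if t.renew_window > MAX_RENEW_LIFETIME:
        findings.append(f"renewable until {t.renew_until.date()} exceeds policy max {MAX_RENEW_LIFETIME}")
    if t.etype.upper() in WEAK_ETYPES:
        findings.append(f"weak encryption type {t.etype} (expected AES)")
    return findings


def audit_tickets(lines) -> List[Tuple[str, str, List[str]]]:
    """Audit many records; returns (client, service, findings) for flagged tickets only."""
    results = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        t = parse_ticket(line)
        findings = check_ticket(t)
        if findings:
            results.append((t.client, t.service, findings))
    return results


# Constructed sample export (not real data). The second record mirrors the
# Mimikatz default golden ticket: RC4 etype and a 10-year validity window.
SAMPLE_EXPORT = """
# client|service|start|end|renew_until|etype
alice@CORP.EXAMPLE|krbtgt/CORP.EXAMPLE@CORP.EXAMPLE|2021-06-01T08:00:00|2021-06-01T18:00:00|2021-06-08T08:00:00|AES256-CTS-HMAC-SHA1-96
administrator@CORP.EXAMPLE|krbtgt/CORP.EXAMPLE@CORP.EXAMPLE|2021-06-01T08:00:00|2031-05-30T08:00:00|2031-05-30T08:00:00|RC4-HMAC
svc-backup@CORP.EXAMPLE|cifs/fs01.corp.example@CORP.EXAMPLE|2021-06-01T09:00:00|2021-06-01T19:00:00|2021-06-08T09:00:00|RC4-HMAC
""".strip().splitlines()

if __name__ == "__main__":
    for client, service, findings in audit_tickets(SAMPLE_EXPORT):
        print(f"{client} -> {service}")
        for finding in findings:
            print(f"    {finding}")
```

The lifetime comparison is deliberately strict-greater-than, so a ticket issued exactly at the policy maximum is not flagged; the third sample record shows that a ticket can be within lifetime policy and still be worth a look because of its encryption type, which is the separate RC4-versus-AES256 point the talk makes.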