
Okay, here's the microphone. So they got me to talk on something that I do find very near and dear to my heart: we are assuming compromise. If you didn't hear this, I work in higher education. Security is interesting there, shall we say. This is not unique to higher education, but when someone high enough up the food chain complains, policy is going to be circumvented. More so in higher education, we have to worry about the threat of an insider attack, a rogue insider attacker; a company has to too. So I'm already in that mentality. Hopefully you guys will all be in that mentality, or more so, if you weren't already. I'm gonna let Mike take it away.
It's hard to see.

Before I start, though, I want to shout out to our sponsors, because they made this possible so we could be here. So shout them out on Twitter, stop by the booth, say hello. About me: I'm with Red Siege Information Security. I've been in IT for over 20 years now, networking, operations. When I'm not doing computer security stuff I'm probably kayaking. Why am I talking to you about assumed breach testing? I think, like a lot of people, the current model for pentesting is growing. What do we do?
At Red Siege we use two primary models for assumed breach tests. The first one is the executor: that's the user who clicked on a link, typed in their credentials, or fell for a pretext. That's what we mean by assumed breach. The other model that we test is the malicious insider: that's someone who has turned against their employer.
So we can demonstrate the actual risk. That user gets a representative user account, meaning if we're testing what happens when an accounting user gets phished, I should have a user in the accounting groups, with access to the accounting shared file servers, application servers, and that software. And from that point on we do all of our operations over the phish, and/or trying to get into the VPN or Office 365 if we're able to get user credentials that would allow that.
The one consideration is: do we spend time on bypassing AV and EDR? What I mean is, should the client be whitelisting our payload so that it executes on the workstation, or should they not? I think most of us can agree that, given time, just about any AV or EDR can be bypassed. You can tell that to the client, and they may want us to try to do that. But the other question to ask is: we assume users can be compromised, and eventually they will be, so maybe not.
Then there's the other model, the malicious insider. For this we test either on site or we VPN into the network, already on that workstation. We use whatever that user would have, PowerShell or something; we're not having them execute a phish. Same considerations for the workstation user.

Our test: we published a blog that was right off of an engagement done for a customer, and it was designed to emulate how they would operate. So they laid it out: the phish, you got credentials, you get into remote access, we did some reconnaissance, eventually did some targeted Kerberoasting, which got an elevation of privilege and high-value targets. And that's what we're trying to do when we do our test.
So to do this, attackers have the luxury of going in with domain fronting. Essentially, domain fronting is routing our traffic through another domain, and you see this in content distribution networks. So we need to find ways to make our traffic blend in, at least from your hosts' perspective. So there are ... those are a perfect choice; they're less likely to attract attention. A lot of clients come from those domains, so what you should do is figure out what technology the client uses; there's just no ... there.
And it goes out in the US, and that's where ... And what we're doing is, if I'm fronting through something, I need that website, whatever the response, and then I can craft it. I see two requests and responses like those; a trained incident responder looking at that will spot it, but if they're just in a hurry, anyone may not.
Now we've got HTA. An HTA has strengths; however, the problem with using an HTA is that most AVs detect it. So you can generate shellcode; Cobalt Strike can even generate an HTA. An HTA is an HTML application; it's basically an application built into a Microsoft standard. You can also use the Invoke-Obfuscation script to further obfuscate your .ps1, and you can use these to generate an HTA from your obfuscated payload. And then there's something called Demiguise, which is really cool because it encrypts your payload in transit, and it's an encrypted payload until it hits the user's workstation, where JavaScript checks ...; if those match, then it will decrypt the payload. So macros are still ..., and ClickOnce executables; Red Siege has a blog on that, and for those who can't ..., I will ...
Once we're in a network, we start doing password spraying. You can do targeted password spraying and pillage at Office 365, ..., or a domain password spray, but the caveat is: use net accounts to see how close the user is to being locked out. There, what we're doing is spraying so we can find other accounts and maybe harvest information out of OWA.
So, Kerberoasting. Is anyone familiar with Kerberoasting? A few people. Tim Medin, inventor of Kerberoasting, spoke earlier today. If you want to know how it works, talk to Tim; for me it's magical, yeah.
The problem is that normal Kerberos traffic is a user requesting a service; they don't request all of them at once. And if you use PowerView or other tools like that to request all the SPNs, you're generating a lot of noise that says "hey, I'm here". Microsoft ATA looks for that pattern. If you're correlating on the Kerberos events, if you're correlating on that, you can alert if you see more than a couple of requests from a single user in a short time. So what was talked about was this low and slow approach to it, targeted Kerberoasting. harmj0y has a blog on that, where you look for users that are in a group with the name admin, for instance, or SQL, and then request only one SPN at a time, or do it programmatically and build in a random delay of, say, maybe 60 seconds, 90 seconds, so you're only requesting one at a time and it never looks sloppy.
Why not BloodHound? BloodHound is great for finding all kinds of information and figuring out how to get from here to there, but it is a lot of requests, and if you have something like Microsoft ATA it will light up. Not all systems can detect this, but it's a bad thing to try if you are going for stealth.
My preferred way is looking for credentials in AD, in Active Directory, with AD Explorer. AD Explorer is a Sysinternals tool; it allows you to essentially see the structure of Active Directory, and you can take a snapshot and download it offline. Black Hills has a good blog on using that and the information you can get from it. But what we're looking for are certain fields within users, like the user description, the user comment field, the unixUserPassword, the msSFU30Password; sometimes those contain credentials. I can't tell you why, but in some organizations they think it's a good idea: their helpdesk has a lot of "we changed the password for this service account to blah", and it's in the description field. So you can find passwords; very easy to do, a low-tech way with AD Explorer for hunting creds.

GPP passwords. Microsoft made this patch five years ago, but there's still a lot of legacy scripts. Group Policy Preferences are essentially an XML configuration file that gets executed on a workstation when a user logs into a computer, and a lot of times, historically, these were used to push a local username/password; that would set the password on the local workstation. It's also used for printers. So if you can find the GPP file: Microsoft, fortunately, published the AES key for us, so you don't even have to worry about it. Tools like PowerSploit's Get-GPPPassword will search the SYSVOL and find them, and if they're out there they're very likely still valid today. You can also look for cached files on the workstation with PowerSploit's Get-CachedGPPPassword function. So both of those are very easy to find.
This is my absolute all-time favorite technique. It's really high tech: it involves a file share. Real hackers do it too; they don't want to burn their tradecraft, right? They want to use the lowest effort, and this is it. It's absolutely silly the number of times that I have gotten domain admin or some type of privileged access because of an unencrypted file on a file share that should have been restricted more. You know, finding the previous pentest reports where they did a password cracking exercise: here's a spreadsheet of all the passwords. The users' passwords were probably changed, but none of the service account passwords had changed, and I had 12 domain admins once.

It happens, it's still out there, and you should absolutely be looking for it. It's a very stealthy way to find privileged information without giving yourself up. PowerView's Invoke-ShareFinder has the -CheckShareAccess flag, and the CheckShareAccess flag actually checks to see: do you have access? It'll search all over the domain for file shares you have access to, and then ... Very few companies have a good file structure, so anyone who's been around for a while has these legacy folders where people are storing their ... There's a good blog with that. Then there's Invoke-FileFinder, which allows you to do a targeted file search for a file that has "password" in the name, for instance, or if you're looking for PII.
So, bring your own PowerShell environment. There's a tool called PowerLine, and what it is is a self-contained unmanaged PowerShell. You give it a configuration file that says these are all the PowerShell scripts I want to use: I want to use Invoke-Mimikatz, PowerUp, PowerView. When you build PowerLine, the resulting executable is a self-contained PowerShell environment with those scripts embedded in it. This is useful if you're doing, like, the malicious insider. The toolkit does ... it's going to be detected sometimes; they need ... But if you can get around AV, it's a really good way to run PowerShell, especially in environments that have PowerShell logging dialed up to 11, because they won't see this.
All right, I'm getting short on time, so some of the pros and cons with assumed breach testing. On the pro side, we can model what we're doing after real advanced threat actors. You can study various APT groups and say this is exactly how they ran their campaigns, and as a result our clients get a better understanding of their strengths and weaknesses against what advanced threat actors, and even not so advanced ones that operate in this fashion, have done. They now understand where those gaps are. It's a different kind of test than a pentest, right? The internal pentest is running nmap and launching exploits; this tests different things and helps them understand their strengths and weaknesses. On the downside, this is not a pentest, so if there is a glaring vulnerability that is not patched that would allow you to shell all the systems in the organization, it's not a traditional test; we're not doing that.
The other downside to it is you can get clients that want to play games. If you've been in it long enough, you get that client that, yes, they want to check a box, but they don't want you to find anything. So they do everything possible, like giving you a non-standard workstation which doesn't have any of the standard workstation software or privileges. That happens more often than not: they give you a box and they don't understand why. So work with your clients to really help them understand why you need a machine that's configured that way, with that account configured just like a regular account, because you're helping them. That's our job. Tim's talk today was like: our job isn't "that's all we did, you suck". Our job is to make companies, make our clients, better, harder, more resilient and better able to respond. So I think this is a better way to keep our clients up to speed with current threats. I think, though, if they've never done a VA, if they don't have anything in place, this isn't the kind of test for them. Sometimes they need to get things in place; if they don't have any logging and monitoring and alerting in place, this test is going to tell them that we owned you and you didn't see anything, and that's all we're going to give them other than "this is broken". If they have some level of maturity, though, we can really help figure out where they have gaps and where they're strong as well, and help them build their program. So, are there questions? If you want the slides, they're at Red Siege /medium, and feel free to reach out to me. I will be tweeting about ... from my ... Twitter account, and from the Red Siege InfoSec one as well. All the Red Siege stuff: that's where you'll find out about our new blogs and the ... that we're doing. And I'll just show you this next slide.
Thank you to our awesome staff and volunteers that made this possible. If you have feedback for me, ...
With that, any questions? Yes. [Question about environment segmentation: production versus non-production is sort of logical, but do they help visualize that they need to treat all the data the way they do production?] If we can access production data in a less ... non-production environment, we will show that: redacted screenshots like "hey, here's your HR database, here's your customers' account information, their banking information, that we got into because you don't ... this level ..." We try to get into production.

[So that's how you demonstrate it, and also convince them to treat that lower environment ...?] Yeah, yeah, we try to be like, look, this took less work to compromise; this is what I'm going to go after; it's the same data.
I show PowerShell simply because that's what's common when doing that. However, if I have ... in every ... around that, there's apps; we're starting to do that. It's more about all the different ways to see ...

More questions? Actually, if you do have more questions, ... now, all we've got to do is the little run around. Round of applause. [Applause]
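As an added illustration of the detection the speaker describes (correlating Kerberos service ticket requests per user), not code from the talk or from Red Siege: a small Python detector over constructed Windows Event ID 4769 records that counts distinct service names requested by one account inside a sliding window. A short window catches the noisy "request every SPN" pattern; the low-and-slow variant with roughly 90 second delays only surfaces with a longer window, here combined with a filter on RC4 (0x17) ticket encryption, which goes beyond what the talk states. Field names, account names and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records:
# (timestamp, Account Name, Service Name, Ticket Encryption Type)
SAMPLE_4769 = [
    ("2019-05-01 09:00:00", "alice", "sql01$", "0x12"),       # normal AES ticket
    ("2019-05-01 09:00:03", "alice", "fileserver$", "0x12"),
    ("2019-05-01 09:05:00", "bob", "svc_sql", "0x17"),        # burst: many SPNs in seconds
    ("2019-05-01 09:05:01", "bob", "svc_web", "0x17"),
    ("2019-05-01 09:05:01", "bob", "svc_backup", "0x17"),
    ("2019-05-01 09:05:02", "bob", "svc_sccm", "0x17"),
    ("2019-05-01 10:00:00", "carol", "svc_sql", "0x17"),      # low and slow: ~90 s apart
    ("2019-05-01 10:01:30", "carol", "svc_web", "0x17"),
    ("2019-05-01 10:03:05", "carol", "svc_backup", "0x17"),
    ("2019-05-01 10:04:40", "carol", "svc_sccm", "0x17"),
]

RC4_HMAC = "0x17"


def find_roasting(events, window, threshold, rc4_only=False):
    """Return {account: max distinct SPNs requested within any `window`}
    for accounts whose maximum reaches `threshold`."""
    per_user = defaultdict(list)
    for ts, user, spn, etype in events:
        if rc4_only and etype != RC4_HMAC:
            continue  # AES tickets are normal for modern service accounts
        per_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), spn))

    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        best = 0
        # Slide the window start over each request and count distinct SPNs inside it
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            best = max(best, len(spns))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    # Short window: only the burst is visible
    print(find_roasting(SAMPLE_4769, timedelta(seconds=60), 3))
    # Long window plus RC4 filter: the low-and-slow account shows up too
    print(find_roasting(SAMPLE_4769, timedelta(minutes=15), 3, rc4_only=True))
```

Widening the window raises the false-positive rate for busy accounts, which is why the longer window is paired with the RC4 filter.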