
do that
Someone is recounting your network plots, okay. What if it's a no-touch recon? What if we're finding out all three email addresses from third parties? That's great for the internet, which is legal, very legal. LinkedIn, Nicholas Creek.
Inside a basement, not very effective. So we do it. Every time one of you is going to post a link to our blog post, we're going to get an email that says someone within their organization blew us up for our engagement, even otherwise, because we go buy so many, try to install a CMS on it and then get it categorized, so that when we go to phish you, your content filtering cousin...
You're right. All right, so when it works is we go through an actual pen test here: the items that are how they deliver and the process, what we found, the process and what we know. You could be anywhere in this, see something shiny, jump to an explanation. I have lots of tools, areas for recon. The idea here is that after we did a recon for a fictitious company, we found the farming with some crazy young worth there. You're right, what we found so far: some users and services. Okay, so what is this up, right? We're just gonna here and these things on your perimeter, then we're gonna try to exploit it so much.
It's always, yeah, oh, we gonna do it. Okay, so we have user accounts. You guys, no more jealous, yes. The spring told you to something you wrote a long time ago when he was tired of something. Any of you used MailSniper? Okay, you got it wrong.
and then the strange toolkits to atomize
An old sniper, Brad sis erupts. We're gonna show those Bulldog here in just a second. One of them interacts with credential validation and actually touches your DC, event ID 4771, and then the other one does credential something different, and its event ID is 4776. So they interact a little bit differently with your network but do the same. Using that information, along with really good past experience, you have a world, which is not difficult.
right it's on I saw something trifling
All right, so the point here is that we're able to spray. Is taking this long? So if you notice my cell addresses, so that mouse title, right, we see the threads running across here, and this interacts with an Exchange box. That tells the Exchange box: can you go check each one of these individual accounts against the domain controller and tell me they're valid? These tools take approximately the same amount of time to do the same. So in your logs, what to look for is a bunch of failed authentication attempts happening from one place, and in this case the authentication is coming from Exchange, so Exchange to your DC,
minimal times.
So anyway, with both of these tools we password spray, we gain access to credentials. They operate a little differently, but all of these should trip things on your network. You should catch us doing this. This is a fantastic place where blue team gets to say "we caught you". From a red/blue perspective we should be able to see a password sprayer, and with that password spray, fingers crossed, you have bones available off your gun was successful as soon as you see a bunch of
this is not on by default and you would not believe
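The detection the speaker describes, as an added example that is not part of the talk: a small detector over constructed Windows Security log lines (4776 NTLM validation and 4771 Kerberos pre-auth failures) that flags one source, here the Exchange box, failing against many distinct accounts in a short window. The log format, hostnames and threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not from the talk); 4776 = NTLM validation, 4771 =
# Kerberos pre-auth failed. Status 0xC000006A/0x18 = bad password, 0x0 = ok.
SAMPLE_LOG = """\
2019-05-01T10:00:01 4776 Workstation=EXCH01 TargetUserName=alice Status=0xC000006A
2019-05-01T10:00:02 4776 Workstation=EXCH01 TargetUserName=bob Status=0xC000006A
2019-05-01T10:00:02 4776 Workstation=EXCH01 TargetUserName=carol Status=0xC000006A
2019-05-01T10:00:03 4776 Workstation=EXCH01 TargetUserName=dave Status=0xC000006A
2019-05-01T10:00:03 4776 Workstation=EXCH01 TargetUserName=erin Status=0x0
2019-05-01T10:00:04 4776 Workstation=EXCH01 TargetUserName=frank Status=0xC000006A
2019-05-01T10:05:00 4771 IpAddress=10.0.0.5 TargetUserName=alice Status=0x18
2019-05-01T10:07:00 4771 IpAddress=10.0.0.5 TargetUserName=alice Status=0x18
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>4771|4776) (?:Workstation|IpAddress)=(?P<src>\S+) "
    r"TargetUserName=(?P<user>\S+) Status=(?P<status>\S+)$"
)

def parse_events(log):
    """Parse the sample format; any non-zero Status counts as a failure."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["failed"] = e["status"] != "0x0"
            events.append(e)
    return events

def find_sprays(log, window=timedelta(minutes=10), min_users=5):
    """{source: sorted users} for sources whose failures hit >= min_users
    distinct accounts inside `window`. One account failing many times (a
    brute force, which lockout policy catches) is deliberately not flagged."""
    by_src = defaultdict(list)
    for e in parse_events(log):
        if e["failed"]:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Because the spray is proxied through Exchange, the 4776 source is the mail server rather than the attacker, which is exactly why a per-source distinct-account count is the signal to alert on.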
oh good okay perfect okay that's really good and then everybody familiar with not against this one and actually using it effectively
so we want to see
we what's inside was interesting emails
So one weekend now and we've got access to a vessel like this one down mandibles, and tell what you find on extras, and there's no direct way to get where you're going.
what we do is internal access with additional that's what your networks looting or scanning probably moving toward purple team
okay okay yes use our powers
Yeah, with extent we've seen almost do with it, with that password that the interns changed and then emailed the plaintext to other interns.
So here we go, right: we have the user who requests the system name on the network that is not resolved by your DNS infrastructure. Windows behavior, isn't that right? Sure. "Yeah, that's me," we relay the poisoned response to our part. Okay, doesn't work, multicast the same request. "Yeah, that's me," right here, and we send that poisoned response to our target, to these systems. Let me recap that. So I opened up folders. Windows, when I type the interns here, which is not a real share, Windows says yeah, that server doesn't exist, I don't really know what to do, anybody on the LAN? "No, no, give me to send you files on Windows." So you
send me your apps on Windows and I'll first you, and then I'll give you something that I don't have. Okay, and then the attacker server gave nothing, returned, because it really didn't care. All the one was your hash, and the next part of that is it's gonna take the hash, it's going to use it, it's gonna get support, whereas you, but all it has is my hash. I didn't give it the password. Speaking of hash, does anyone recognize that one? I have one hash highlighted. Does anybody recognize this? This is a blank LM hash. There is no LAN Manager. Force the password policy greater than 14 characters, not 14 characters, because Windows will chop, let it happen.
Windows will chop that. Thank you. If your password policy is 14 characters, it's not good enough. Windows will take a 14 character password, chop it in half and store two chunks of hash, which we can crack. My holding space time in our GPU, it's worse than that. Okay, they bring the white, LAN Manager is so, so bad. Okay, 14 character password, yeah, that's a good, that's a great, okay. Now we're gonna cut it out, we're gonna send into two different seven character passwords, but before we do that we're first going to make everything capitalized, so we have like what, maybe 15 to its characters, and then we won't have to crack seven of those at a time. That takes the entire 14 characters basically, and that takes about two minutes. So if you store anything in LM on your domains, then everyone changed their password, because the alignment attribute enacted rhetoric and only store 14 characters.
La-di-da, that's the DNC line. That's right. So we always have a request for a user target in the system with SMB signing disabled. So the idea here is we let you get local admin, because I'm a typo, because an intern takes an interest here instead of interns centered.
Countless wasting on your network. Oh, that's awesome. Okay, so everything we just did there: your Responder responds, or someone, that's gonna say, Windows says hey, is mouth certain, they have it, and Responder says hey, that's me, and it's, we're descent and chillin real answers, take that hash and then use it to authenticate on that same system, to the track together. Just one condition: note that targets is a variable, so definitely try it on that one system, we'll try it on all the targets.
Okay, it's not five minutes, it's 24 minutes. We're 24 minutes into a pen test, okay. Preparing every Constance actually took us like 20 minutes before, so we're 44 minutes into the pen test. We have local admin on one of your internal desktops. The time there's not that accurate. The question is: can your blue team find all those connections and block us within another time? What's the average response time? Yeah, it's more than two hours. I hear two as well, but usually we're in two hours. Really awesome looting, a really awesome SIEM that's finding everything and automating for you, and then taking every resource and walking on the floor automatically without disrupting business.
this hurt my trouble before yes yeah he's annoying lives in Denver area we call them London services there
Probably we've done account that has local admin on leveraging the domains. All right, so right now we're gonna be retro and yellow, right. So we've got 259 ounce. Now we know where the OWA server is and over the VPN server. This, you have valid credentials and additional credentials in this room. We know the internal network access landscape, we know the identified services. The river to a mind, which is SMB, which we've used with Responder. SMB signing disabled, which has allowed us to take those hashes to replay them over and over. We have the internal callosum which we found, this I have an email. We have a political as somebody which is given a sign disabled, and we found even happens
we just used here, which gave us additional hashes, and I think we think we missed in the screen.
This one, this is going to tell us that something touched LSASS. What touched LSASS in here? Why pick you? LSASS, what's it, LSASS, Chris made me catch my billfold, plaintext creds in the memory. With those it's really hard to trigger on that. It was even harder for us to sort out which ones, so it's hard, but this one is amazing. Okay, time to learn how to walk properly. We install to spawn there. There's another problem with us and actually identifying what we've done, because he's told some hackers to go build a network that's contrived and does a bunch of automated things the way that hackers are going to automate all the things
that make it look like user accounts. We've essentially installed malware everywhere, so he's then trying to go back and find where you're running malware intentionally inside of all the other intentional malware. That's going to be really difficult. So if you're actually looking at a blue team perspective on the Active Directory domain, it just looks like malware everywhere, and all that malware is to automate user behavior. So all the other project, this entire LAN we built, Asafa is tapped in multiple network connections, so the governor teams that do blue team, they try to do hunt team analysis.
Phishing. Who loves phishing? Anyone to SBI security? Okay.
Coefficient is the rebuilt and sub-regional, but if they're trying to mimic with me here, someone KnowBe4. So if using KnowBe4, it's similar to that except it gives you a metric, so tell you how many interviews is why her company, you search the news.
Okay, so we're going to phish someone. You really, really want them to click on the link, you really don't care about the consequences. You can send an email from HR that says hey, there has been a complaint of nature and you need to review this document. If you start talking about finances, so organic something, you say hey guys, bakery, we're in a position to acquire southern farm district, now check out these plans, which think, and then you actually include like the price of the farm and maybe the value of the bakery system. The process people, you know, they shouldn't probably be privy to that information, but you're going to click on it because they're interesting. Another one we
didn't like, the phishing in terms of email: Google Calendar injections. Yeah, that's scary. Ever you can send your CEO, or it rarely, keep pop-up: this is a happy at this meeting in 20 minutes and the agenda is rakers put them,
and Google Calendar injection is an active feature, so ball strike is awesome. Okay, C2 infrastructure, so it's a kind of mess interpreter.
Oh no. So, continue. A lot of documentation, because generating cues about 40 pages of technical training, which is not fun to do after the faculty. Yeah, that's bad. Explain for the first ones ever, that might be middle management.
You should say what the motor 41, what 6.1, why it matters, how to make it better in terms.
Get a better index position, a practitioner level methodology, which means you take that report, you need to go step by step, you can reproduce everything that the pen tester did the exact same way and come to the exact same results. The reason that's important is after your team fixes vulnerabilities, you want to be able to retest that methodology without going to another pen tester for you.
So yeah, kind of lessons about phishing. Yes, so we get a domain, you purchased a domain. We want that to be a way to look legitimate. So if you have the Borden ended with Cisco, when you go to the web browser and you open up with the target's that domain, typically, having a good product that filters, then it's, I should wear, to check in this database to see whether or not that domain name is accurate, legitimate, miscategorized, and it's gonna say oh yeah, that's categorized to the business sector, so it's probably legitimate for that user to get to it. In order for that phish to work we have to go in.
Everybody knew what it is, marketers. Oh, what happens, okay. So SPF, DKIM: the idea is that if I send you an email, SPF is what you tell the receiving email server whether or not my email that I sent was authorized to be sent with the From domain that I'm sending it. Has these together can tell recipient mail servers they were not authorized to send an email. With DKIM, when I sent my email I then have to include a key, and that key, the public key that I'm sending, has to match the key that's in DNS. So that is one way to authenticate email it's being sent. With DMARC, utilize these two things together and you can build a
report back. So the blue teamer's perspective: you can use DMARC. Here's what I like about this: you can use DMARC to determine all the emails that are sent using your From domain that are not sent by someone you authorized to be sending email, right. So if China is sending, sorry, if anyone else that is not you sends email on your behalf, you will get a report back from the recipient mail server saying hey, when you received this mail, we actually blocked it. Know that that's what DMARC reporting, okay. So it's pretty important. There's also really great 12 dozen Houston mark on its own here. It gets really ugly, email reports back that are
useless, they're like what's a great data and stuff that doesn't make any sense to anyone. What you want to do is, so partner agencies,
the marketing agency should be working with the IT department. The way they don't, but let's see what they don't anyways. If they did, you come to get better penetration where it's on emails. All right, I think, were any other questions? Yes. How's the food, the increased move to reduce your ability?
Through this, we ran the HTML that was inside of the phish. If we sent that to Office 365, we will get an immediate beacon back to our C2 server that does not come from our client. No, it came from, yes, it comes from Office 365. They're inspecting that traffic, they will recognize it as a C2.
so you have to be clever you have to make emails that look legitimate and doubly directly to your Bimmer
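The DMARC report the speaker describes a few lines up ("you will get a report back from the recipient mail server"), as an added example that is not part of the talk: a parser for a constructed aggregate (RUA) report in the RFC 7489 Appendix C shape that sorts each sending source into authorized, unauthorized (both aligned SPF and aligned DKIM failed) and SPF-only failures. The org name, domain and addresses are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report in the XML shape from RFC 7489
# Appendix C; org name, domain and addresses are made up for the example.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>bakery.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>bakery.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>bakery.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.4</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>bakery.example</header_from></identifiers>
  </record>
</feedback>
"""

def summarize_rua(xml_text):
    """Group the report rows by outcome. 'unauthorized' rows failed both
    aligned SPF and aligned DKIM: mail carrying your From: domain from a
    source you never authorized. 'spf_only_fail' rows (typically a forwarder
    that breaks SPF but leaves the DKIM signature intact) still pass DMARC;
    'authorized' rows passed at least one aligned check with SPF intact."""
    root = ET.fromstring(xml_text)
    out = {"domain": root.findtext("policy_published/domain"),
           "authorized": [], "unauthorized": [], "spf_only_fail": []}
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        entry = (row.findtext("source_ip"), int(row.findtext("count")),
                 pe.findtext("disposition"))
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        if dkim == "fail" and spf == "fail":
            out["unauthorized"].append(entry)
        elif spf == "fail":
            out["spf_only_fail"].append(entry)
        else:
            out["authorized"].append(entry)
    return out
```

Real reports arrive as gzip or zip attachments at the rua= mailbox, so unpack before parsing; an unauthorized row whose disposition is still none means the published policy is p=none and nothing was blocked yet.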
That is very, very quiet, very targeted. So if you'll notice, before we did the password spray, no, you don't do that. We will do everything we tend to find what we know, anyone a lot password to one valid user account and that's one of the use the same username, so if not to raise any suspicions. It's much slimmer. Intel had a really cool