
Seems that we don't have one side right. So, who am I? I'm N Capelos, I'm a principal at and I'm the director of offensive operations. That means that pretty much everything that has to do with pen testing, vulnerability assessment and all types of exercises, threat is TE, but everything pretty much passes through me. I have some certifications, like pretty much everyone in the cyber community, right, and in my past life I used to be an IDE; that's why you see that I'm a certified information monitor, and I'm also a chartered certified accountant. That was in the previous life, and that also helps me actually speak to boards of directors and speak to people that are not so technical. Nowadays, unfortunately, I hack the world one Excel at a time most of the time. That means that I'm usually doing sales, and I'm pretty much focused on why and what instead of how, but that's okay, because I've got a team of 14 that actually do great stuff, and that keeps me motivated. I'm also very content with it because I'm also doing all the physical penetration tests, which don't change that much, and I get to be on the field pretty much very often. I do still keep a Flipper Zero on me and a get-out-of-jail letter pretty much all the time.

So what do I talk about? This talk is about easy ways to move forward within the red team. Through the past seven, eight years we've done lots and lots of red teaming, and several ways of moving forward actually keep popping up. The thing is that they're pretty easy to do by everyone, and I keep trying to remind myself and the team that it's not only the very high-precision, complicated ways of getting domain admin; there are also many easy ways to get there most of the time. So it's not only ADCS, it's not only, I don't know, ACLs and going through the Active Directory. At least in Greece and abroad there are many, many companies that are huge, and unfortunately we see lots and lots of issues that are easily detected and easily corrected popping up all the time.

What I love about red teams is going after passwords. Passwords in a red team are pretty much everywhere, and this is the main objective of the red team: we usually search for passwords all the time. We don't search for exploits; we don't show "okay, so you've got, like, fifty-five exploitable machines in the network". We don't care about that, usually; we care about passwords, because it's usually an easy method, or a simple method, to get domain admin. It is usually inside the red team objectives, which is usually getting the domain administrator level of access, and there is no easier way of getting domain administrator access than having the domain administrator password. It's an easy way to do lateral movement and fly under the radar. If you get passwords or hashes, it's an easy way to actually move forward within the Active Directory, and usually it's not easily detected. Okay, yeah, pass-the-hash is a method that might get detected, but still, we've got huge, huge companies here and abroad that have invested millions and millions in MDRs, XDRs and whatnot, and still they don't catch pass-the-hash if it's done with a certain account, like a computer account or maybe a system account or whatever. What we usually do is actually try to find as many passwords as possible. I'm not going to get into the details of the NTLM hashes, because there is NT, there's LM, there's NTLMv1, there's NTLMv2, and all these are different, or, when we're talking about either, it's for relay, so it's NTLMv2, or it's used for an attack, which is right. And the beauty also of passwords is that for proof of concept they're pretty much standard: no one can actually say "no, you don't have the access" if you actually show him the password. So it's pretty much, at least for the IT staff, right.

So I just want to show you some ways of actually getting the passwords. First of all, and pretty much around 50% of what we see, and I guess who has seen this in the past: passwords in shares. That's the main method that you actually get them, pretty much even in huge corporations like Fortune 500. Either you can get them from configuration files, and this is one of the pictures shown below, or you can get them from user folders, because users are not usually IT security aware, so they store pretty much everything in an Excel file or Notepad or whatever. If I'm not mistaken, in maybe 50% of companies one of the ways that we actually get domain admin (because we don't stop at one, if we have the time) is through passwords in shares, because when you get one password you can get into a system, and get into another system, and things move forward from there on their own. Usually it's very hard to get noticed if done manually; no system, even the network detection systems like Darktrace that follow the network traffic, can actually flag some things, but nevertheless, if you do it manually, pretty much no one's going to get it, unless you try to get access to a honeypot or something. The only thing that you have to be careful of, down in the bottom left, is signed files that are actually placed on the network. We've seen this with some of our clients, and the silly thing again is that pretty much what they advertise is what you get: the names of the files and the dates that are actually on their website are the names and the dates of the files that you're actually going to get in the red team. It's not something different. Moving forward, we also have to say that, to prevent that, you have to do a periodical review of the shares and you have to do some user and IT staff training, because not everyone is IT literate. We see lots and lots of silly mistakes being done by the IT administrators. The Excel sheet that you see on the left is actually from the IT staff: someone from IT was keeping every username, every password, every email, pretty much everything, on a certain share.

Moving forward, how many of you have seen this? I mean, you can get in CFS, you can dump all the LDAP, and pretty much you'll find service account passwords in the description. That's a very silly mistake, because somehow IT admins think that this is only for them, that no one else can see it, but pretty much everyone with access to the Active Directory can actually see it. IT admins actually think that it's an easy way to keep the service account password; it's an easy and accessible way to keep it, and it's one of the things that we actually check. You can get it in multiple ways: you can get it with PowerView, SharpHound, BloodHound, ADSI searches, and from your box, either that's C or W, and of course you can get it from Explorer. Again, the thing is that you have to do a periodical review, not of the shares, sorry, but of the LDAP, and you have to educate the admins of the company: please don't keep that in there, because everyone can actually see it. It's not a secret there.

Okay, so that's a very old one: everyone is doing Kerberoasting, either the correct way or the wrong way, but everyone is doing it. The thing with Kerberoasting is that it's harmless if the password is actually very strong, and we don't see that. First of all, what we see is usually etype 23, which means that it's in RC4 format, and you have to go to AES, because it's far, far more difficult to actually do the whole cracking thing with AES, but we still see RC4 for backporting purposes and for working with older systems. The thing here is that it can be harmless; the problem here is the passwords. We see two or three kinds of passwords, usually: either very big passwords that are actually inside rockyou2021, say, or passwords that are actually the name of the company plus four digits plus a hash or a question mark or whatever. That's not strong, so every mask, every cracking system, every competent password cracker is going to crack it. It's something that you can prevent, and it's something that you can also detect, because you can use honeypot accounts, but the thing is that you have to have strong passwords in order to actually protect the service accounts, because usually we're talking about service accounts where the password hasn't changed for the last 7 years, 10 years, whatever, and the passwords are really silly. Yeah, that's something that we see even in huge corporations.

Okay, so we also have a problem with MSSQL. If you get users, if you get your hands on passwords of users, we usually see problems of the style of simple users having dbo access to databases, and that's a major misconfiguration. The problem with it is that IT wants to do their job, and they want to do it as fast and as purposefully as possible, and also you have vendors that are actually pushing forward that their vendor account should be a domain admin or whatnot. So you've got service accounts and some of the users that actually get access to databases that are either dbo, or they're dbo on a linked database, or they can actually harvest data from within the MSSQL, and that's very silly stuff, because exfiltrating critical data from a corporation is usually one of the objectives, it's what APTs usually do. That means that even if you have a single user that only has read access to a database, even if you cannot execute commands, without xp_cmdshell or whatever, you can still get the data and exfiltrate it, and that's a major problem for the corporation, because you have to remember that attackers nowadays usually go two ways: either they set up ransomware, or they exfiltrate data and extort companies to actually get some funds, otherwise everything is going to be on data. That's pretty much what we have seen publicly for the past few years. There are also multiple operating system command execution methods, and there are certifications that you can actually get to see more methods to execute OS commands other than xp_cmdshell, but in any case you have to check the database to see who can access and who can execute data. The one thing that we usually also see is that when we get access to databases, these databases usually are application databases; that means that usually they have user passwords inside, and that's a major issue as well, because we get one password, and out of that password that actually gets us inside the database we get maybe 1,000 more passwords, because we see several configuration issues with applications that don't actually encrypt the passwords inside the database, they just put them there, or the encryption is very silly, like, I don't know, MD4 or whatever. Okay, that's also a problem.

So the default state of Windows Server 2003, if I'm not mistaken, is to actually serve NTLM version one hashes. An NTLM version one hash is actually something that, if I remember correctly, is MD4, I remember. In any case, the thing is that it's very easy to crack. There is an online platform called crackas which can actually be used, usually; unfortunately it's down or up, depends. We do have several NVIDIA cards in our lab, so we actually crack them in there; it takes about two days. But the thing is that the server, and usually the server we're talking about is a DC or some other kind of server, a file server or some other kind of server that is actually owned; in the picture on the right you can see that it's actually a domain controller that's supporting NTLMv1. And the thing is that from that one you get the machine account of the domain controller, which you can use to get a silver ticket, you can use it for RBCD, but usually the easiest thing to actually do, if there are no competent, let's say, detections in place, is DCSync. With a computer account you can get all the passwords of the users of the domain, or even one user, krbtgt, whatever you like. The thing is that it is an encryption and it's very weak, and it shouldn't be used, and it's used because of all the machines that exist in the network. For red teaming, I would suggest, if you do it, just try multiple machines; some of them might actually have it, and if you've got BloodHound you can see pretty easily what machines are in the network. If there are Windows Server 2003 and XP, you've got a very big chance of some of the domain controllers actually supporting NTLMv1. Yeah, okay, decommission old systems; I think that's something that pretty much everyone knows needs to be done, but it's not usually done. Better, more work for us.

This is a very easy way to get a user from zero, and we see this also many, many, many times: default credentials are something, especially on printers and other devices, firewalls, cameras, access card systems, that we see all the time. That's a vector by itself, and it's very silly, but it still is. The thing to actually exploit it is to actually get into the system that has full credentials. Especially printers: they're usually either set up to have SMB credentials, because they save documents in an SMB share, or they actually do the authentication through LDAP, which is far better for us, because it actually sends us unencrypted credentials; LDAPS is encrypted. So what you simply have to do is to actually get in, change the server that actually stores the credentials to the attacking machine, and whoever prints, or even you if you print, it will come to your machine, and you can relay it, you can pretty much crack it, you can do pretty much whatever you like. Besides that, you also have to think that printers also have documents inside which sometimes are critical for the organization and are confidential. Also, in my last two engagements I've seen UPS with full credentials; you can pretty much shut down everything. That's also a silly attack method, but it's there; we have to check it and we have to inform the company that it's there, so they have to change it. In any case, printers are an attack method, and the biggest benefit of it is that we've seen printers having domain admin as a user, which is stupid, but still, we've seen it. Other than that, even getting a user from zero is actually a proof of concept that shows the companies that you have to change it, because if you plug into a network and get a user out of zero, then you can access a set of folders, and then you can go for more passwords and more passwords. What they have to do is actually remove the default credentials. It's something that even a penetration tester would say: even in an internal penetration test someone would find the default passwords and you put it out.

Okay, so another silly way to actually get credentials is through the web browsers, because you can either get them through a C2 like Pon or whatever: if you get system access to a system you can actually download all the passwords that are actually inside. You want Chrome, you want Firefox, you want pretty much everything. Unfortunately, or fortunately for us, users are lazy, so they do have password reuse pretty much for everything, and if they don't, usually dumping credentials from Chrome will tell you a pattern that they're actually using through all the applications. Other than that, you have to keep in mind that users nowadays look into web applications for pretty much everything; even for the Active Directory nowadays, going through Azure you can actually get pretty much all the information that you need, so you don't actually have to go through the Active Directory, everything is in there. And of course, don't forget about cookies: through cookies, and from the internal network, you can actually log in to Azure and harvest credentials even from there. You need a good EDR, of course, you need user awareness to tell the users to keep the password somewhere safe, not in the browser but in another application, maybe KeePass (even that has problems, but anyhow, don't keep all your passwords inside), and of course multifactor authentication for sites that are actually outside the company should also help a lot.

Okay, so besides passwords we also see password reuse, and that's a problem that we see most of the time. Admins use the same password pretty much all over the place, and if it's not the same, it's, I don't know, a digit change or a year change or something that even a seven-year-old would understand: yeah, that's the current, the new password. I'm going to speed up a little. We do see this in local admin accounts a lot. If you don't have LAPS, there is a problem there of actually having the same local administrator account for pretty much every machine that you have on the network. Usually that happens because corporations just have an image of a system, and instead of installing the same applications for everyone, they just do it once and forget it, and it's the same administrator for every machine that there is. An easy access for that is, if you have the machine, and it's not properly configured for BitLocker, you can actually get in and grab that local admin NT hash from the get-go. It's very difficult to identify lateral movement from that perspective, because usually this is a thing of the network; it is multiple LS, but in any case you don't have to log in to 50 machines at once. We have done it in the past just to check if the EDR was properly set up (it wasn't), but at some point in the red team you have to turn up the volume to see what the capabilities of the defending blue team are, because it's nice to say that I've done a, I don't know, one-month red team and no one caught up with me, but if it's not an objective, the maximum value to the client is actually seeing what the threshold of the defender is: at what point is someone going to blink and someone's going to raise some eyebrows. So what we say usually is to actually use LAPS at least for local admin; user awareness is a major thing as always, and you have to check network traffic; if you don't monitor network traffic, that's something that is very difficult to actually get.

Okay, so this has been going on for ages and ages and ages: Responder actually gave us the first taste of actually spoofing and getting credentials, etc. There are other ways, and I'm not going to get into relays either, because that's a whole different presentation by itself, but you can either relay or you can break, and we see weak passwords, and this is another way, like the printers, that you can actually get from zero to user. Everyone's going to say that this should not be there, but for major organizations who have thrown millions and millions of dollars into creating their IT environment, it's very difficult to move forward and change the stuff, and even though we've said lots and lots of times, okay, you have to disable this, there is a problem: no one actually manages to disable this. Well, if it's a small organization, yes, but if it's a big organization, it's there for a reason, and production is king. The easy thing to do is to relay this thing into a file server and exfiltrate data from the file server. Just a quick note: PCredz is a very small tool, it's not mine, I've used it for years and years now, and it's actually a redundant way to actually get all the credentials that are actually getting into the network. Just saying, I'm trying to convince my guys to actually use it more and more. The thing is that most of the time, not most of the time, we see a lot of applications actually fail at getting the credential; Responder is getting crazier and crazier, and if you have something like this in redundancy in the back, everything that's going to connect to you and give credentials is going to be written down in your PCredz. Yeah, unencrypted traffic is a huge problem in the networks, PCredz doesn't like it at all, in any case everyone does it. And I think that's it.
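A defender-side check for three of the findings in the talk (service account passwords left in the LDAP description field, Kerberoastable accounts still on RC4, and service account passwords not rotated for years), added here as an example and not part of the speaker's material. It runs offline over a constructed export of user objects; the attribute names follow the AD schema, the accounts and values are invented, and the password-hint regex and the 365-day rotation threshold are assumptions a team would tune.

```python
import re
from datetime import date

# msDS-SupportedEncryptionTypes bit flags as documented for AD accounts.
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10
AES_ANY = AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1

# Constructed sample export of user objects (invented accounts, not a real
# directory); a real run would feed a CSV/LDIF dump into the same shape.
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup",
     "description": "Backup service, pwd: Backup2015!",
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC,
     "pwdLastSet": "2015-03-02"},
    {"sAMAccountName": "svc_web",
     "description": "IIS application pool identity",
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": AES_ANY,
     "pwdLastSet": "2024-01-10"},
    {"sAMAccountName": "jdoe",
     "description": "Sales, ext. 4411",
     "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": "2024-05-01"},
]

# "password: ...", "pwd=..." and similar notes admins leave in descriptions.
PASSWORD_HINT = re.compile(r"\b(pass(word)?|pwd|pw)\b\s*[:=]", re.IGNORECASE)


def audit_user(user, today_iso, max_pwd_age_days=365):
    """Return the finding tags for one exported user object."""
    findings = []
    if PASSWORD_HINT.search(user.get("description") or ""):
        findings.append("password-in-description")
    has_spn = bool(user.get("servicePrincipalName"))
    etypes = user.get("msDS-SupportedEncryptionTypes") or 0
    if has_spn:
        # Unset (0) leaves the account on the domain default, historically
        # RC4; an explicit RC4 bit means an etype-23 TGS can be requested.
        if etypes == 0 or etypes & RC4_HMAC:
            findings.append("kerberoastable-rc4")
        last_set = date.fromisoformat(user["pwdLastSet"])
        age = (date.fromisoformat(today_iso) - last_set).days
        if age > max_pwd_age_days:
            findings.append("stale-service-password")
    return findings


def audit_users(users, today_iso, max_pwd_age_days=365):
    """Map each account name to its findings, leaving out clean accounts."""
    report = {}
    for user in users:
        found = audit_user(user, today_iso, max_pwd_age_days)
        if found:
            report[user["sAMAccountName"]] = found
    return report


if __name__ == "__main__":
    for name, tags in audit_users(SAMPLE_USERS, "2025-01-01").items():
        print(f"{name}: {', '.join(tags)}")
```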