
So, good afternoon everybody, and thanks for coming to the last talk of the day. I know you'd all rather be in the pub, which is exactly where I'm going to be after this. [inaudible] Who am I? Phil Lynch. I'm one of the management principals at Nettitude, and for my sins that means that I'm one of four managers responsible for the entire pentest team there. I also manage most of Nettitude's red team engagements from a risk, governance and client-facing perspective, and on occasion I still get my hands dirty behind the keyboard, so I'm not so far removed from the coalface that I don't really know what's going on. I have the dubious honour of having also conducted most of the executive debriefs that we do after an engagement. Basically that means going to the senior management, executive teams, C-levels, and telling them how miraculously well they've performed over that engagement, or not. I never give good news, unfortunately. That's it. I'm ex-forces: twenty-four years in the Air Force. I've got twenty-five years' experience in IT, the last six of which have been primarily in security, and I'm also a co-author of Nettitude's Advanced Threat Actor Simulation course, which I also teach with some of the other guys from Nettitude.

So what's this all about? Nettitude has been red teaming for the past five years, effectively, and in all that time we've obviously learned quite a few things along the way. And I apologise now: I will try really hard not to swear, so apologies for anybody with sensibilities. I am Scottish and it's a bit of a cultural thing. But most of the things we've learned have been because things go south, things go wrong, we mess up. We are human. By the time you've got into the middle of an engagement, the heat of battle, you tend to make mistakes. That's fine in and of itself; it's not really great for the engagement, but primarily, as long as what we're doing is learning from those mistakes and not falling into Einstein's definition of insanity, which is doing the same thing over and over and expecting a different result. So what I wanted to do with you all today was share some of our experiences where things have been less than ideal and have gone wrong, so that hopefully, when you're on an engagement, you're managing teams and engagements, whatever your role is, maybe you don't make the same mistakes, and maybe your engagements are a little bit more successful than the ones that have not been so great. And of course it's BSides, so there's an appropriate number of memes and GIFs in there, because that's what we do.

Do we learn from our mistakes? We all make them, and we get on an engagement, users do weird stuff, you can never account for everything that's going to come up. On a red team engagement you're blind from the start, effectively: you're on the outside, you've got maybe no access to the internal environment, you don't know what it looks like, you don't know what they're doing, you can't see anything, you've got no real idea of what's happening on the other side of the house. You can make some assumptions, you can make some educated guesses, but you never truly know what's going on, and because of that things happen that don't go the way you wanted them to go, the way you expected them to go, or quite frankly things happen and you've got no idea why. And what do we do about it? Learning from those mistakes is fundamental to us becoming better at what we do, and that's not just red teaming, that's the industry in general. So at Nettitude we're very open about anything that goes wrong. We have a no-blame culture: if somebody does something that they think is a mistake, or something has gone wrong, we open it up, we let the team know, we make sure that everybody understands why it's happened, how it happened. And quite often we don't find out until right at the end of the engagement, when we're doing the debriefs and we're
getting the client's view as to what's actually been going on, and sometimes it's been things that we haven't even thought of.

So, what we've learned. I'll start with the famous one today: threat intel. Everybody has their views on threat intelligence: snake oil, smoke and mirrors, a little bit of magic. Threat-intelligence-led pen testing requires threat intelligence, and you've got to have your threat intel teams provide you, as the red team, what you need. There's two sides to it. They provide the client with a report that shows their exposure and what they look like to other people in the real world, their digital footprint if you like, and then there's the targeting side that we as red teamers want to consume in order to compromise the organisation, show them how this can happen through intelligence-gathering exercises, and then effectively teach them why this is bad and how not to do it in the future.

So I think the most important thing I've learned over the years about threat intelligence is that timing is crucial. Take the following scenario. We started an engagement, I think, one week ago. The threat intelligence was probably done in 2017, at the back end. It should have started in March of this year, the engagement, the actual operational side. So if you think about it, that threat intelligence at the time was relevant, it was good, it was exactly what we needed. Six months down the line, is it relevant? Is it still useful to us as a red team? So when we're looking at the targeting aspects of it, we're thinking, okay, the threat intel team have discovered a conference that the target company attends regularly; we're going to use that to create a pretext around inviting some of those speakers, or people who have spoken at these events, back to our event. Except now that event happened three months ago. That threat intel is no good to us anymore. So getting threat intelligence to you at the right time is crucial. You need to be aware of delays, you need to be aware of any pretext proposed to you through threat intelligence that may not be relevant. If they're talking about things around Christmas and it's April and it's Easter, it's not Santa Claus who's coming along, it's the Easter Bunny you want to be talking about. So you have to look at these things as you read them, you have to go in and make sure that it's relevant for what you're trying to do. You can be creative, you can use some clever language within your threat intel and your targeting packs in order for it to become relevant at the time, but it becomes difficult. Other things that happen over time: your targets leave the organisation, they get married and hence their name changes, they move departments and you're targeting HR and they're now in marketing or sales. All of these things can happen, and from the outside you can only go on the information you've got presented in front of you.

So what do we do about this? Well, you clearly can't continually go through the threat intel loop where you've got your team constantly gathering the latest and greatest, because it's just not practical; they've moved on to the next engagement, they're planning for the next test. So what do we do? What I've learned: talk to the clients. Talk to them up front, ask them about the people that you're proposing to target. It sounds a little bit alien to a lot of people who do red teaming, because, like, oh, you can't tell the client anything, because they'll game you, they'll use it against you, they'll watch those accounts. At some point you have to trust the white cell. And by white cell, for those who don't really understand, those are the trusted individuals within a target organisation that know the test is happening, and they know that you're going to be targeting individuals within it, and they may have a view on some of the pretexts that you want to use. Speak to them, get their temperature, make sure that if you're targeting Joe Bloggs in HR that Joe Bloggs still indeed works in HR, and maybe he's not on holiday for the next two weeks. Because again, there's nothing worse than having put a lovely pretext together, a great phishing email, sending it in, and you get the out-of-office reply: "Hi, I'm away in [inaudible] and I'll be back in November, check my tan." Oh. And you've got a two-week engagement and this is ten months later. What's next? These things happen, you've just got to manage them. But talk to the clients. It's an age-old thing where you can't tell the client anything, but there's a white cell there for a reason. Use them, talk to them, get that little bit of intelligence that helps the test run, because remember they're paying a whole load of money for you to sit and say, well, I've targeted all these individuals and none of them reply, because none of them work there anymore, they're all on holiday or whatever. And all they're doing is watching money dripping down the drain while you're sending emails to empty inboxes, and they receive no value at the end of it. So all of these things have happened to us, and because of that, now at the beginning of an engagement I set up a dialogue with clients and I make sure they understand that when they receive the threat intel report, we have a discussion around those people we're proposing to target, and they can then go, generally without any sort of alarm bells going off, and say, oh, actually Sheila in HR, she's on maternity leave, she's not going to be in the office for the next four months. Well, let's not target Sheila then, because that's not going to provide you any value, and it saves a whole load of work up front. So it's not rocket science, but you'll be amazed at how many people won't engage with the client early on. Don't wait for it to go wrong; try and pre-empt it.

The second thing I've learned: being an ex-military guy, I've travelled quite extensively around the world and I'd reckon my
geography seems to be pretty good, and pen testers are geographically challenged. I don't know what it is; they don't really seem to understand where countries are. It's not just news outlets that seem to struggle with it, I don't know what it is, pen testers do too. So here's the scenario. We're conducting a red team for an organisation that's spread globally: local offices in loads of different countries, and they want to test each of these countries individually so that they're all marked from the same hymn sheet, if you like. Threat intelligence kicks in, it's in a timely manner, we've engaged with the client on these targets: yeah, yeah, Sean's sat at his box in that office, brilliant. We create a nice pretext, we send an email, we successfully phish the individual at the end, and we get a shell back. Everybody's doing the root dance in the war room.

So, because we are conscientious red teamers, we start doing situational awareness. We do some basic checks. We've got a shell, which means the IP address that the external-facing infrastructure has is on our whitelist; that means it belongs to them. Check number one. The target name is correct, so that's good, we know that we've targeted the right individual; we can see his email address. We look at the computer name; the computer name follows the standard that we expect for the environment. The domain name is correct. I mean, everything's good, we're in the right place, we can start going to town. Right, well, do one last check. We'll just check the last time the system rebooted and stuff like that. Hmm, no, that's interesting: the time's all off. Not just because it's in a foreign country, it's off from what we expect it to be. Now, is the system time just wrong? Maybe the computer's not very well. Let's have a look. How else can we check the time? Let's have a look at the locale. The locale says that's not the country we would expect from our target. So what do we do then? We speak to the client: we believe that our target is in country X and we expected them to be in country Y. Can you confirm? Everything else is good apart from where they physically are. The client runs off, checks, and subsequently what we found out is this individual works between two different countries, and we happened to catch him when he was not in the target market. No need to massively panic: we haven't committed an offence, the target still belongs to the organisation, it's just not in the market that we were looking to target at that particular time; not in the right place. So despite us going through a whole raft of checks that all red teams should be doing, we still got caught by what fundamentally was a misunderstanding between threat intelligence, the target, sorry, the client, and us, that that individual worked in multiple countries. So it's something to be aware of. Situational awareness helped us here, and the fact that, before we went to town, when things didn't look quite right we made a call, and because it didn't look right we stopped the engagement, we came out, reached out to the client. The last thing you want is to actually have targeted an individual who's in the wrong organisation, because you are in deep doo-doo at that point and you don't want to be there. So globally, you know, the world is a big place, it's easy to get things wrong. Countries
are a long way off. But it's not just a global problem, it would appear; pen testers and local geography don't entirely agree either. Consider the following scenario. We've been asked to conduct a physical SE engagement against a company. So we asked them, okay, what are the objectives? And they said, well, we've got a client database, and we want to see if you can beat our physical perimeter, get into the office, and then hopefully compromise the network, or hopefully not compromise the network, and get to our client database. Is that something you can do for us? Yeah, of course we can, let's get this done. So we assigned it to one of our consultants who absolutely loves doing a physical SE. He speaks to the client, he said, can I have the postcode for the building? And the client duly gave it and said it's in a business park, so it's a multi-tenanted building, he said, and the business park is all covered by the same postcode. Okay. But, he said, the name's above the door. And remember that for later, because that's important: the name was above the door. So our consultant goes and does a bit of recon. He takes the company website, gets the address off of it, he puts it into Google Maps, it shows the office exactly where the client said it was going to be. He's thinking, yeah, this is all good. So he takes a drive, a drive-by, he has a look around. The client said multi-tenanted office space opposite some industrial units. So he does the drive past: multi-tenanted office, it's got industrial units across the car park, company name above the door, winner. So off he trots, gets himself ready, and next day he sashays into the building using his best physical SE techniques, which was basically he made a badge and then went and walked in through the front door. It was a bit quiet in the office, there was only one or two people milling about. He was okay, settled himself down in the corner, plugged in his laptop and went to town: compromised the entire network, zero to hero in about four hours, using a printer. He is a good consultant, did a great job.

Anyhow, he's getting towards the end of the day and he's thinking it's been real quiet, yeah, and one of the staff comes up to him and said, look, mate, he said, I'm after an early knock-off, could you lock up for me? Panic. No, maybe, uh, maybe I can't lock up for you, I'm just leaving. So as he's leaving he gets a phone call from the client, who said, was there a reason you didn't do anything today? And he's like, what? They said, well, I happened to be in the office, he says, and I haven't seen you. Awkward silence. I've been in the office all day. Hmm, there's a problem. Sometimes things really don't go to plan. Turns out the company has two offices in a business park, in multi-tenanted buildings, opposite industrial units, and hilariously they're one road apart and are still covered by the same postcode. You cannot make some of that stuff up, and like I said, sometimes things just don't go to plan. Fortunately, again, when he got into the office the correct name was on the building, he was on the right network, he'd done his due diligence, he'd done all these checks, he wasn't being reckless, and he had compromised the right network; it was just from one of their small satellite offices that wasn't really in use. But I think he gave a lot of value to the client, because the client had a lot of focus on their southern office, and now they realised they could be completely compromised from a place that they weren't investing any security in. So everybody's a winner, except for the person that was going to give him the keys. Not great.
Yeah, so geography: not the pen tester's friend. OPSEC. Right, this will be a painful slide for me personally, and our team, and hopefully it won't be painful for some of you guys. OPSEC is hard; things never go quite according to plan. So we go to great lengths to make sure our OPSEC is as good as it possibly can be. With the Nettitude red team we go to excruciating lengths, and yet over the last five years there have been a number of occasions where, when I look at them in the cold hard light of the slide in front of me, I think, why did we do some of that stuff? And the bottom line is, when you're on an engagement, when time and pressure is on, when you are suddenly getting somewhere after many days of getting nowhere, the red mist comes down. Pen testers be pen testers, and they just get on the keyboard and give it everything, because they want to do a good job, they want to get to the objective, they want to provide value to the client, and OPSEC is really hard.

So let's start at the beginning: email. We don't use things like King Phisher at Nettitude; we don't do mass-mail campaigns. We have a separate offering that does that. When we're doing targeted attacks in an engagement we'd send, at the top end, something like six emails. We don't send dozens of emails and throw it all at the wall and see what sticks; we're very targeted in what we do. So we go to great pains to make sure that not only is the infrastructure that supports the pretext up and running and looks legit, we make sure that the emails also look legit. And again, when you do this globally, we have interpreters who come in and they do the translation services for us, and we have them do it in a way where we say, don't just do word for word what this email says, I want it to sound exciting. And the translators, they go to work and they make these things look really beautiful and do a great job. That's fine up to the point where one user, very vigilant as they may be, said, hmm, I didn't really expect this kind of email, I'll send it to our IT security and they can just check it out. And they do a quick bit of reversing on the email, they have a look at the X-headers, and lo and behold the X-Originating-IP is pointing straight back at the Nettitude IP address, because when the guys were testing they were testing it from our own infrastructure rather than doing it from a VPS, the way we do it normally. Well, sounds really basic, but when you've tested the same email fifty times to make sure it's absolutely perfect, the one time you're not connected to the VPS when you're testing it is inevitably the one that you say, yeah, this is good to go, and you get nailed for it. It's hard.

Documents: if you're sending documents, whether it's supporting documents or documents to back up your pretext, then make sure you strip the metadata from them. If you've created it using a VM that's owned by the corporate, or in your own person, again you're thinking, who does that? We've done it. You know, over five years there's a lot of things that can happen. So again, hopefully you'll remember: strip the metadata. It only happened the once, but it's always the one time that you use it that you don't do it.

Social media. Well, we're using social media not for social media purposes but for targeting, because that's what we make you do. Don't use corporate personal accounts. Think of LinkedIn and "who's viewed my profile": if they see a load of Nettitude pen testers looking at the profile, and suddenly they've got an email from them with [inaudible] attached to it, it's probably not good. So use your phoney accounts, use those things that don't fingerprint your organisation or your team when you're doing your reconnaissance on your targets. Again, it sounds obvious: I'll just check, I need another target, I'm really struggling, they've all gone on holiday, I've got nobody left from TI to target, let me have a look at LinkedIn; and you forget to use your non-corporate account.

RDP. You're in the environment, you've got the ability to RDP to a box; it's a great thing to have if you've got that level of compromise. Now, when you're cleaning up and it's the middle of the night and it's on a weekend, and you think, oh, that box that hasn't been in is online, I'll go and do my cleanup because I'm a good pen tester and I want to make sure that everything is clean, and it's the middle of the night and obviously there's nobody there. When you do RDP and it says "this will terminate another user's session, do you want to carry on?", the answer is always no. Because when it's yes, they're like, something's just kicked me off my computer, please, something's happening. Real story. He's never lived it down, basically because I won't let him forget it.

Certificates: if you're using your certificates, again, you've got multiple VPSes and they're obviously all secured; make sure you're not doing things that leave other infrastructure names in the
old certificates, the old names. Trust me, it's easy to do, and it's happened, and when the blue team run you down on stuff like that it is not fun in the debriefs, it does not look good. But it happens, so be careful when this stuff is going on.

VPNs, we love them. You've compromised the network, you've got credentials, you discover they've got a single-factor SSL VPN open to the world. It's game over: you're going to bypass all of their boundary controls, get your VM set up, your VPN in, brilliant, I'm now a machine on the network, I can do whatever I want. "leak hacks or box" as a computer name and "fuzzy navel" as your workgroup sticks out like the proverbial on a client network. Remember to change the things that are obvious. Again, you're all going, obviously, what am I saying? And it is kind of obvious in the cold light of day, but as soon as you get that VPN access and you've got two hours left before the end of the engagement, you've got to use it, right? It's easy to forget something like that.

DNS: be aware that, basically, when you've got multiple engagements on and you're using lots of different DNS, don't share them between engagements. Now again, that sounds obvious, you should never reuse your collateral, but if you've got a lot of collateral in the bank because you've stood it up and you're getting reputation, you've done all these good things, it's really easy to lose track. Tracking things, all the domains, all the IPs, all the websites that you've got up and running for your engagements going forward: if people aren't marking down what they're using, when they're using it, how they're using it, is it burned, it has quite an overhead, and it's a struggle for all the teams that I've ever spoken to, how they track the collateral. It will get you caught in the end, because as soon as you get put on a blacklist by company X, company Y has got the same feed, and suddenly you're burned before you've started. So tracking your collateral, your DNS, is, you know, something that's hard, but you've got to be aware of it.

Domain reputation. So again, we do things like: we always buy domain privacy. And everybody says, don't bother, GDPR fixes all that, it takes all that information out. Now, it's not global. If you've got the option to buy it, buy it; if you don't get the option, use a different provider. Those historical WHOIS records against the registrant are going to get you caught. Again, maybe not at the outset, maybe not in the early days, but as soon as the blue team have got a sniff they're going to use all their tools and they're going to fingerprint you, at which point it's kind of game over for you. So you've got domain reputation. With a particular piece of infrastructure you're using, you're checking it against the type of proxy you think they use, Blue Coat for example. Don't just check it against what you think you're going up against; check it against all of the providers. It may look good on one provider, it may not look good on another, and eventually they all synchronise, and that'll get you caught. So do your due diligence. It only takes a few minutes more to check against all the providers rather than just the one that looks good. Yeah, we're good to go? You need to check it everywhere.

And we spoke a little bit about tracking your collateral; it's really, really hard to keep track of all of this stuff. You know, if you've got four or five engagements running simultaneously: who's using this website, who's using that, who's using those email addresses, whose build is that? You've got to have a reliable way of tracking it, your DNS names, your IP addresses, all of that stuff, because again the blue teams are on it. It's hard for you, but once they fingerprint you, once they've got that little thread that they can start tugging at, it's much easier for them to be able to track all that back. When you're using things like AWS, you know, elastic IPs: buy them. The last thing you need is, because you have to do a reboot of a server for whatever reason, you end up getting a different IP address, and all of your C2 is coming back to an IP address that you no longer have, and even worse, somebody else now has. That's not a great place to be, and you run around like a lunatic trying to change all your DNS and stuff. For what these engagements cost to run, it's not a lot of money to get elastic IPs, so use them where you can. And here,
here's my favourite. It is my personal, humble opinion that you cannot conduct proper red teams without dropping files to disk. A lot of people will tell you that it's possible; we've been doing this a long time, you can't do it reliably, it's just not a thing. But I'm not saying that you go and use PsExec all over the target environment, that's not what I'm saying. Be careful about the files you drop, and absolutely record everything you drop in a target environment: timestamp it, location, and don't just do IPs, please do hostnames, because IPs can change in target environments, whereas hostnames generally stay the same. Make sure that any artefacts that you either leave or you change in the target environment are absolutely picked up by you as the team, recorded, and available immediately if the client says, we think we've got a real breach, I need to know everything you've done, where you've been, what you've been doing, because we need to remove attribution; because we've got an incident response team at ten grand an hour who might spend two weeks chasing you around the network. That's not good. And if you can provide that reliably in a short space of time you will get mega brownie points with your clients, and they'll love you for it. Not recording it and not being able to provide it is just not an option. If you're doing red team engagements and you can't provide all of those things really quickly to your clients, you're doing them a disservice. Several times in the last couple of years we've been on target and we've either discovered what looks like a breach in progress or a recent breach, or they've had an incident happen while we've been in the environment. And we have got better; we've not been great at the start, but we've really refined our process. We can now provide them with everything we've done in, really, minutes after they tell us. It's important that you're doing that for all of your clients, and at the end they need it anyway, because if something happens down the line and you haven't been able to clean up, because a machine has gone offline, the user has gone to Barbados for a month and taken their laptop with them, you can't clean it up from there. So when it comes back to the environment and you've finished the engagement, the client has the information they need and they can clean up manually. It's really important and it'll do you wonders.

And dropping files to disk: have the ability to timestomp. If your tooling doesn't do it, create that capability. Blue teams love this. When every file's got the system-created date stomped on it, they can't just track you back to whatever was dropped in the last two days; they have to do a proper investigation. And remember, you're there to test the blue team's capabilities, their incident response, so you want to know how well they can do it. If all they have to do is a quick search on last-accessed time or last-created time, then you're not stretching them, you're not giving them a proper test.

So what we found, outside of the OPSEC and the mistakes that have been made, is we've got to the stage in a target environment where we've found the target system, we know who the users of the target
system are we compromised the Machine the user ones or counter leash all that emilich come on then login a nap pod volume with an alcohol time 14 medals and you spend a week watching them playing bubbles and looking at really expensive hoses on the internet with the tab sat up in the corner just waiting for you to wait for click on it and it doesn't happen so we need the right tools for the job pentesters you got all of them so tool development because of we've run into situations where if we hit a better capability we could have saved ourselves lots of pain lots of heartache wasa grief over that you know when there hasn't been capability you know how guys
have been they've been amazing they go back and I'll it we can't currently do this so let's figure out how we can do it and we're going to rate a tool to do it for us and that's you know that's what you want no this goes back to the early days and I'm sure you'll all be aware one of the first things that we run into that there wasn't really any tool available for was a proxy or we are Seto back in the day things like Empire I'm softly we couldn't handle proxy weird environment and where clients are slowly catching up on the security M sort of ramp most of them had an authenticated proxy and we see all the
time so young mr. Tonga and several other people mr. Hardy as well and develop or see too many of you will be familiar with it it's an ongoing project and young mr. Rob born who's started I see however you rob here you go Rob there's a lot of Dearborn Posse to know and it's gone from what was effectively a tool that allowed the guys to get through proxy we are to create proxy we have payloads and get through authenticated proxies and to something that's now a fully fledged C to a framework where you know you can write all you don't more jewels add to it customize it do what you will with it but that was the original requirement
that's why they were Auto only wanted to lay on the pile shell because back then pearl wasn't dead it was still a thing but and party to was born up so one of the other things that we discovered again you don't target and you've you've got the sea to channel your interactive PowerShell or whatever that is the soul still some things you can't do some of our target applications you needed to help GUI access that's either a thick client or it's sat behind a web front-end or at some and they created the s400 type system it's got some we have interface that only runs on the desktop decline and unless you can get your grubby little fingers
on it, you can't do a lot, and that's really frustrating when you've gone to all the time and effort of camping on the user's box, you can see them using it, and you can't do anything with it. So obviously we wrote our own SOCKS proxy. Up until the point where we wrote this, the only thing we'd had available was the SOCKS proxy from Metasploit. Now, it was a good SOCKS proxy, but everybody knew how to fingerprint it, so throwing that in on an engagement where, again, you've spent a lot of time, effort and, you know, money getting onto the endpoint, and then throwing in, you know, a bit of Metasploit code: probably not great.

So one of the guys, Rob Maslen, with help from other people in the team, wrote SharpSocks. As you can see, you've got the attacker's machine there, and this is all we do: it allows us to proxy our traffic over the C2 comms to the implanted machine at the other side, and then we've got GUI access, so we can run stuff from outside. If they're using a thick client, we can download the thick client from their machine, we can run it on our machine and we can proxy it down, and we can run, you know, like you can on any sort of proxy, you can run proxychains or Proxycap, and you can use a browser, you can use any number of tools on the endpoint, and all it does is it just tunnels everything down the existing C2, and you've got effective GUI access. Sounds really Billy Basic; it was actually much, much harder than we ever thought to be able to run the SOCKS proxy across the C2 comms and not be visible to the other side, and that's the beauty of it. It's been recently updated; anybody who keeps up with PoshC2 development, PoshC2 uses SharpSocks as well, and it's super reliable, it's super fast, and it's really made a massive difference. You know, for operators now to get to the target application and the backend, it's a breeze, and it's really made a difference.

The other thing that we often have: like I said, a couple of the guys spent the best part of a week camped on a user's machine, the user of the target application, and all he did was look for expensive houses and play Bubbles. It was an investment banker, and he did no work whatsoever, and I dread to think what they were paying him, but looking at the houses he was looking at, it was lots of money. He wasn't even that good at Bubbles. We could see his desktop, we were camped there, we were watching his screen the entire time, and we could
see the tab with the target application name in it. All you needed to do was click on that tab, and with the keylogger and then the SOCKS proxy we would be him. A week, and he never went near that tab; he never touched what effectively his job was. So again, Mr. Maslen wrote a tool called PowerThief. I'll apologise for the next gif that's coming up, because this is Rob Maslen's work, and anybody who's worked with him, the guy's a genius, but his ability to actually use computers for things like Word, PowerPoint, is shocking. The guy struggles with phones, and yet he's got a massive noggin, really clever, but I'll let it run through a couple of times and I will explain what it's kind of doing. It just needs to get itself back to the beginning; it's not a video, it's just a gif.

All right, so the first thing you're going to see, you're going to see a browser with multiple tabs. That's the one that you're after; if the user doesn't click on it, you know you're going to struggle to get there. There's a particular API he's interested in. He's going to run PowerThief on the implant. It's got a load of other functionality: you can see the three tabs there that are open, he could pick any one of them, choose the ID and dump the HTML, or find the particular API or whatever ID field he wanted. As you can see there, the ID was "API secret", and you can dump that into the command line and it will pull that out. It doesn't matter what tab you're viewing at the time; it can interact with the browser and pull the HTML back from any of the tabs that are open. And there was a whole raft of other things. In this case, think of somebody who's using a password manager. Password managers don't work for us for keylogging, because obviously it's being copied and pasted, but if you can pull it back straight from the browser when it's been entered, you're then, you know... The links are at the end of the presentation, you'll be able to go. Rob did a talk on this a year ago, I think; there's a blog. The tool is available as a standalone as well as being available as a module for PoshC2, and it allows you to do a whole raft of other stuff: it allows you to execute JavaScript in the window of your choice and stuff like that. But both of those gave us tools that allowed us to be able to move the engagement forward without relying on that user. So that lazy so-and-so of an investment banker: we could have done it a lot faster than the week that we were on
his machine while he played Bubbles.

The next thing we would come up against: again, over the years our clients, the clients that we're coming up against, are getting better, the security is getting better, and some of them have actually started doing their network segregation, of all things. Bizarre, isn't it? We had a situation where one of the guys was in an environment and you could not get from server land back to user land. He could do the usual things: he could request SMB, so think of your file shares; he could do HTTP, so think of your web servers that are sat in server land. But what he couldn't do was get a shell on them, because it couldn't come back and it wasn't allowed out to the internet. This is a bit annoying, because often all the good stuff lives in server land, and that's where we want to get to. So think back to your old Metasploit days: when you can't get a reverse shell working because of firewall issues, use a bind shell. So a bind shell is still not going to work in this case, because we do want that C2 traffic.

So, excuse me, what Mr. McLeod wrote was a tool called PBind. What this allows them to do is use SMB named pipes, you know, not rocket science, but because 445 to the target in server land was allowed, because of the file shares, because the file shares were over there, he was able to connect using named pipes and then run commands from that server, from that named pipe, to other servers in the environment. See there, he can do things like run an ARP scan: what other devices are on there? He could do things like try and find what ports were open back in user land and where they were. So what he's able to do, and I'll show you here: he can't get out, so you can't get a shell. So PBind allows them to create that named pipe on the first server, run commands against the second server, find the route back out through the firewall back to user land, and nobody's in user land, and you can get information back by running the commands in a push rather than a pull manner. And again, this has become really sort of useful to us in those environments that are doing it properly [unclear]. Again, the networks were telling them not to use server land, user land, and it'd just be a big flat network, when the segregation came in. So it shows you that we're still able to do a lot of this.

So the last few slides, just a little bit on communication. So it is good to talk, right? It's good to talk. Too
much. Effective communications on any red team engagement: you've got to have constant dialogue, not just amongst the team members but amongst the client and yourself. In the early stages of an engagement, what we actually do is we get all of the guys who are on the engagement together in the same room, same place, because those early times are really crucial. It's when it's at its most stressful: you've got your phish going in, you're waiting for a shell coming back, you want to get persistence in, you want to get a feel for the environment, there's a lot of moving parts, and trying to do this from different countries, different counties, different sort of cities, it can be quite difficult. However, we don't want everybody camped at Nettitude's offices all the time, so those early stages are critical.

Client communication needs to be sort of clearly defined so that you can communicate with them. There's no point in sending them requests across email when, if they've got a mature blue team, they will be looking at the content, and if they start to see "red team" as a word and they're flagging on it, or, you know, "exploit" or anything else that they're looking for... You've got to make sure that you can communicate with the client in a secure manner that's not going to tip anybody off if they've got that level of capability.

So how do we go about doing this? So internally we use a couple of tools. We use this; it's called Mattermost [unclear]. What this provides us with is the ability to have, just, stand-up chat room type facilities, you know, person-to-person, and it comes supplied with channels, public channels that everybody can use, peer-to-peer, and it allows me as a manager of the red team engagements to be able to dip into all the live engagements that are running. But we can also secure them, so only the people that are supposed to be on the engagement can see what's happening, and that's great, and we host all of this internally so you're not putting client information up in the cloud anywhere. And what it means is that once we've got over that initial stressful part of the engagement and the guys can all sort of work from home, they've got a channel where they can share files, code blocks, they can do all of this stuff really sort of straightforwardly. And again, we've been using it about a year now and it's really made a difference to us, and certainly as a manager it allows me to keep a really close eye on where the guys are, effectively.

So you're running the engagement, you're talking to everybody, it's all good. What about getting towards the end? Think of that large multi-scenario
red team: you may have had six testers doing it, they've all got the data from the test, they're all feeding it back to the one poor soul who is having to write the report, and you give him your folder full of screenshots labelled 1.png, 2.png, 3.png, and that's not going to help him when he's got like a two hundred, three hundred page report to write and he's having to go through all that stuff. So how do we make that happen in a way that's conducive to writing good reports? Because ultimately what you're giving your clients at the end is good reports.

We use a tool that allows us to collaboratively work on the same document at the same time, so it doesn't matter how many people are involved, and it logs it, so everybody who makes changes, it's all recorded. It's called HackMD, and, because it's probably the most important part, it also allows you to log everything. As I was saying earlier, being able to give your clients information really quickly is super important and allows for the attribution; it's key to doing the detect and respond, because after all that's what we're there to do. And of course with the multiple scenarios it keeps all the information so that everybody can work on it at the same time, and that is literally the one thing I think we've probably done in the last eight months: is introduced this tool. We've created a framework, and basically as the engagement's running the guys are filling in this template, effectively collaboratively, everybody's adding bits at the same time, and at the end of it it's almost a copy and paste into your formal report template. All we need to add is the narrative, our story of how that happened. And the tool, like I said, it's done in Markdown, it's really straightforward. Again we host the stuff internally; the guys all access it from the VPN. Again, it doesn't matter what the tool is; we know that that's what works for us, but if you're not using something where you can all write to the same document at the same time, rather than one person writes something, then he has to read it and then add his bit, and so on and so forth, this becomes really useful. And you can do all sorts of funky things: you can create tables and stuff, and it just makes your report, and therefore the recording of the engagement, a much, much better sort of experience for the testers really. And, you know what, they're all precious little flowers and they need to be cuddled every now and again, and it's something that's helped them. So yeah, like I said, I've got some links just at the end. So I'm just wrapping up now. Read the Docs is
something that we also use. Again, we use that for all the permanent storage of information, so, you know, stuff that we've got to reuse over and over. That could be security products, what works against them, what doesn't; we have a repository. We use Read the Docs; it's a nice easy format. Again, we host this internally so it's never out anywhere that people can get at it, but it's always available to the testers.

And a couple of show notes, for those of you who like to take pictures of the screen, take a screenshot: those are the tools and the people involved along with us, so their Twitter handles, all very smart people, much smarter than me, and they've really made a difference to our red teaming. Oh, sorry, trying to go back. And those are just a couple of links there to those tools that we use for the collaborative reporting at the end. And just the last thing from me: thanks for listening, and that's all, folks. [Applause]

We've got time for two questions, or hit me up at the after-party in the bar, come and talk to me [unclear]. Any quick questions? No? That's great. Phil, thanks very much.