
All righty. So I've got 20 minutes, so I'm not going to let a single second go to waste here. Thank you so much for coming out. This is kind of a pile of random tricks that I like doing, and they may be different from the ones you like doing. So if I don't cover your favorite trick, I'm sorry. These are generally ones that I think are both interesting and also things that fewer people typically know about.

So where this all starts from is: if you're doing a security assessment, or you're just breaking into stuff for fun, it's a race. You're racing against either someone else finding the same machines first, the attacker detecting you, whatever it happens to be. You're racing against the clock because your firm is only paying you for a two-week assessment. Whoever it is, there's usually some pretty good time pressure for, you know, when and why you're breaking into something, or at least trying to assess it before someone else breaks into it. So in general, every time you're doing a security assessment, it's always a race. You're not doing it now because it's fun. You're doing it now because you're trying to prevent someone else from breaking in, or someone else from fixing it before you break it.

So the goal today is to really focus on: how do you get useful targets fast? How do you find the most interesting stuff quickly? How do you identify pivot points, things that let you go from one part of the network to another, or one privilege to another, across the environment? How do you maximize your access? So instead of charging straight at the fortified walls, how do you just find a tunnel around them and ignore all that crap? And then how do you actually get your data and leave with it?

So, a quick intro. Hi, HD Moore, founder of Metasploit. Worked on that for 15 years with some folks here. Lately I've been working at a company called runZero. We do commercial fun stuff, but mostly I like doing research and I like coming up with really neat, fun techniques for identifying things. And that's kind of where my heart's been for the last almost 30 years.

So first things first: the very first thing you should do in every assessment is start tcpdump, start Responder, and start Flamingo. If you don't know what Flamingo is, that's fine. It's a tool I wrote a while back when I was working at Atredis, but Flamingo basically catches all the stuff that Responder doesn't catch. So if you're running Responder, for example, it'll catch things like MSSQL server, LLMNR, NetBIOS name resolution, things like that. Flamingo then captures the rest of it: things like SSL, SSH (it actually acts like an SSH honeypot in some cases), it'll gather web requests, various different flavors. So it's not quite Responder, but it has a little bit of overlap. So I definitely recommend: one, set up tcpdump on whatever machine you're doing your attacks from; run Responder with the defaults, they're great; and then turn around and run Flamingo on top to cover all the other ports that Responder doesn't cover. And you'll find links to all this stuff in the references in the deck.

But this stuff is really important, because just in the process of preparing for this presentation I ended up getting a ton of great credentials from a lot of big firms. So a big airline, a national airline company, sent me their Palo Alto user ID and password. That's like the admin for the Palo Alto. WatchGuard firewalls apparently will still throw you their password if you port scan them, which is fantastic, just like Palo Alto used to. So I love the fact that all this security hardware loves to give you its password when you piss it off. So the more noise you create on the network, the more likely one of those devices will then try to log into you and give you its password. It's fantastic. So the first thing you do is always set up your listeners, because you'll capture all kinds of nice gold just by running that.
So we're going to take this in multiple steps: start from outside everything, like you don't know anything about the company, how do you find the initial domains, things like that. Then get into, well, how do you get past the first layer of the edge? How do you start finding good targets inside? And then how do you find the loot? How do you get out?

So from the outside it's, you know, all DNS, right? DNS is always the great first step to find anything. What I love about DNS these days is that it's gotten a lot more juicy in that sense. Like, you do a TXT record lookup for a domain; it used to be you'd get an SPF record and that's it. Now you get an entire list of every third-party service that company uses. So if you do a dig TXT on adobe.com, for example, you'll get a list saying, "Oh yeah, we've got DocuSign, we use Docker, we use Chariot, we use Atlassian, we use Amazon SES." So if you're doing a phishing attack, you know exactly which platforms they support and which ones they don't, based on what verifications they've already done. You also know where their website hosts are. You know what other applications their team is using. You know their authentication back end. So you learn all this stuff about a target now with a simple dig -t TXT, which you didn't get nearly as much information from years ago. So it's kind of neat to see how all this stuff is, you know, what's new is old again, and it's actually even better now. But there are also fun records. Look at the NS records, TXT, MX, CAA, etc. It's a neat way to just get started.

So the second thing is, a lot of folks complain about, well, I don't want to run, you know, DNS Dumpster or go to these different websites because I'm sending my target list to a third party. Like, yes, yes, you're doing that. Don't do that. An easier way to do it is to go download all the zone files yourself. It's free. You have no excuse. Sign up at CZDS (czds.icann.org), get an account, and then request all 1,200 zone files for com, net, or whatever, all the gTLDs, and then download them. And then if you're looking for a target, you just grep it. It's not rocket science, and still nobody seems to do it. It's really easy. So you want to find every domain that looks like paloaltonetworks.com, that points at a particular IP address in its A record, that uses a particular name server. Those are really quick things you can do with a download of data from the zone dump. So, you know, definitely be a zone-dump trash panda; it's a lot of fun to dig through these data files. You can download them daily. There are CLI tools to automate it. It's a really underused resource. Instead, we typically go to a third-party portal or run some other tool. You don't need to go to a third party. You can go straight to the source of the zones, download them all, and do analysis on your own without someone else knowing what you're looking for, which is the important part.

Now, this is also really important if you're, let's say, changing your company's domain name and need to find a new domain name. If you try to look at new domain names online, they'll actually get more pricey the more you look at them. If you just download all the zone files and find the white space in between them, well, then you can find a domain name no one's going to use, without them knowing you're about to pick that domain name. So it's really helpful from that perspective, too.

So a neat trick I came across just chatting with some friends on Slack is there's a way to identify which Cloudflare domains are owned by the same account. And that's usually something pretty rare. Typically that's a privacy thing: you typically don't want someone to know that your multiple Cloudflare domains are owned by you, that your Furcon site is also your personal portfolio, etc. You usually want a little bit of separation between those things. But there's a semi-neat trick with Cloudflare where, inside your Cloudflare account, they support about 10 different name servers, and they allocate two DNS servers for all your domains, and they're all the same pair within your account. So if you start doing the math on that, you've got about a 2% false positive rate when you look at the combinations of those 10 name servers for a given account. And with older accounts, you're more likely to use the two older name servers, but typically it's about a 2.2% false positive rate. So you can see here that we did a really quick run: first download the com database, look for everything using Cloudflare, get a list of all the pairs, run that through an analysis tool (which will be in the references here). You can see that accountingcloudbox.com, accountingdoc.com, accountinghosted.com, bizaccountingcloud.com all got matched together as being under the same account. So, pretty straightforward, and later down here you see there are probably some false positives, like luxgirls, aana, things like that, but it's really solid at getting you about a 90% hit rate for all the domains within the same account at Cloudflare, which, as far as I know, there is no other way to do.
There's also Subfinder and Amass. If you use either of these tools, they're fantastic at doing the throw-your-stuff-at-everything approach. They will hit every API out there. You can give them API keys. You can use the non-API-key versions, and effectively they'll give you a ton of data really quickly. The pro, of course, is they're really fast. They do a lot of work for you without a lot of setup. The con is you're sending every single hacker website a list of your targets when you're looking for them. So if I was an evil person, I'd go set up my own DNS resolver, "DNS Dumpster but for real dot com," submit it to Amass and Subfinder as a cool resource, and just soak up all people's targets and look at what they're looking at. So you get a good sense of intelligence on the other side if you're running one of those tools. So one of the reasons you may want to use the DNS zone files directly is you're not doing this. On the other hand, if you're in a rush or don't care, these tools work great. Now, Subfinder is the quick CLI version that pipes into other tools really well, whereas Amass is much more of a tool that you want to run on a recurring basis to keep track of new domains and alert when new domains are found. That's more of a set-and-forget, you know, enterprise tool, but both are written in Go. Amass just released 5.0, which is fantastic. And they're both under permissive licenses, so none of the AGPL crap.

So, anyone here familiar with Certificate Transparency? Hopefully a bunch. Okay, great. Certificate Transparency, like, changed the world. It used to be really difficult to know what subdomains, what host names a company had. And then the CA/Browser Forum said, you know what? If you guys are going to issue TLS certs, we don't trust you guys anymore; you need to submit all your certificates to a public transparency log. That's a big signed Merkle tree. And in doing so, we've now got real-time notification of domains being registered. So if you're setting up a new WordPress site, for example, and you use godaddy.com, well, the second you register that domain, before WordPress is even completely set up, you're now telling the entire world that that domain is live with a new TLS cert. And you don't want to connect to WordPress before there's TLS, because then you're sending your password across the network in clear text. But as soon as you go over TLS, you're now racing everyone else to find your WordPress site before they do. So if you run, you know, ctail, basically watch the flow of new domains being registered to CT, you can race people and steal the WordPress accounts before they finish setting them up, and that's just how it works. There's no fix for that right now.

But one of the things a lot of folks don't realize is crt.sh is an amazing tool, if you've ever been to the website. What a lot of people don't realize is there is no application there. There is no web stack. There's nothing but PostgreSQL. The entire web interface of it is just PostgreSQL. They built an entire web stack, everything from search queries to HTML to templating to links, as just SQL queries and SQL functions in the back end. It is insane, and you can find the source code. So don't let anyone tell you that just because you're a DBA, you're not a full-stack developer. [laughter] One of the things you also may not realize about crt.sh is they actually have a full-on SQL interface. You can just run psql as the guest user against crt.sh and run queries all day long. You don't have to use their website at all. You can hit their database directly on the internet. They just allow that. They're very brave. But the hard part is getting the SQL. Like, how do you figure out this crazy SQL on the right side? Well, you have to go look at the web interface, pass showSQL=true, and it'll give you the query you need to find the stuff. Then you adapt that query for your stuff going forward. So if you want to build automation into your tools using just psql, great. It's easy.

Now, if you want to go the other direction, let's say you want to do this but you don't want to tell crt.sh who you're trying to resolve all the time, or you want to go get the data directly yourself. It turns out it's really easy to just take a list of all the active certificate transparency logs and then monitor the heads of those logs, and they'll tell you about new registrations in real time without having to tell anyone else about it. Effectively, you just write a tool that goes and looks at the 20-odd logs. It says: what's the current index? Give me the last registrations. Show me the names. Spit them out. And so this little tool, called ctail, is at github.com/hdm/ctail. Basically it'll just spew out all the names as they're registered in real time, with whatever regex you want, and you feed that into whatever attack tools you want. So if you want to identify all the registrations for a given target domain name, or anything with a certain prefix like autodiscover or blog or whatever, it's really easy to do. And the Project Discovery team recently added similar support to the tlsx utility, a sub-utility called ctutil. I'm not sure if it's been officially released yet, but it's in the source tree. And that'll do something very similar as well. So if you want to drink directly from the CT fire hose, it's not that hard.

So another fun thing is split DNS. A lot of folks don't realize that often external DNS servers will allow you to query internal DNS results. It's something that's been around forever, but folks don't actively look for it, and they should. The short version is: first you look for, I'm going to have to fly here, the first thing you need to look for is any outbound DNS server. So look for any DNS exposed to the internet. Great. Scan that, and then brute force it for private IPs. You can do the same thing by looking for internal names like OPNsense, pfSense, router. setup.com is a special name where if you resolve it internally, it resolves to an RFC 1918 IP, like a private IP. If you resolve it externally, it resolves to an ads IP. So it's a great way to know if you're inside or out.

Another fun trick is you can actually use an open DNS resolver, so any DNS server that resolves your domains, as a ping scanner. You can tell it to ping things it can reach that no one else can reach. You do that by creating a fake subdomain where the NS records for your fake subdomain point to internal servers, internal, like, private IPs, and you tell it to basically do DNS lookups against internal systems, and based on the latency of that, you can determine whether that system resolves or not. So for example, you can scan the private range of Quad9's internal network by looking at the latency results of doing IPv4 lookups with this crazy DNSRP tool, which you can also find in the references.
So going to the next step: how do we find things in the internal environment? Well, we find developers, repos, resources, find targets, find pivot points, and then go quick. So the first thing I like to do is hunt for the developers themselves: find the folks who work at these companies, go through all their stuff, and try to find references to tooling, to packages, to resources, domains you may not know about otherwise. Even better, if you can find the list of all the different developers, like in this case the Microsoft repo, go steal all their SSH keys. They're all public. Just go there and grab all their SSH keys. Now, whenever you find an external machine with SSH enabled, you can just throw those keys against it and see whether or not they're allowed to log into it. So you can quickly, just using someone's public SSH key, see whether the server accepts it for that username and that key, even without having the private key part of it. So in doing so, you can figure out: does user A have access to the system? It's also useful for knowing, like, did we lock this user out or not? Well, if you have their pubkey, and just their pubkey, you can still figure out whether they've got access to an internal machine or not. For a lot of git repos, you don't actually need the username, you just need the pubkey. It'll then tell you which username you're logging in as, just by doing half the authentication. So there are some neat things you can do with that. A couple of ways you can do it: you can either take one key and throw it at all servers on the internet, which is what we did, searching for geotan from his GitHub key. Or you can go the other way, and you can take a thousand keys and throw them against one server, where you're trying to figure out which users have access to one server. So both methods you can do through the SSHamble tool that I released a couple of years ago.

Now, VPN appliances have become the number one way into networks. The Mandiant report from last year says, of their top four breaches, sorry, the top four initial access vectors for all the breaches they investigated, they're all security appliances: Ivanti and Fortinet. And if you've been in security for the last couple of years, that didn't surprise you, but it's amazing that the biggest sources of breaches are actually security vendors.

So another fun thing is Remote Desktop. Now, Remote Desktop used to be fun because you could get a copy of the desktop without logging into it. You could see the group names. You could mess with it, screenshot it, things like that. Then they added something called NLA. NLA is Network Level Authentication. It makes you do a full NTLMSSP handshake. That's actually even better half the time, because it'll actually give you the domain name. It'll give you the OS version. All kinds of stuff during the handshake itself. So while Remote Desktop is something you typically don't see on the edge anymore, because it's not something you want to expose, it's also something that you can still find through these other mechanisms. You can find it hanging on IPv6 addresses that the user just doesn't know are there. And you can also find it through Remote Desktop Gateways, through RD Web, and other web interfaces to Remote Desktop.

Other fun ones are v6 exposures overall. So there's a large university customer of ours who says, "Hey, our Hurricane Electric ISP accidentally routed all of our internal IPs to the internet through v6 to the NAT64 gateway." So if you have an anycast NAT64 router, it'll actually just start routing all your external traffic to internal devices externally through a mapping layer that's predictable, and they found out the hard way when Shadowserver told them their RDP was exposed to the internet. Another example of this that comes up is cellular broadband IPs. If you've got a laptop and it's got, like, a mobile LTE adapter, typically you have a v6 address from your cellular provider, and depending on which network you're roaming on, you either have a firewall or no firewall, but you don't actually know. A lot of folks just assume the cellular side's going to firewall you off, but a lot of cellular networks will actually just stick you directly on the internet, too. So as you're roaming around, you go from having a public, bare v6 address to not having a public, bare v6 address.

So as we're going inside the network a little bit here, and I know we're short on time, the question is: where do you go next? So you've got some foothold. What's the first thing you go after? Well, you don't go after the data first. You go after all the platforms that control access to the data. You go after the network management tools. You go after the admin's workstation. You go after the developer machines. Those machines will get you into everything else. They're not the things that you typically think of as being your first line of defense for your credit card data, but they're actually the easiest way to get to the credit card data, by going through those machines. So network management platforms are my favorite. I love popping SolarWinds, ManageEngine, PRTG, OpenNMS, because they've got all the clear-text passwords to all the network devices. And it doesn't matter how good your segmentation is when the attacker has a password to your ASA and can just reconfigure your firewall. So I've been in tests before where we literally just opened a hole in the ASA firewall into the cardholder data environment and just walked right into it, because we had access to SolarWinds, which had access to push rules to the firewalls. So your segmentation doesn't matter if your attackers take over your device configuration, and it's just a really easy thing. So what I like about this is you can actually run the Flamingo tool on the command line for port 22, 161, etc., and immediately capture all the credentials from your local network management tools, and then turn around and replay those against the network and own all your stuff. So it's easy.
Some other easy pivot points here are, like, nextnet, a little utility for doing NetBIOS reflection that gets you the secondary IPs. rpcdump will actually dump the endpoint mapper. Impacket has a tool called IOXIDResolver which gives you the multiple IPs for a single machine as well. A little more difficult: you can start looking for devices that support SNMP and looking for devices that have the same unique ID in multiple places, so you know it's the same machine. Or you can find systems that enable packet forwarding by default. So the surprising thing here is just about every printer, and just about every desktop or laptop running Docker, is actually also turning on IP forwarding by default. So if you take your laptop and you're plugged into the Ethernet and you're plugged into the Wi-Fi at your company and you're running Docker Desktop, congratulations. You're now allowing everyone on the wireless network to route through your laptop to the corp network, and no one knows, because they didn't realize you turned on IP forwarding and nothing is disabling that on your machine. So IP forwarding is everywhere, and no one bothers checking for it, and it's a lot of fun.

So the dev tool hubs are also a lot of fun. You can go after the CIs, code forges, artifact tools, etc. They tend to be chock-full of credentials, as people build packages that are not meant for external use. Config key-value databases are my favorite as well, going after Mongo, Redis, Consul, etc. You basically can find all these services that are exposed to the network without authentication that are chock-full of credentials and fun things, including session IDs, which you then take to bypass login.

MongoDB, I just want to complain about it temporarily here. So MongoDB in version 5.0 said, "You can no longer run our software on CPUs older than X." And so what did the world do? They said, "Well, that's great. We're just going to run ancient MongoDB on our production systems from now on." So if you install Ubiquiti UniFi on any system out there, it's going to be running an end-of-life version of MongoDB before 4.4, because they literally cannot run newer binaries from MongoDB on older ARM platforms. Even Cisco ISE, like the big enterprise tool, actually includes seven different versions of MongoDB, and depending on how old your CPU is, it'll downgrade you to an end-of-life version if you run on an older AMD or pre-Sandy Bridge Intel architecture. So it's pretty amazing that you have this end-of-life tooling being packaged with, you know, fully patched software just because of that.

So other fun things are login scripts, usually full of hard-coded passwords. BigFix relays are great to dig through and dump out packages. I love finding really old computers, because if they've been around for a long time, it means they've been there for a reason. Someone couldn't get rid of them if they wanted to. So whatever the reason is, figure that out, because that's why it's important. And also, because it's ancient, it probably has all kinds of fun bugs. You can, you know, dust off some books from the library and still find ways to break into it. So printers are also a lot of fun. Not only are they pivot points, but they're chock-full of credentials as well.

And now the fun part: how do you get the loot? Well, focus on all the things that are old and odd and under-protected. Focus on out-of-band management, underlying storage systems, and the backup platforms. So find the weird stuff first. So what are the only-a-few-of on the network? How many AS/400s do they have? Well, probably, like, one. How many HP 3000s? How many of these old OT HMIs? Look for the things that don't look like their friends and go after them, because they're probably missing security updates compared to the rest. I love BMCs, KVMs, serial servers for the same reason. They effectively provide a lower-security way to bypass the security of a much higher-security system. They typically leave authenticated sessions open. So if you pop a serial server, which tends to be like a junky IoT device, you now have 16 different logged-in shells of all your routers and all your firewalls. And these are only the routers and firewalls that matter, because otherwise you wouldn't put a serial server on them. It has to be important enough to have out-of-band access to it. So by definition, if it has a serial server attached, it's wide open and it's exposed, which is great. So those are good targets.

IPMI is still a backdoor, even with the latest version of Supermicro. They ship with IPMI by default. And because the state of California found that default passwords give you cancer, they now have to randomize the password instead. But the randomized password can still be cracked via the RAKP protocol, which is the IPMI handshake. And you can tell RAKP, I would like that password in MD5 format, please, or maybe SHA-1, or maybe SHA-256. But because you're able to pick which password hash you want from the protocol, you know it's storing it clear-text on the server side, because it has to; otherwise it can't calculate the hashes. So effectively you can ask the IPMI service to give you a hash in any format you want and then go crack them really easily. Just turn off Ollama for a little bit and get your shells.

Another really fun one is NFS. A lot of folks will filter port 111, but they won't filter 2049 and the mountd port. So, like, my earliest claim to fame was owning all of Yahoo's mail servers through NFS, because they filtered the rpcbind port but they didn't filter NFS and mountd. So you just mounted all the NFS shares from the internet and went through all their email. That was great. iSCSI, same thing. It supports authentication, but practically no one turns it on. And backup systems are one of my favorites. So a great example is Rapid7 said that more than 20% of all their incidents in 2024 involved ransomware attackers going into their Veeam Backup & Replication systems.

So that's it. I talked about getting it out, but effectively you know how to do this stuff already. Basically rsync the loot, use SQL itself, use VPN tooling, use things like that. And that's it. So that's about 30-ish tips in 20 minutes. Thank you so much. [applause]

No, I'm out of time. If you have any questions, I'll be hanging out by the runZero booth at the back there. Thank you.
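Editor's added example for the TXT-record discussion early in the talk (the "dig TXT on a domain tells you every third-party service they use" point). This is not HD Moore's code or a runZero tool. The dig output is constructed, and the vendor tables are a small, assumed mapping of well-known domain-verification prefixes and SPF include targets; extend them with whatever your own target set turns up.

```python
"""Pull third-party service hints out of a domain's TXT records.

Added example for the TXT-record discussion in the talk; not HD Moore's code.
The dig output below is constructed, and the vendor tables are a small,
assumed mapping of well-known verification prefixes and SPF includes.
"""
import re

# Constructed sample in the shape `dig -t TXT example-target.com` prints.
SAMPLE_DIG = """\
example-target.com.  300  IN  TXT  "v=spf1 include:_spf.google.com include:amazonses.com include:spf.protection.outlook.com -all"
example-target.com.  300  IN  TXT  "atlassian-domain-verification=AbCdEf123"
example-target.com.  300  IN  TXT  "docusign=0123abcd-4567-89ef-0123-456789abcdef"
example-target.com.  300  IN  TXT  "MS=ms12345678"
example-target.com.  300  IN  TXT  "google-site-verification=zzzz"
example-target.com.  300  IN  TXT  "some-unknown-token=xyz"
"""

# Assumed mapping: verification token prefix (lower-cased) -> service that asked for it.
VERIFY_PREFIXES = {
    "atlassian-domain-verification": "Atlassian",
    "docusign": "DocuSign",
    "ms": "Microsoft 365",
    "google-site-verification": "Google",
}
# Assumed mapping: SPF include target -> mail platform allowed to send as the domain.
SPF_INCLUDES = {
    "_spf.google.com": "Google Workspace mail",
    "amazonses.com": "Amazon SES",
    "spf.protection.outlook.com": "Microsoft 365 mail",
}

TXT_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+"(.*)"\s*$')


def txt_strings(dig_output):
    """Extract the quoted TXT payloads; ignore anything that is not a TXT answer line."""
    out = []
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line)
        if m:
            out.append(m.group(1))
    return out


def classify(strings):
    """Sort TXT payloads into verified services, mail senders from SPF, and leftovers worth a manual look."""
    verified, mail, unknown = set(), set(), []
    for s in strings:
        if s.lower().startswith("v=spf1"):
            # Every include: term is a platform authorised to send mail as this domain.
            for term in s.split():
                if term.lower().startswith("include:"):
                    target = term[len("include:"):].lower()
                    mail.add(SPF_INCLUDES.get(target, f"unmapped include {target}"))
            continue
        prefix = s.split("=", 1)[0].lower()
        if prefix in VERIFY_PREFIXES:
            verified.add(VERIFY_PREFIXES[prefix])
        else:
            unknown.append(s)
    return {"verified": sorted(verified), "mail": sorted(mail), "unknown": unknown}


if __name__ == "__main__":
    for kind, items in classify(txt_strings(SAMPLE_DIG)).items():
        print(kind, items)
```

The "unknown" bucket is the interesting one on a real target: an unfamiliar `something=token` string is usually a vendor you have not mapped yet, which is exactly the kind of platform the talk says to look for before you build a phishing pretext.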
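Editor's added example for the Cloudflare name-server-pair trick described in the talk (group domains from a downloaded zone file by the pair of Cloudflare name servers they are delegated to). It is not the analysis tool from the talk's references and not HD Moore's code. The NS lines below are constructed in the gTLD zone-file layout, the Cloudflare name-server names are illustrative, and the collision estimate assumes uniform pair assignment, which the talk notes is not quite true for older accounts.

```python
"""Group domains by their Cloudflare name-server pair.

Added example, not the tool from the talk. Input is a handful of constructed
zone-file NS lines; the domains and Cloudflare name-server names are made up.
"""
from collections import defaultdict
from itertools import combinations
import re

# Constructed sample in the gTLD zone-file format: "<name> <ttl> in ns <nameserver>",
# one line per delegation. Two domains are delegated to the same account's pair
# when they share both name servers.
SAMPLE_ZONE = """\
accountingcloudbox.com. 172800 in ns ada.ns.cloudflare.com.
accountingcloudbox.com. 172800 in ns rudy.ns.cloudflare.com.
accountingdoc.com. 172800 in ns ada.ns.cloudflare.com.
accountingdoc.com. 172800 in ns rudy.ns.cloudflare.com.
bizaccountingcloud.com. 172800 in ns rudy.ns.cloudflare.com.
bizaccountingcloud.com. 172800 in ns ada.ns.cloudflare.com.
example-shop.com. 172800 in ns kim.ns.cloudflare.com.
example-shop.com. 172800 in ns walt.ns.cloudflare.com.
unrelated.com. 172800 in ns ns1.example-dns.net.
unrelated.com. 172800 in ns ns2.example-dns.net.
"""

CF_NS = re.compile(r"\.ns\.cloudflare\.com$", re.IGNORECASE)


def parse_ns_records(zone_text):
    """Return {domain: set(nameservers)} from zone-file NS lines; other record types are skipped."""
    ns_by_domain = defaultdict(set)
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].lower() != "in" or parts[3].lower() != "ns":
            continue
        ns_by_domain[parts[0].lower().rstrip(".")].add(parts[4].lower().rstrip("."))
    return ns_by_domain


def cloudflare_pairs(ns_by_domain):
    """Keep domains delegated to exactly two Cloudflare name servers; return {domain: sorted pair}."""
    pairs = {}
    for domain, servers in ns_by_domain.items():
        cf = sorted(s for s in servers if CF_NS.search(s))
        if len(cf) == 2 and len(servers) == 2:
            pairs[domain] = tuple(cf)
    return pairs


def group_by_pair(pairs):
    """Cluster domains by shared pair. A cluster of one says nothing, so it is dropped."""
    clusters = defaultdict(list)
    for domain, pair in pairs.items():
        clusters[pair].append(domain)
    return {pair: sorted(ds) for pair, ds in clusters.items() if len(ds) > 1}


def collision_rate(pool_size, pair_size=2):
    """Chance an unrelated account drew the same pair, assuming uniform draws from
    a pool of `pool_size` name servers: 1 / C(pool_size, pair_size)."""
    n_pairs = sum(1 for _ in combinations(range(pool_size), pair_size))
    return 1.0 / n_pairs


if __name__ == "__main__":
    groups = group_by_pair(cloudflare_pairs(parse_ns_records(SAMPLE_ZONE)))
    for pair, domains in groups.items():
        print(pair, "->", domains)
    print(f"expected false-positive rate with 10 name servers: {collision_rate(10):.1%}")
```

With a pool of 10 name servers there are 45 possible pairs, so an unrelated account lands on your pair about 2.2% of the time, which is the figure the talk quotes. On a real zone dump the parser runs unchanged; only the sample text is replaced by the downloaded file.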
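Editor's added example for the IPMI/RAKP part of the talk ("ask the IPMI service for the password hash in MD5, SHA-1 or SHA-256 and crack it"). It is not HD Moore's code and it contacts no BMC. It models only the authentication code the BMC returns in RAKP message 2 of the IPMI 2.0 RMCP+ session setup: the HMAC is keyed with the user's stored password over values the client chose or the BMC sent in the clear, so an unauthenticated peer gets a hash it can crack offline. The hash algorithm is the one the client asked for in the open-session request. Session IDs, nonces, GUID, user name and password here are all constructed.

```python
"""IPMI 2.0 RAKP message 2: compute the BMC's authentication code and crack it offline.

Added example; not HD Moore's code and not a network client. Everything below
that would come off the wire is constructed.
"""
import hashlib
import hmac
import struct

# RMCP+ authentication algorithm numbers, chosen by the client in the
# open-session request, and the HMAC each selects. This is the "pick which
# hash you want" knob from the talk; hashcat mode 7300 takes the SHA-1 form.
AUTH_ALGS = {1: hashlib.sha1, 2: hashlib.md5, 3: hashlib.sha256}


def rakp2_input(sid_remote, sid_bmc, rand_remote, rand_bmc, guid_bmc, role, username):
    """Bytes the BMC authenticates in RAKP message 2:
    SIDm(4 LE) | SIDc(4 LE) | Rm(16) | Rc(16) | GUIDc(16) | RoleM(1) | ULengthM(1) | UNameM.
    SIDm and Rm are chosen by the client; SIDc, Rc and GUIDc are sent by the BMC in clear text."""
    if len(rand_remote) != 16 or len(rand_bmc) != 16 or len(guid_bmc) != 16:
        raise ValueError("Rm, Rc and GUIDc are 16 bytes each")
    uname = username.encode()
    if len(uname) > 16:
        raise ValueError("IPMI user names are at most 16 bytes")
    return (struct.pack("<II", sid_remote, sid_bmc) + rand_remote + rand_bmc + guid_bmc
            + struct.pack("BB", role, len(uname)) + uname)


def rakp2_auth_code(password, auth_alg, msg_input):
    """HMAC(K_UID, msg_input) with K_UID = the user's password. Implementations keep
    the password in a zero-padded 20-byte buffer; HMAC zero-pads short keys itself,
    so the digest is the same either way."""
    key = password.encode() if isinstance(password, str) else password
    if len(key) > 20:
        raise ValueError("IPMI 2.0 passwords are at most 20 bytes")
    return hmac.new(key, msg_input, AUTH_ALGS[auth_alg]).digest()


def crack_rakp2(auth_code, auth_alg, msg_input, candidates):
    """Offline dictionary attack: one HMAC per candidate, no further BMC traffic needed."""
    for candidate in candidates:
        if hmac.compare_digest(rakp2_auth_code(candidate, auth_alg, msg_input), auth_code):
            return candidate
    return None


def demo(auth_alg=1):
    """Constructed exchange: build the message, take the code a BMC holding the
    constructed password would return, then recover that password from a short wordlist."""
    msg = rakp2_input(
        sid_remote=0xA0A2A3A4,            # chosen by the client
        sid_bmc=0x02000000,               # returned by the BMC
        rand_remote=bytes(range(16)),     # chosen by the client
        rand_bmc=bytes(range(16, 32)),    # returned by the BMC
        guid_bmc=b"\x11" * 16,            # returned by the BMC
        role=0x04,                        # requested privilege level: Administrator
        username="ADMIN",
    )
    observed = rakp2_auth_code("Sup3rMicr0", auth_alg, msg)   # stands in for the on-wire value
    return crack_rakp2(observed, auth_alg, msg, ["admin", "password", "ADMIN", "Sup3rMicr0"])


if __name__ == "__main__":
    print("recovered:", demo())
```

The point the talk makes falls out of `rakp2_auth_code`: the BMC can only produce this value if it holds the password itself, whatever digest the client requested, so a randomized factory password only raises the cost of the dictionary, not the cost of getting the hash.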