
Hello everyone, and thank you for finding the time to join the first BSides Pristina conference. It's a pleasure for me to have the honor of being a speaker at the very first event of this type in Pristina. Today my talk is about red teaming. Many of you who already have some experience in cyber security or offensive security already know what red teaming is, but for the rest of you who don't have specific knowledge of this type of engagement, we're going to go through it together. So I'll start with a brief introduction, or a short bio of me.

My name is Rodon Goshi and I am a senior security consultant at Century Cyber Security. I'm currently leading a team of five security consultants, and before that I was a penetration tester from 2018 to 2020. My achievements include some CTF competitions, including some from Cyber Defense Week and from UBT-CERT in Kosovo. I've also had the honor of being in the top 10 of the ranking on the Hack The Box platform; I believe many of you have already heard of it.

So, what this talk will not cover. All of you who already have some knowledge of red teaming engagements are familiar with the tools I have put on this slide: first we have Cobalt Strike and BloodHound, and we also have some EDR evasion techniques. This particular engagement was not a traditional engagement. Me and my colleagues, we make some jokes about Cobalt Strike; we say it's like a game: "Hey Cobalt Strike, generate payload. Hey Cobalt Strike, get the shell here." So that's not really fun, but we tried to come up with some more creative ideas and to focus on the fun part of these types of engagements.

So the presentation will cover how a red teaming engagement is executed, using real-life examples. Also, here we have the life cycle of a red teaming engagement, which includes mostly reconnaissance and attack planning, and then the part where the execution actually comes. The reconnaissance and attack planning phases are separated into initial reconnaissance and attack planning, and then the execution phase is split into initial compromise, maintaining access, internal reconnaissance, privilege escalation and lateral movement. For most red teaming engagements the most difficult part is the first part, which is reconnaissance and attack planning, because we have to find an initial attack vector and we have to gather as much information as we can about the specific company that we are targeting. So that's usually the longest and the hardest part of the engagement.

Some forms of reconnaissance and attack planning include virtual reconnaissance, basically where we try to find out as much information as we can about the client. In this example I have put two pictures that the client uploaded in their gallery. By using these images we were able to identify their internal communication platforms, which were Slack and Discord. As you all know, Slack and Discord are very convenient, and a lot of people who are oriented to technology use them for everyday communication, but we'll get to that later.

Another very critical part of attack planning is mapping out the internal hierarchy of an organization. What that means is that we have to see who the important people of the organization are, so we don't attack the low-privileged guys, the guys who don't have access to a lot of information, but we try to map out who is the most important, and we can plan our attacks accordingly. Other steps include, for example, identification of employees by using social media. I've used an example from when we utilized LinkedIn filters to identify employees; in this way we can get an almost full picture of who is working for this specific company, and also of their roles and their responsibilities, so we can better create that hierarchy that we already talked about.

Another example: when we start an engagement, the client usually gives out some initial details about their company, where they are located and stuff like that, but we can also use that information, for example by using WHOIS data for ISP identification. This is a very important step for a later slide that we're going to talk about.

Another critical phase is physically mapping out the company headquarters. We can use physical scouting of the environment, for example where their headquarters are, and in that way we can try to find entry points and the security mechanisms at those entries, which may include PIN numbers or badges or access cards or stuff like that. We can also try to identify who the responsible person from the staff is for entrance and clearance of the staff; that's usually a worker who is at the front door of the company and basically knows everyone and gives them access as requested.

I have mentioned BRA, which is the Business Registration Agency of Kosovo, or as we say it in Albanian, ARBK. This is a very important part that we can use, because in BRA every business must be registered with their physical address. So if we cannot find the address of the headquarters for the client by using other identification mechanisms, we can just resort back to BRA, and by law they are required to put the physical address of their headquarters there.

Initial access time: physical access via trusted relationships. In this case we disguised one of our colleagues as an ISP technician. I'm sorry, the resolution is not very good, but in this picture you can see the uniforms for two ISPs that the client was using: one was their main ISP and the other was one of their backup ISPs in case the first one fails. So this was via a trusted relationship, disguised as a nice ISP technician. The other initial access vector was phishing via email and physically distributing the Gjirafa VPN, which is a trojan.

Now, Gjirafa VPN: many of you have probably heard of Gjirafa; it's the biggest local online store and it also offers a lot of services for Kosovo people. So we came up with an idea to create a fake VPN named Gjirafa VPN, so if we go to the company headquarters and present the idea, everybody will be happy. We will say, "Oh, you have been chosen to beta test this VPN, and we will require your feedback for further improvement," and stuff like that. Everybody in that case trusted us, and we managed to deliver a trojan horse by disguising it as Gjirafa VPN.

Going back to physical access via trusted relationships: the goal was to plant network implants to aid initial access if other things fail. That equipment usually includes Rubber Duckies, LAN Turtles and Packet Squirrels, which are all evil tools that we use in red teaming engagements. The attack scenario was that one of our team members visits the client's headquarters and insists they need to see the server room, because someone from the staff has been complaining that the network is not working and they are there to help troubleshoot the problem.

Gjirafa VPN, or the not-so-secure VPN client: it has command and control capabilities, it's fully undetectable by current protection solutions, and it actually works. We've pointed it to an AWS server and the VPN actually works, so you can't see what's going on. It's developed in Python and Electron.js, and it uses Google Pub/Sub for communication. It is also integrated into a Telegram bot, so we can use it as our command and control point; the Telegram bot also alerts the controller whenever it is executed. Here is a screenshot of the actual software, but I don't think you can see that clearly, and on the right there are the command and control capabilities, executing the systeminfo command, just as a demo of the product.

This included creatively gifting the evil merchandise. We created some tote bags, some access badges, notebooks and t-shirts, and of course the USB which contained the trojan horse disguised as Gjirafa VPN. In this way we maximize the chances for the actual client to believe that we are a legit company, and the initial access will be much easier this way.

Going back to phishing attacks: phishing attacks are usually conducted via various channels such as social media, phone calls, emails, et cetera. In this case we also used Gjirafa, because the company had software developers working there and we kind of knew that the chances of them ordering something on Gjirafa were very high. So we faked an email saying that the order had been confirmed. On the right you can see the look-alike domain name that we bought; that's not actually Gjirafa50, it's a look-alike spelling of it. So the disguise, in my personal opinion, was pretty good, and the results were also pretty good: over 15 different employees clicked on untrusted links and fell victim to that phishing attack, which included entering credentials or downloading malicious software onto their company computers.

All right, so after initial access, it's time to abuse internal applications. The main communication channels that were used were Discord and Slack; we talked about that earlier, and now it's the really interesting part. Also in this phase we're going to talk about other misconfigured internal applications, such as TeamCity and PDQ Inventory. The result of all this was lots of creds.

So going back to Discord: once we identified that the client uses Discord for internal communication, we were able to copy the whole Discord directory of one of the infected company staff members, and by just pasting it into a virtual machine we were able to obtain an active session on their Discord channel. What this allowed for us is that we were able to create mass surveillance of the communication that was happening inside, and we were also aware of any issues that the staff were reporting: how they structure their passwords, where they store sensitive data, how they troubleshoot physical access problems, etc.

Slack: the attack vector is identical to Discord. We were able to copy the main directory and push it onto a new virtual machine, and we got an active session on their Slack channel. The result of this was that the company was communicating with external clients by using Slack, and a lot of client data was leaked in that process.

Now for TeamCity. TeamCity is build management software offered by IntelliJ, I believe, and if misconfigured it can lead to various problems. In this case the application was using the default credentials, which are usually admin/admin or admin/password; you can usually find a list online for every application and their default credentials. Since we got initial access to this application, we were able to load a custom script which was a payload for a reverse shell, and the TeamCity service was running with administrator privileges. The result was an NT AUTHORITY\SYSTEM shell, which, for those of you who don't know, is a very highly privileged shell.

More traditional stuff on these red teaming engagements includes RunFinger, CrackMapExec, Evil-WinRM, Impacket and other standard red team utilities. Those tools were helpful, but the main focus was not here. The underlying issue in this engagement was weak password configuration, insecure storage of credentials and the human factor: people tend to forget passwords, they don't use password managers, and they are always prone to saving passwords in files which are easily accessible. In case they just access a laptop and can't figure out the password, they just say, "Oh, I'll put it on a sticky note," or "I'll just save it on my desktop for another service," and so on and so forth.

I've put a list of some of the files that were identified during the engagement, which included the BitLocker keys used for the encryption of the whole company's hardware. The second file, the "acc" path, was a local administrator account that was enabled on all company devices. The third one is the Git credentials which one of the developers saved; there were credentials for GitHub, which gave us access to internal code and to see how they work things out. The result was administrative access on over 100 staff computers, by using the local administrator account that was enabled on all devices.

I've also included a list of some passwords cracked, but I don't think you can see it here. To crack those passwords with ease, and since this was a time-boxed engagement, meaning that we were limited in the amount of time we could spend on this one, we used a cracking station by using some online services that provide virtual, actually physical, graphics cards, so we can just run them and use them for our own purpose. We used a combination of several GeForce RTX graphics cards, and cracking NTLM hashes was very fast and efficient.

Missing security patches: some may think that they are not a big deal, some may just postpone that, some system administrators tend to be a little bit lazier than others and they just say, "I'll do that next month, I'll do that next week." But are they really a big deal? The client was vulnerable to Zerologon, which was CVE-2020-1472. At that time it was a little-known exploit, but by using the publicly available PoC we were able to identify that the client was vulnerable, and as a result we had domain administrative access on the Active Directory of the client. After that we used Impacket to dump some credentials to further spread into the network. There we saw some credentials for PDQ Deploy.

What is PDQ Deploy? PDQ Deploy and PDQ Inventory are applications mostly used by system administrators to manage the computers of their staff remotely, so they don't have to go and troubleshoot problems for each of them individually. The PDQ Deploy and PDQ Inventory applications store their credentials in Local Security Authority secrets, which can be dumped by using the Impacket Python module secretsdump. Many of you have heard of it; for those of you who haven't heard of Impacket, I totally recommend going to their GitHub and seeing what the project is about. It's a very helpful project.

Here I have attached a screenshot of the PDQ Inventory app. This was basically a remote access tool, and at that point we had full control over the whole infrastructure of the client. The end result was that we were able to compromise domain administrative accounts, we compromised business emails, we compromised internal communication systems, client data and internal applications. To highlight this impact for the executive part of the company, which usually tends not to really understand the technical stuff, we used some pictures taken from internal computer cameras, we keylogged sensitive information and recorded voice messages via microphone. Here you can see one picture taken from an internal camera; on the second picture there is some redacted client data, and on the third one there is a screenshot of an active computer that was within the network.

This is the last slide of the presentation, and for that I'll ask you to please remember that red teaming can be very fun if you want it to be, and let's just not always go the traditional ways, because they are not so fun. Thank you.
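The Zerologon step and the Impacket credential dump that follows it both leave traces on the domain controller, which is where a blue team would catch this engagement. The Python below is an added defender-side example, not code from the talk or from the speaker's engagement: it classifies Windows Security and System event records into a Zerologon-style computer account reset (Event 4742 performed by ANONYMOUS LOGON), DCSync-style use of directory replication rights by a non-DC principal (Event 4662 with the DS-Replication-Get-Changes GUIDs), and the Netlogon events 5827/5828/5829 that a patched DC emits. The event records are constructed; field names follow Windows EventData naming, the `REPLICATION_ALLOWLIST` entry is a hypothetical sync account, and parsing from EVTX into dicts is assumed to have happened upstream.

```python
from typing import Dict, Iterable, List

ANONYMOUS_LOGON_SID = "S-1-5-7"  # subject of a Zerologon-driven machine password reset
# Extended-right GUIDs that directory replication (and DCSync-style dumping) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# Netlogon events a DC patched for CVE-2020-1472 writes to the System log.
NETLOGON_DENIED_VULNERABLE = {5827, 5828}   # machine (5827) / trust (5828) account blocked
NETLOGON_ALLOWED_VULNERABLE = {5829}        # allowed only because enforcement mode is off
# Hypothetical allowlist of non-DC principals that legitimately replicate (directory sync etc.).
REPLICATION_ALLOWLIST = {"MSOL_sync_svc"}   # constructed name, adjust per environment


def is_zerologon_reset(ev: Dict[str, str]) -> bool:
    """4742 (computer account changed) where ANONYMOUS LOGON set a machine account password."""
    return (
        int(ev.get("EventID", 0)) == 4742
        and ev.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
        and ev.get("TargetUserName", "").endswith("$")
        and ev.get("PasswordLastSet", "-") != "-"
    )


def is_suspicious_replication(ev: Dict[str, str]) -> bool:
    """4662 exercising replication rights from anything that is not a DC or allowlisted."""
    if int(ev.get("EventID", 0)) != 4662:
        return False
    props = ev.get("Properties", "").lower()
    if DS_REPLICATION_GET_CHANGES not in props and DS_REPLICATION_GET_CHANGES_ALL not in props:
        return False
    actor = ev.get("SubjectUserName", "")
    # Domain controllers replicate constantly and their accounts end in '$'.
    return not actor.endswith("$") and actor not in REPLICATION_ALLOWLIST


def detect(ev: Dict[str, str]) -> List[str]:
    """Return zero or more finding strings for a single parsed event."""
    findings: List[str] = []
    eid = int(ev.get("EventID", 0))
    host = ev.get("Computer", "?")
    if is_zerologon_reset(ev):
        findings.append(f"zerologon: {ev['TargetUserName']} password reset by ANONYMOUS LOGON on {host}")
    if is_suspicious_replication(ev):
        findings.append(f"dcsync: replication rights used by {ev['SubjectUserName']} on {host}")
    if eid in NETLOGON_DENIED_VULNERABLE:
        findings.append(f"netlogon {eid}: vulnerable secure-channel attempt denied on {host}")
    if eid in NETLOGON_ALLOWED_VULNERABLE:
        findings.append(f"netlogon {eid}: vulnerable secure channel allowed on {host}; enforcement mode is off")
    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run detect() over a stream of events and flatten the findings, in input order."""
    return [f for ev in events for f in detect(ev)]


# Constructed sample events (not real logs) covering the benign and the malicious cases.
SAMPLE_EVENTS = [
    # Zerologon: the DC's own machine password reset by an unauthenticated caller.
    {"EventID": "4742", "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "PasswordLastSet": "9/14/2020 10:02:11 AM"},
    # Benign: routine machine password rotation done by the machine account itself.
    {"EventID": "4742", "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-21-1111-2222-3333-1000",
     "SubjectUserName": "WS-042$", "TargetUserName": "WS-042$", "PasswordLastSet": "9/14/2020 10:05:40 AM"},
    # Benign: a second domain controller replicating.
    {"EventID": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync-style dump: a user account exercising both replication rights.
    {"EventID": "4662", "Computer": "DC01.corp.example", "SubjectUserName": "jdoe",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Patched DC refusing a vulnerable Netlogon channel from a machine account.
    {"EventID": "5827", "Computer": "DC01.corp.example", "SamAccountName": "WS-042$"},
    # Patched DC still allowing one because enforcement mode is not on.
    {"EventID": "5829", "Computer": "DC01.corp.example", "SamAccountName": "OLDNAS$"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The 5827/5829 checks are worth keeping even after patching: 5829 means the DC is patched but not in enforcement mode, so the vulnerable path the talk exploited is still open to whatever device the event names, and a steady stream of 5827 from one workstation is either an unpatched appliance or someone probing.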