
BSides 2019 - Tim Medin - Blue about not being Red? How to be more offensive.

BSides KC · 2019 · 41:22 · 221 views · Published 2019-06
Style: Talk
About this talk
Blue about being blue? Want to be more offensive in the office? Many defenders want to try their hand at offense. The trick is, they can! You can do bits of pen testing in your defensive role and management will likely thank you for it. In this talk, Tim will discuss how he used his defensive role to pivot into offense. Even if you don't want to leave defense (because defense is fun too), you might want to spend some time looking at the other side.

Tim Medin (Principal Consultant, Founder at Red Siege): Tim Medin is the founder and Principal Consultant at Red Siege, a company focused on adversary emulation and penetration testing. Tim is also the SANS MSISE Program Director, a course author, and a member of the IANS Faculty. He is an experienced pen tester, red teamer, and insert buzzword here. Tim is also the creator of Kerberoasting, a technique to extract Kerberos tickets in order to attack the passwords of enterprise service accounts offline.

Transcript [en]

Hey guys, I presume that if you're in this room now, you're in this room for track one. Super foolish, that haven't ever been in here. I don't know if you know Tim, but obviously he's the founder and the principal consultant for Red Siege. He's got plenty of history, whether it's the SANS MSISE program director, or author, or faculty for IANS, or you might also know him for basically something legendary, from Kerberoasting, excuse me. But I'd like to introduce Tim to kick off this conversation about moving blue and all. Here, sir. Cool, thank you so much.

Thank you so much for coming out to the thing. Thank you to all the sponsors that make this possible. By the way, I'd like to do my presentation a little bit backwards, so if you want the slides just go to redsiege.com/blue. For some reason AT&T will not let you go to redsiege.com, but www.redsiege.com even works on AT&T. We've been talking to nobody, a lot of beers, to fix that. No, okay. If you want the slides, if you're like halfway through, like this isn't getting you, Stevie got the slides, to leave them. But I mean, cool. So what I want to talk about here, background,

blah blah blah, whatever. And instructor with SANS, I mean course lead now for the network penetration testing course, SEC560. I expect that they all, I think you kind of said, I've been doing pen testing, offensive things, many perspectives, for a number of years now. But what I wanted to do now, first up: how many of you consider yourselves blue team members? I like, on the left, like there's one blue guy in the front, otherwise blue is tightly in the back. That, uh, I feel, tells me something. Who's my red team people? Is it okay, the four of us? Fantastic. Who is green, plaid, any other

colors? Who's like, why am I at this conference, my spouse, my dad dragged me? Purple? Get, uses buzzwords, adhere to it towards the blockchain, for next generation. Hey, I did a lot of pen testing back in the day, right, and I've done this for a number of years, and I wanted to tell you kind of a little bit of my story, how to get into the offensive parts if you will, and some cool things you can do on the blue side if you want to play with some of the red tools and techniques, both to make your organization more secure, but also, it's kind of a lot of fun, right. And I

find that the best red teamers oftentimes start off with that blue background, and it doesn't have to be a defensive security role, it could be systems administrator. My background was systems administration and network engineering. When people understand the guts of those technologies, it means they can really dig in for the customer, and then afterwards they can make recommendations to the recipients of those reports, of that information, and talk to them at their level, right, and have some sort of soul, if you will, behind their recommendations, because they used to be in the trenches and they understand that, other than just having some of that red

team perspective. So I run a company that I've got, we do red team, but let's be honest here, there's something special about the red team. In fact the only reason the red team exists, here we are now, the only reason that it exists is to make the blue team better, and if we fail to do so, we are a giant waste of time and money, right. We'd like to show up like, I like, you know, like the fighter pilots with leather jackets, and come in, can you say that in here? Yeah. Tear them apart, so all we are, they say, won't you guys clean up on

the way out. And of course that's not super effective, right. Our goal is to make blue better, and if we show up and we shame them, that doesn't help anyone. But as literally the term purple, who has heard the purple team concept before? Obviously. I think purple team is what red team should be, right. The goal of the red team is to make the blue better, and we have this purple team concept because the red team showed up, you know, made a mess of things, did some cool fun stuff, but then just kind of left the blue team hanging there, like, you sort of shamed us and you showed us a little bit of how

to move forward, but sit down with us, help us, right. And that's some of the goals here. The key here is that we're on the same side, right. The red team and the blue team should not be at odds; if we are, that's a problem, because the sole purpose of the red team, of pentesters, is to make the blue team better, right. So the blue team themselves have a lot of, you know, learning. Smaller organizations: who works in organizations where you're not maybe big enough to have a pentesting team or red team? Yeah, a significant number of hands, right. And maybe you don't have some of the budget. What are you doing, is it every so often? What should we do, it's

you know, some of those red team tools, red team tactics, to sort of test ourselves. And of course there's maybe a limit to that. As a blue team, it's not your goal to know literally every single thing that red team people do and how to use absolutely every single tool, but we can still use some of those tools in the basic ways to move the needle. One of the big problems that we see in security is that we really like to throw the baby out with the bathwater: if something is not 100%, let's get rid of it. How many of you ever say, antivirus is crap, right? Last night? That's crazy,

it serves a purpose. It's not perfect; in fact no technology is going to be perfect. Every one of those things is designed to move us forward just a little bit. So you don't have to be an expert at all of these sort of offensive tools; use them a little bit. The goal is to move the needle. It's gonna be a bit controversial, people know we have to get everything that is ideal, but let's be realistic here as well, right. Well, I think it's tough, out of rings, here we go. So some of the basic pieces here for blue: what we need to understand as a defensive person is that we don't exist in a vacuum, but we're

working against threat actors. What that means is, of course, we have to understand how do the bad guys come in, right, what are the common tools and techniques they use to get into my network, to move throughout my network, and then get data out of my network and be persistent. And if we can find a couple of different ways to either stop the bad guy or, geez, catch the bad guy, now we have moved, and we can shrink some of that detection time, which we oftentimes see at many months, down to a shorter point in time. One of the things that we'd like to focus on so much is protections, but we want

that big shell security, we get a super shell that is really tough and nobody's going to get in. That's not realistic. It's not realistic because we've got zero days. Also, do you ever fight anybody, do you have anybody in your organizations who are upset? No one would know, it's raising their hand, right. If you've got people in organizations who could literally walk out the front door with your information, right, you've got admins who could go rogue. You think it's no hit, I turn it into a verb. Make sure we've got some of these things that we need. Instead, of course, not only do the prevention, but we also have to do some of the detection. Those two pieces

together are absolutely the key here. Now again, I've mentioned this before, but I wanted to get down there again: we're going to show you some of the simple ways we can use these tools. Again, the goal here isn't, in the next 45 minutes, to make you the greatest red teamer that ever lived. If I could do that, either I'd be richer or I'd be out of a job, I'm not sure which one, right. So we need to understand we're going to use these tools, and the goal is to move the needle. We want to move forward, reduce that time to detection, and maybe catch the bad guy early, or even better, of course, prevent them from getting in in the first place.

So we all know this, right. We have so many problems with passwords. One of the tremendously useful things to do is look for breached passwords, because, you know what, the bad guys are doing exactly that. There's a breach at fill-in-the-blank company, the passwords, the password hashes, are now posted online. So what happens is the bad guys go up there, find your email address for your organization, or every email address for your organization, find those passwords, and then attempt to log into your company's email, VPN, whatever it might be. And this is so extremely effective; we use this all the time on pen tests. Now as a blue team you're like,

well, that's sort of not my job. Okay, cool, whose job is it? It's your organization, right, somebody needs to keep an eye on some of those. And it's really easy, a simple way: there's a number of different services we can look at, like Have I Been Pwned, we can do things for our entire organization. I'm a huge fan of Dehashed, it's $130 a year, sorry, a hundred twenty-nine bucks a year, and I can set up alerts for my entire organization. So now if a new password is cracked for my organization, I know that. They could say English by the law games that use are, real quick, because as much as we tell users to use

different passwords at different locations, is that effective? No. And it's impossible to have a security control, a technological control, that prevents a user from reusing the same password on a crappy website and at my organization. There is no protection mechanism here; all we have is the ability to detect. So we want to be able to follow some of that and then check, hey, is this being used inside of our organization? Another thing that can be tremendously useful inside of our organization: we need to monitor the passwords in the organization, right, before the bad guys are on it, which means we're gonna have to do some password cracking. And I'm not saying here, this might be a

little bit controversial, I'm not saying you have to crack every password with, like, just crazy hashcat rules or John the Ripper rules. What I'm most interested in, again, we want to move that needle, right, the biggest benefit for the least cost. What I would really like to find out is the terrible passwords in our organization. The terrible ones, by that I mean the ones that people can easily guess. There's a significant difference between a crackable password and a guessable password, and a lot of times we in security say, although it's crackable, is guessing it practical? If I have to have my password cracking rig running for a week, trying multiple trillions of password attempts, how long

would that take when the password guessing attacks actually run through, right? I think you'll be able to figure it out by that point in time. So the key here is you want to find some of those bad passwords, and there are some very common bad passwords, right. One of the most common ones I see, I'll back up for a second. So maybe, thank God, okay, all right. So the corners in your organization, I think about this, this is recorded, right, whatever. How often are we supposed to rotate our password? Every how many days? 90? A lot of nineties, right. And the reason is, there is no reason behind that. It's because when Moses came down from the mountain we had

a third tablet. Obviously not, right. And the reason is, they took it in the 70s; in the 70s, people remember, you know, live to the 7 days, holy crap, that's only in the seventies, it would take 90 days to crack the password. These days we can get these water-cooled rigs with multiple GPUs; the Coalfire guys just released a product a few years ago that used Amazon, for relatively cheap, to crack passwords at an insanely fast rate, when we can attempt, you know, thousands of passwords for each human who has ever lived on the planet Earth. The speed is just astronomical; that 90 days thing is absolutely crazy. On top of that, let me think, I was

talking with the staff: what's the average time of bad guys inside your organization currently? The Verizon breach report, yeah, I've heard numbers between five months to like nine months. What's up, if we're supposed to rotate our password every three months, why isn't the dwell time three months or less? It's because that control is basically worthless. I pen test all the time; it's a week, two weeks, a month, and at no point in time have I been like, well crap, we're screwed now, Steve in marketing changed his password, dammit Sally, why did you change your password? At no point in time has, I believe, Russia, panic, commenters, good enough. That's right, this control that we have, that is supposed to be effective,

doesn't provide much value. And we see that people, anybody ever work the help desk on January 2nd? You're laughing, but I think there's tears behind that. What's the phone call you get non-stop that day? What's my password, right. So what people do is they come up with schemes to remember these passwords, and they look outside, and we're in Kansas City, right, look outside January 2nd, there's snow on the ground, or actually, kids, it's ice on the cliff, right. And then 90 days later it's, you know, the flowers are coming out, and ninety days after that it's like 110, right. So people are like, cool, I'll just look outside, I'll just use this

season. So right now we're technically in spring, cool, my password is spring, capital S, lowercase the rest. And then they're like, oh crap, that's uppercase and lowercase, and there's a spring this year and ideally there's gonna be a spring next year, if only there was a number I could use to differentiate this spring from next. Wait. And they sit there for probably 45 minutes to an hour, people contemplate this, and of course they end up with Spring2019. Thank you, change your password right away, folks. Oh yeah, then we have these special character requirements, cool, Spring2019 exclamation point, why? Top key on the keyboard, right. You guys all know this, I know this,

all the pen testers in here know this, but we see users do this all the time, and as an attacker I don't have to be successful with all the accounts, I need to be successful with one, right. That one person that gets me into the VPN, that gets me into the email, that gets me on the inside. I just need the one. So when we're doing password cracking, we want to focus on these terrible passwords: season and year, password followed by a number. I've seen some organizations, when a new person starts, they pick a password for them. I was at one organization and they started, the first password for everybody was Orange1. What's my first guess? Orange2, right,

when they first log in they're supposed to change their password; they tell them, pick a secure password, and they're like, well cool, if Orange1 was secure, Orange2 is twice as secure, right. So we would look into those passwords. I've seen like the f-bomb, company name, local sports teams. Find those terrible passwords for your organization, crack those password hashes, and have those people rotate their passwords. And a lot of the room is, well, we don't crack them, we just tell people not to use those. Okay, great, imagine the average person in your organization in a security meeting; the other thing, they don't want to be there, no way, and they're like, these guys up

front are blah blah blah, don't use the season and year, blah blah blah, and then like three weeks or something later, bla bla bla, season, year, what a great idea, right. So we need to audit, we need to come back and enforce that people are not doing some of these things. So how can we do some of this? First off, what we need to do, the difficult part: we need to extract the password hashes. I was going to show you like six different slides on how to do that; instead there's a great link for you. What I can do is I can go to a domain controller and I can say, why don't you give me these two files, I need

NTDS.dit and the SYSTEM key. The SYSTEM key is used to decrypt the NTDS.dit; from that I get the password hashes, and then I can use tools like hashcat to perform some of that cracking. Now how far you want to go with the cracking is up to you. I would say the first step is go for the lowest hanging fruit, the fruit that is literally touching the ground, right: the season and year, the password with the number, the company name with the number, those terrible ones. Find those first. Our goal here isn't to find all the bad-ish passwords, it's to find the terrible ones that are going to be very, very easily guessable. On top of that, take these

passwords that we know have been compromised from people in our own organization, right, going back to some of these things from LinkedIn, Dehashed, or any number of other places. Add some of those passwords to your lists, crack those passwords, right, use some of these red team tools, tell people, hey look, we need to send you through password training, here's how to pick an actual good password. Now by the way, the latest NIST recommendation, Microsoft, Google, etc., is not to do the stupid complexity requirements, and I say stupid because everybody knows the tricks: instead of an A, people put the at symbol, right. It's probably even the top, like, they

said, well, like a bunch of the insurance people, and somebody came up to me afterwards, like, hey Tim, I don't just use the @ for A. I was like, okay. It's like, I got other ones too, like, oh, tell me. He comes up to me like, instead of an O, and no joke, the dude looked around, like the South Koreans were there waiting for this moment, leans in to this dude, important, hey, instead of an O, and then I felt like I need to look around as well, because I don't know, is there a North Korean spy around this? Keep talking here. I'm like, he said that, he'll do, use up one language with all these people, where we take characters, if we substitute them

for others, it's a method of communication, but people are using these in their passwords and it's making their passwords trivially more complex, significantly more difficult to remember, right. So it doesn't move the needle. The only corrective actions, recommendations, of course: we want longer passwords, we don't want these complexity requirements, we would like to get rid of password rotation unless the password is breached, and of course two factor is fantastic. So anyways, going back to this, if you want to crack those passwords, this is just a simple straight-up crack, no bells, no whistles: I'm going to provide a list of the passwords that are terrible and we're going to give it a list of password hashes, and we say go,

and the bad passwords, we then talk to people, we say you need to change your password, and we can perform this on a regular job. Now be very careful with this: if you're walking around with all of the password hashes on a USB, be careful with said USB, right. Don't just send these things across the network, move them all over, and put them on a normal system; take this thing offline. As an attacker, I have come across a corporate cracking device, logged into it, it was a Kali box, username root, password toor, right, T-O-O-R, root spelled backwards, and I didn't get all the password hashes and use them. I usually read team's own tools

occasionally, well, that's not fair. Afterwards he's like, bro, we're on the same side here, I read your report, like, make it bad, but no, I don't know, right. So fixing fixes, testing out other techniques. I'm a little bit partial to this, as you probably heard in the introduction: the common thing we see with attackers, with red teamers, with malware these days is something called Kerberoasting. I'm not going to go into the detail; I've literally talked about this for hours and I have a spirit to expel you. The short version is you can have service accounts that any user can request a ticket for; that ticket is encrypted using the password hash of the remote

service account. The short version of what that means is any authenticated user on your network is able to crack some of the service accounts. Now service accounts usually have access to very privileged data, oftentimes have privileged security, so we need to be very careful with these. Now before, when I was talking about users, I was mentioning, you know, we don't have to be super crazy with the cracking, let's just focus on some of the terrible passwords. With this, because what a lot of organizations don't do is they don't rotate as often for service accounts, by often I mean ever, right, and these, I'm worrying, the traditional accounts have access to very sensitive data. So with

these types of accounts what I would like to do is go over the top, aggressive cracking. So what I do first off is get those hashes, and I can see which accounts are tied to SPNs, as we call it, using an offensive tool here, Invoke-Kerberoast. So I can use PowerShell to extract this information and send it to my cracker. Here I'm using hashcat with -m 13100, which tells it Kerberos. I'm gonna give it my hashes, full options; I can give it a big list here of bad passwords, and then I can add some additional, say, you know what, let's take that list and let's add

three characters to the end, now let's do it again, now let's add three characters to the beginning, and we can get quite in depth with the cracking here, but we want to be a bit more aggressive because the bad guys are gonna do this inside your network. And remember we talked about this earlier: all the bad guy needs is a single account. Any bad guy inside your network, or frankly a trusted insider, which is a bad guy, can request this information and do offline cracking of the service accounts, and you can't see that attack happen, right. So we mentioned this a little bit before, but according to the Verizon breach report and others,

it takes many months for people to detect the breach. The bad guy's in, the bad guy is taking data, it's long gone, they get persistence, they're in the network for many months. So it means that protection is failing. Protection is ideal; I would like to keep the bad guy out, right, ideal goal here, but realistically there will be failures. If we're relying on that egg to never crack, we're going to be very disappointed when we end up with yolk everywhere, because it will happen. We need detection; detection is absolutely key. So we can focus some of our tools now. People are like, oh, we use such and such an agent and we've got this EDR product and this SIEM,

cool, have you tuned it? Let's test some of that against some of the real-world attacks, right. So talking about Kerberoasting: Kerberoasting is kind of loud. I talked about requesting information for those tickets, great. Why is Steve in marketing, or Sally in accounting, why are they all of a sudden requesting a ticket for a database server? That's not normal. And why all of a sudden is one of my engineers requesting, I don't know, all of the tickets? That's a detection mechanism, right. We need to look at some of these events, we need to tune it so that we actually get notification here; this means something is going wrong, someone is bad inside my network. Now let's spin

up IR, or try to kick them out, or a hunt team trying to figure out what exactly is going on. Something to say, let's move that needle of detection time from many months to something that's much, much quicker. The specific event ID that we're interested in here is going to be the 4769. Now your average users will generate some of these events, you cannot just say alarm for every one, it's not usable. What we need to look for is an atypical pattern, or a large number of requests in a short period of time. Great write-ups from Sean Metcalf here on ADSecurity, things to look for here, tremendously, other great, great blog posts here, but what we want to see here is our

things under the goal, a large number. Also, are we requesting tickets that are formatted in a very specific way, are they using RC4 encryption? Your typical system is not going to request that; it's easier and faster to crack. So if you get a single one that uses RC4 you might have some reason, something on the inside. You might have to tweak this a little bit, but the vast majority of the time, when someone's inside a network, they do use a password spray. So can we detect this? One of the things the attacker oftentimes is going to do is try some of those terrible passwords across your entire organization. They're going to try that season and year. This is

not a password guessing attack in the traditional sense. Traditionally we would take a single account and they would type piles and piles and piles of passwords. As an attacker, as a defender, what's the protection with that? Lockout, right. So as an attacker, the attacker doesn't want to cause the lockout, because a locked account is no longer useful. So instead we take this, we flip it sideways, and we're gonna try one password for a large number of accounts. Now there's no protection against this. Now Microsoft, the majority now has protections against this, but the vast majority of organizations do not have this configured. So because we don't have a protection, we need a detection

mechanism: hey, why all of a sudden is somebody checking the password on every one of my accounts? Is it coming from the inside, is it coming from the outside, can we strip that out, are there additional compensating controls, like two factor, that could mitigate some of this? So we can try some of these tools on the inside and say, can we detect this, right. So we're going to fire these tools up, say, hey, does this show up? We don't alarm on this, because this is going to be a bad, kids. Let's think about the mind of an attacker. The bad guys, they have kids too, right, they're just like you and I, just

a blur, and then cheese to feed, they let it, Betty's to one of, they want an organization's financial information, it could be, you know, credit card information, it could be transferring money, it could be, you know, all of your stuff, your sensitive information. We need to understand, from a defensive perspective, we don't exist in a vacuum: what are we trying to defend in our castle, and then let's look for that. How am I exposing that inside of our organization? And there's some great tools that we can use for some of this. We've got a number of tools with PowerView; what do you do with PowerView? Now there's a newer

version of PowerView, it's in the development branch, it's not in the master branch yet, but a very simple PowerShell command. What it's going to do is, it's going to search our network for open file shares, and then it's going to search those file shares, by default, for a list of files named password or login, etc., and of course we can tweak all these things, but the very simple approach is, let's look everywhere and then let's look for these sensitive files. We've gone up against, as a red team, as my company, we've gone up against some very difficult defenders, which is fantastic, right, the goal is to make the blue teams better,

and we were not able to laterally move or escalate, but we'd step back, like, cool, let's just look around, what can we see from where we landed? Think about the bad guy: if they land on the finance person's computer and all the company numbers are right there, do they need to move? No, it's all right there. They land on an engineering workstation where they have all the schematics for the super-secret missile system, do they need to move? No. If they land on the marketing person's computer and they can run through the file shares all over the place, there are the financials or the super secret plans, do they need to move? Again, not really.

And I've seen time and time again in organizations we've got these excessive file permissions. This is now sort of the goldmine that we go for first: let's look around and see what we've got laying around there. There was a bank, and simply killing us, we looked around, we found bank account and routing numbers all over the place. They had all the technical controls in place to keep us contained, but we didn't need to move, we just grabbed it from where we sat. So the useful information in here, again, sort of an offensive person's tool, tremendously useful as a defender, so we can find what information is where and we can apply the proper security

controls, right: reduce access, remove access. Now another thing: a bad guy's gonna get in your network, he's gonna want to move. Oftentimes, again, we don't have to, but oftentimes the bad guy wants to move to another system. Can we detect that? If it's valid credentials, there's not gonna be, this is a security control that is going to prevent someone, whoever, getting into the systems to which they have access, but what we want to do is see, they're going to have to poke around, they may not have the full knowledge, and all of a sudden Steve in accounting is trying to connect to all sorts of systems. Are you following up with that? Previously it was, like, Sally Smith instead,

so what we can do is we can attempt to log in a number of different ways, similar to what the attacker's going to use, very common tools that we use as offensive people, frankly as systems administrators as well, but offensive people: PsExec. It allows me to run a program on a remote system; same with WMI, and there's tons of different tools that do the same sorts of things, and a bunch of different features in free tools like PowerShell Empire. Now of course you don't have time to go through all the pieces of Empire, that would be like a four-hour session, but the key here is what I want to look for

is deviations in logins, right. All of a sudden, why is Steve in accounting logging into other systems that probably shouldn't be accessed? If you've got the capability, why all of a sudden is Steve's login information coming from somewhere like Ukraine? Is that normal for him, especially when he walked into his desktop 15 minutes ago, right? There's no plane that gets him there fast enough for this to make sense. This specific log is a little bit more difficult; we need additional tooling to sort of monitor some of that, but the interesting one here is users are not allowed to log into the computer. Now all of a sudden Steve's trying to log into that database server, that's not typical.

There is no reason that Steve needs to know that this even exists, let alone attempting to log in. So we see some of these; these are not the highest-fidelity indicators, but it's a decent indicator, especially if we see this at breadth. If all of a sudden Sally is trying to log into all sorts of systems, it's likely something's going wrong with Sally's account or Sally's computer, and we need to dig into them. Again, not a sector of protection, this is going to be more on the detection side. There's a great post here with all sorts of other event IDs and great ways to detect this; highly recommend checking that out, those ways to go

through all that. So we've got, you know, all these sort of useful tools used by red teamers that you as blue teamers can use; relatively straightforward, relatively simple to use, we can use them out of the box, you don't have to turn on all the bells and whistles. The goal here again is to move the needle, right, get the biggest bang for the least cost. It's not gonna necessarily, you don't get absolutely everything out of it, thinking that's not your job, right. Any incremental step is a good thing, right; we're not gonna be necessarily perfect. Ideally we would give all of our end users twenty-character perfectly random passwords; usability of that, crap, right. So these are some of the ways into it, to

detect bad guys in the network, and we can sort of try to detect ourselves. We could turn our own blue team into a mini purple team, where we go over red from time to time, right. Kids, and they don't have a talent, if you look so nice, has so much. I've got the link to the slides here, which is the full link; it's just a pointer to a Dropbox folder. The Dropbox link is like this long, and my short URL, redsiege.com/blue, is like this long. Any questions? Just shout them out, we'll repeat the question. Yes sir.

So the question is, if I can crack some of these bad passwords, Winter2019, Spring2019, whatever, do I have a bad password policy? Yes and no. I mean, to prevent people from using a bad password I need some sort of a shim on a domain controller to say, I'm not going to allow this password because it's terrible, right. If we don't have that sort of protection mechanism, we have to go back and audit, and then, you know, it meets all these, it checks all the boxes, right, with that terrible password: uppercase, lowercase, and numbers. And so when you go back, it's really difficult to tell whether it's a terrible password

or not. Yeah, so the question is, can we go quickly, go back to the business? Yeah, you should be able to. This could be a political game; I'm not gonna jump in and do that for you, but this is to be, especially not to heavily look, then the NIST guidelines suggest this change: let's go to 15 characters, let's kill the complexity, and then it gets rid of Spring2019, it doesn't fit. And now there will be a new Spring2019 that evolves with these longer passwords, but it'll be much harder for that later. Cool, other questions? You got another minute or two? Yes sir.

Yes, so this question is related to two factor. I think two factor is fantastic, but we've got to be careful with that: two factor is not perfect, you can still phish two-factor people. Your two factor's totally good? No, no, no, I can still phish to beat it. It just means the compromised password is now more difficult to use, right. It definitely moves that needle forward. They're like, well, it's not perfect; no, it's not, doesn't mean we throw it out. It is a good thing to use, and it allows us to have those worst passwords sort of make their way for you, but we have the additional protection there as well. What about, so preventing your

corporate email, amusement, how much, get ready, corporate email, that'd be awesome. Any question?

Oh yes, your designer mechanism. So the comment is, sometimes the backup mechanisms for two factor can be insecure methods. It can be, yeah, yeah, that's what the issue was there as well. Cool, all right, I think we're out of time. I will be downstairs in the vendor area; I've got a bunch of stickers that say offensive, if you want some of those, come find me if you have questions. Sweet. The slide deck is on the left, redsiege.com/blue; my contact information is on the right. Another thing I would ask you: help make this conference even better, this fantastic event, I love this venue by the way, but you know, give

feedback, because if the talk sucks, cool, let me know, tell me how I can make it better, I don't even mind. Great, let us know about the conference, the events, anything else. With that, thank you so much for attending.
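The audit step Tim describes (crack only the "terrible" passwords, then find the season-plus-year, word-plus-number and company-name patterns among the results) and the "shim" from the first question (reject such passwords before they are set) both need the same classifier. The following is an added example, not code from the talk or from Red Siege: a small Python checker for those patterns, run over a constructed list of `user:plaintext` lines of the kind a cracking job emits. `COMPANY_WORDS` and the leet substitution table are assumptions for the example; fill them from your own organization.

```python
import re
from typing import Dict, Iterable, Optional

SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
# Assumed for the example: the organisation's own names (the talk's "Orange1" case).
COMPANY_WORDS = {"acme", "orange"}

# Leet substitutions users apply to satisfy complexity rules (assumed table).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# word, then up to four digits, then up to two trailing specials ("Spring2019!")
SHAPE = re.compile(r"^(?P<word>.+?)(?P<digits>\d{0,4})(?P<tail>[!@#$%^&*?.]{0,2})$")


def classify(password: str, company_words: Iterable[str] = COMPANY_WORDS) -> Optional[str]:
    """Return the name of the guessable pattern a password follows, or None."""
    m = SHAPE.match(password.strip())
    if not m:
        return None
    word = m.group("word").translate(LEET).lower()
    digits = m.group("digits")
    if word in SEASONS and len(digits) in (2, 4):
        return "season+year"
    if word == "password":
        return "password+number" if digits else "password"
    if word in company_words and digits:
        return "company-name+number"
    return None


def audit_cracked(lines: Iterable[str], company_words: Iterable[str] = COMPANY_WORDS) -> Dict[str, str]:
    """Map each account whose cracked plaintext matches a pattern to that pattern."""
    flagged = {}
    for line in lines:
        if ":" not in line:
            continue
        user, plaintext = line.split(":", 1)
        reason = classify(plaintext, company_words)
        if reason:
            flagged[user.strip()] = reason
    return flagged


def policy_allows(password: str, min_length: int = 15) -> bool:
    """The 'shim' check: length of 15 (the NIST-style figure from the Q&A) and no known pattern."""
    return len(password) >= min_length and classify(password) is None


# Constructed sample: what a cracking job's output might look like (not real accounts).
SAMPLE_CRACKED = [
    "steve:Spring2019!",
    "sally:Winter2019",
    "newhire:Orange2",
    "bob:P@ssw0rd1",
    "alice:correct horse battery staple",
]

if __name__ == "__main__":
    for user, reason in audit_cracked(SAMPLE_CRACKED).items():
        print(f"{user}: force rotation ({reason})")
```

Because `classify` strips the numeric suffix before it de-leets the word, `P@ssw0rd1` is recognised as `password+number` while the year in `Spring2019` is left untouched; the pattern list is deliberately short, since the point of the talk is the lowest-hanging fruit, not a full rule set.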
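The two detections Tim sketches, a burst of 4769 service-ticket requests (or any RC4-encrypted one) from a single user, and one source failing logons against many different accounts, share the same sliding-window logic. The following is an added example, not code from the talk or from Red Siege: it runs both heuristics over a constructed list of event records. The field names, the thresholds, and the use of event 4625 (failed logon) for the spray side are assumptions for the example; a real deployment would read the fields from the SIEM's own schema and tune the thresholds to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# 4769 TicketEncryptionType values for RC4-HMAC / RC4-HMAC-EXP; the talk's "single RC4 request" signal.
RC4_ETYPES = {"0x17", "0x18"}


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def _bursts(items: List[Tuple[datetime, str]], window: timedelta, min_distinct: int) -> bool:
    """True if at least min_distinct distinct values fall inside any window-long span."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        seen = set()
        for ts, value in items[i:]:
            if ts - start > window:
                break
            seen.add(value)
        if len(seen) >= min_distinct:
            return True
    return False


def kerberoast_candidates(events: List[dict], window: timedelta = timedelta(seconds=60),
                          min_services: int = 5) -> Dict[str, List[str]]:
    """Users whose 4769 activity shows a burst of distinct services and/or an RC4 ticket."""
    per_user = defaultdict(list)
    reasons = defaultdict(set)
    for ev in events:
        if ev["id"] != 4769:
            continue
        per_user[ev["user"]].append((_ts(ev), ev["service"]))
        if ev["etype"].lower() in RC4_ETYPES:
            reasons[ev["user"]].add("rc4")
    for user, items in per_user.items():
        if _bursts(items, window, min_services):
            reasons[user].add("burst")
    return {user: sorted(r) for user, r in reasons.items()}


def spray_sources(events: List[dict], window: timedelta = timedelta(minutes=5),
                  min_accounts: int = 10) -> List[str]:
    """Source addresses with failed logons against many distinct accounts in one window."""
    per_source = defaultdict(list)
    for ev in events:
        if ev["id"] != 4625:
            continue
        per_source[ev["client"]].append((_ts(ev), ev["user"]))
    return sorted(src for src, items in per_source.items() if _bursts(items, window, min_accounts))


def _ev(event_id: int, ts: str, user: str, client: str, service: str = "", etype: str = "0x12") -> dict:
    return {"id": event_id, "ts": ts, "user": user, "client": client, "service": service, "etype": etype}


# Constructed sample events (hostnames, users and addresses are made up).
SAMPLE_EVENTS = [
    _ev(4769, "2019-06-01T09:00:00", "steve", "10.0.0.5", "MSSQLSvc/db01.corp.example:1433"),
    _ev(4769, "2019-06-01T09:30:00", "alice", "10.0.0.6", "HTTP/intranet.corp.example"),
    _ev(4769, "2019-06-01T10:15:00", "alice", "10.0.0.6", "CIFS/files01.corp.example"),
]
# Burst: one user requests eight different service tickets in 14 seconds, all RC4.
SAMPLE_EVENTS += [
    _ev(4769, f"2019-06-01T11:00:{i * 2:02d}", "mallory", "10.0.0.77", f"svc{i}/host{i}.corp.example", "0x17")
    for i in range(8)
]
# Spray shape: one address fails once against each of twelve accounts within a minute.
SAMPLE_EVENTS += [_ev(4625, f"2019-06-01T12:00:{i * 5:02d}", f"user{i:02d}", "203.0.113.7") for i in range(12)]
# Noise: a single user mistyping their own password five times (should not be flagged).
SAMPLE_EVENTS += [_ev(4625, f"2019-06-01T12:05:{i * 10:02d}", "bob", "10.0.0.9") for i in range(5)]

if __name__ == "__main__":
    print("kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("spray sources:", spray_sources(SAMPLE_EVENTS))
```

The distinct-value count is what keeps both checks usable on real traffic: Alice's two ordinary ticket requests an hour apart and Bob's repeated failures on his own account do not trip either threshold, while the sideways guessing pattern (one password, many accounts) and the bulk ticket pull do.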
