
Evasion On Aisle Five: From Bacon To Beacon

BSides Leeds, 30:17, 186 views, published 2023-07
Style: Talk

Transcript [en]

Hello and welcome to Evasion on Aisle Five. I'm Brad Storen, I'm the global red team manager at BDO; I also head up the DFIR department as well. I come from quite an interesting background of private investigation, where I learned a love of breaking in covertly to places. So today we're going to run through a nice red team engagement. It's a red team engagement by one of the largest supermarket chains in the UK; let's call them Jesco. So Jesco have asked us to perform a red team, but it's a full adversary simulation, so we're going to go external, internal, and we're going to break into one of their buildings. But I would like you guys to join in; I want to make it interactive, so whilst we start I'll just take a show of hands of blue teamers. Good, we're hopefully going to avoid you today. A show of hands of C-suites, any IT directors, etc. And finally any hackers, aspiring hackers? We've got one more. IT admins, please show your hands. Just you? I'm so sorry. Okay, cool.

So let's start with some flags. The client has set us multiple flags, and as per any red team we need to try and capture them in any way that we possibly can. So we start externally: they've asked us to compromise accounts. All we need to do is compromise an account; it could be via phishing, smishing, we could befriend an employee, we could go dumpster diving for their password, or we could simply just guess it. Physically, they want us to gain access to one of their depots. Their depots, for them as a supermarket chain, are one of the largest targets that they have. The supermarket chain itself has multiple depots across the country; they haven't shared which one they want us to break into, and we have free rein of choosing it, but there's quite a severe footfall at the depots, so it's pretty good for us. The second flag they want us to capture once we break in, fighting talk I know, is we need to successfully deploy a network beacon. Internally, they want us to compromise multiple domains, it's not just the one, and the last one is on their parent domain. The last and the most important flag of any red team is: do not get caught. We're working against the SOC, sorry blue teamers, and we need to try and evade you in every way we possibly can.

So let's start with some OSINT, or open source intelligence. For those who don't know, OSINT is the most important phase of any red team. We need to think about what the client is exposing and how we can use that to exploit them. So we start with some subdomain enumeration. The subdomain enumeration phase is really important because we need to know what the client is exposing,

so we can start with some DNS enum, looking at their registered SSL certificates; a good site for this is called crt.sh. Finally, we can just do some simple Google dorking to identify any subdomains that we haven't picked up yet. The second area we're going to look at is usernames, and usernames are super duper important because our external flag is to compromise an account. If we need to compromise an account but we don't know what usernames they have, how the [ __ ] are we going to do it? So we start looking on social media. We extract their information from LinkedIn; we can rob all their information because everyone loves social media, so they register their company and they say proudly, "this is my job title". Here we're going to aim for C-suites, any big dogs that we can try and break into, because unfortunately you're not very renowned for having good passwords.

The second thing we can look at is previous breaches. Now, for the past seven or so years I've been creating a database of previous breaches, a bit like Have I Been Pwned if any of you know it, but this is really important for us during our red team because it means that we can look back at previous passwords set, and when we try and compromise accounts later on we can extract the information and use it to our advantage. The second thing is the very well-known social media site I mentioned earlier has also been breached quite a few times in the past couple of years, which is really good for us because not only can we extract the company emails, but we can extract their mobile numbers for any future phishing. We can also extract their job roles and any other juicy information that we need.

The final stage of OSINT I'm going to run through is, now that we've gathered the info, we need to try and look at the data the client is exposing. Are there any documents that we can see, that we can extract, that will help us reach our goals? Remember, it's a flag-based exercise, so we need to reach them. So firstly we can look at the subdomains that we very nicely enumerated earlier. The subdomains we got a bit lucky with: we hit the first four or five and then we come across their extranet, which they very nicely shared a pretty [ __ ] password policy on. Thank you, Jesco. So Jesco have shared this password policy to help their clients design a secure tenancy and secure logging on; however, we can see from it that they're only enforcing an eight character password, upper and lowercase alphanumericals and one numerical, but no special case. So it's a pretty good start: we can actually spray just passwords with a zero and a capital P

and we'll probably get some accounts. The second place we can look at is social media again. Now Jesco very, very kindly uploaded a pretty nice video of a tour around one of their Scottish depots, and I kid you not, this is actually how I've broken into a depot in the past. But throughout the video they leak quite a significant amount of information: they leak what we should be wearing, where we go, where IT sit in the building, how they dance if that's what you're into, but they also leak the entrances, their access cards, so we can just clone what they look like. The final place we can look at, and this is quite important when we're doing a physical breach, is the government sites for some planning information documents. Now when someone applies for planning information they upload a floor plan. These floor plans, for us, and later on when we eventually break into their building, are really useful so we know where to go.

Now let's start with the external compromise. Now this is our first port of call because it's exposed everywhere; we don't need to travel anywhere and we can use it to extract as much information as we possibly can. So you guys, where do you think we can start? Just shout out. Password guessing, thank you Lewis, a bit of a cheat, I work with him. But we can start with password guessing. Now password guessing, especially because we know that their password policy is poor, we can simply just spray a couple of passwords, and here we're going to use some nice tools. There's one made by Ellis Spring called CredMaster that uses AWS APIs to obfuscate where we're coming from, so the blue team have no idea that we're compromising accounts. Either way, we start spraying a password. Any guesses of what passwords we're going to use? "Password" is one of the ones that we're going to use. Anyone else have any guesses? Yeah, exactly that: June 2023, thank you. Put your hand up if you have a month, a season or a day in your password. Thanks Erica, we'll hack you later.

So we're going to start spraying Summer2023. This is my absolute favourite and I always, always get hits from it. So we start spraying some Summer2023s against the 100 accounts that we've extracted earlier, and bingo, we get three account hits on Summer2023. But we try and log in to Office 365 and [ __ ], there's MFA in place. Not to worry though, because Beau Bullock has designed a really nice tool called MFASweep. Now MFASweep checks if there's any misconfigurations in their Office 365 MFA deployment, and you guessed it, there is: the API configuration for their deployment is incorrect, which means that we can just

bypass MFA and then run a tool called AzureHound. AzureHound is a BloodHound collector; SpecterOps, if they're in the room, I'll catch them up later, because their tool is wicked. But AzureHound will essentially extract all the information that we need from their Azure tenancy. Now we've compromised the account and we've extracted a whole bunch of passwords, but we were only running against a small sample; now we have over 1500 accounts. So we just go back to the password guessing stage, and this is where "Password1" comes in really handy. In fact, we now compromise a service account. Now service accounts are really juicy for us because they run internal services, but people that Azure sync them don't ever think about logging in and setting MFA, which means that when we compromise the service account using our lovely "Password1", thank you very much, we can just bypass MFA by entering our own number, and bingo, we're into their Office 365. We've compromised their external perimeter and we can start our share drive enum.

So SharePoint, sorry to the singular IT admin in the room, is a really good tool for companies; however, it seems to be consistently misconfigured. Now SharePoint is misconfigured in such a way that it seems the IT documents are always leaked, and from our enumeration we've now extracted server listings, what security tools they're using, what SOC they're using, and it's the famous three letter one. What else they're leaking is some RFID documents against that nice Scottish depot that we saw in the YouTube video earlier, and we now know that at the Scottish depot the RFID access controls are outdated and pretty poor. Great news for us.

So we all jump on a plane and we hop off to Scotland. We know it's their weakness, we know that that's their weak site, we arrive and the place [ __ ] looks like Fort Knox. You start [ __ ] yourself, you're a bit adrenaline rushy and you think, I can't get anything, there's absolutely no way. So you walk around the building and, I kid you not, the place has air gap fencing, the internal fence is electric, which means that you can pretty much throw away your bolt cutters unless you want to have nice pointy-up hair, and there's CCTV cameras everywhere, which also means that we're probably going to get caught as soon as we try and break in. There's mantraps on all entrances with RFID controls, as expected, but there is a car park. Now Jesco have very kindly left the barriers open, so we walk into the car park dressed in our nice hi-vis, cargo pants, exactly like they did in the video. Absolutely no one inside is expecting us to be an outsider, great for us. So we walk through and we walk through

the stuff, blah blah, and [ __ ], we've reached another internal mantrap. What are we going to do now? So what are we going to do now, how do you guys think that we should bypass that internal mantrap? Good stuff, indeed. However, we're going to go down a slightly different route, but we are going to socially engineer them. So we social engineer: you guys walk up to the card reader, pretend like you're fixing it. I go up to the card reader too, and Joe finishes his cigarette break. Joe wanders up, he says, "what's going on, can I go in?" We said, "oh sorry Joe, we're from IT, do you mind if you give us your card, we're just checking that it's working because it's been quite faulty today." Joe very kindly hands over his card; little did he know we scan it on our Flipper Zero, we clone the RFID from it, and bingo, we've got one cloned card.

So now we've got our in, but let's not go in yet, because there's no point. We take that cloned card on our Flipper Zero and we go back to the pub, why not? We've accomplished our external goal; we can pretty much break in as soon as we want. So we go back to the pub, we have a nice pint of Guinness, calm down our nerves, pretty, pretty like adrenaline pumps at this point, and we write it from our Flipper Zero onto the staff card, as they're exposed in that very nice YouTube video earlier, using the Proxmark. Proxmark's a great tool; I advise any physical people to look into it if they don't know it. But we've now cloned the cards and we've got it on our own staff cards, so now all we need to do is go back on site and drop one network beacon. If you remember, that was our final flag within physical compromise.

We don't go back at any time; we go back at 7 pm. Why do we go back at 7 pm? Because one, we know that there's no IT going to be there, the offices are going to be empty, IT admins love to finish at 5:30. We also know that that's when the shift starts, so we can walk through the building with about another 100 factory workers and blend in perfectly. So we walk in the building. Obviously we've got our get out of jail free card, because when Joe finally figures out later that we've cloned his card and broken into the building because of it, he's probably going to punch us in the face. So there's two things that you need: one, a get out of jail free card, but you also need to, once you gain access, get some evidence that you're inside, and Jesco very kindly have left that staple

Santa lying around. So we walk upstairs, we know exactly where we're going: we walk in the building, we take a right, we go up the stairs, and unfortunately there's no computers there. [ __ ], what are we going to do? Everyone's gone home and they're all using laptops. But we see one network printer and we attach our network dropper to it. Our network dropper is a tool called Phantap; it's built by NCC Group, it's a really good network dropping tool. Not only does it allow for you to bypass network access control, it clones the device name, so you're not adding a new device to the network, and finally it has a 4G dongle that you can call home on. So now we've not only got a device on the network that no one knows what it is, but we've also got an external egress point, so the SOC are going to have absolutely no idea that we're exfiltrating their data. Wicked. We go back to the pub and we have a good couple of Guinness; you have to, we've got to celebrate them wins.

So we move on to our domain compromise. We're using an SSH tunnel from our reverse... from our dropper back to our C2. It's only SSH, but it's fine, it does everything that we need. So here's what we've already got: we've got credentials, and we know we've got credentials because we've logged on to them externally, so we know they work and we know that they're juicy. We've got server lists; we've extracted them from their SharePoint. We know what security tools they're using: Carbon Black is their EDR, Sophos is their antivirus, and finally Microsoft Sentinel is their SIEM. We know that they've got multiple domains. Have we compromised one already? Not sure. But we also know that they're migrating their current domain to Azure, which means that it's probably going to be pretty secure because it's only just been built.

So from our reverse dropper, or from our reverse tunnel on the dropper, we can run some passive listening tools. We start with Responder, and unfortunately we are plugged into a network printer, so we're on a segregated VLAN. Oh, what are we going to do? We then look at running some Active Directory enumeration. Now AD enum is loud as [ __ ]; the SOC should identify it. However, from our SharePoint enum we also know that they're using AD Explorer and Microsoft Sysinternals tools, so we can run AD Explorer to export a snapshot of the domain, and we're going to do it at a certain time. Why are we going to do it at a certain time? Because we need to obfuscate when we're running the tool, so we're going to run it at 9am when everyone else is logging in. This way, when we're pulling all the

attributes from the DC, it's going to be slightly hidden by everyone else pulling attributes for their own login. So now we've got an AD Explorer snapshot. We use a tool built by c3c called ADExplorerSnapshot.py and we can convert the snapshot image that we've taken from AD Explorer into BloodHound data. Really wicked: you've just converted a .dat file into JSON. We load it into BloodHound, and what do you guys think we should do now? Remember, we're against a SOC, so we're trying to be as absolutely quiet as we possibly can. We've already extracted all of their domain information, so we want to try and do everything locally. Now remember what we've already got: we've got server lists, we've got accounts, but we don't know what they do. So any guesses on where we should go next? Rachel? Yeah, yeah, we could tell each other they're not very good, but yeah, but we've already got our in, so we don't... we've got credentials. So we've got credentials, but we don't know what they do at this point.

So we take them credentials and we load them into BloodHound, and remember that juicy, juicy service account running "Password1" earlier? Guess what, it's a server admin, but only to Jesco's second domain. However, it's a server admin, which by default means that we're a domain admin, which is the highest level that we want to achieve on that domain, which is by far the stupidest DA I've ever gotten: an exposed account running "Password1". Come on guys. Right, so now we've got a computer where we're DA on one whole domain. We've only got one more domain that we need to get to, and it's Jesco's domain one, but we need to find some form of persistence. In a red team, the most upsetting feeling you'll ever find is when you lose that initial beacon; you lose access to that company, it's the worst. So, don't ever... try and find a form of persistence. Anyway, we start doing a bit more BloodHound enum. We look at the old operating systems on the network, and it looks like they're running a 2003 box, which, I don't know how good you are at maths, but it's pretty much 20 years old now; it was pretty crap.

So we start doing a bit more research into the security tooling that we have. Carbon Black does support Windows 2003, but only 32-bit, and we can confirm this later on in the article. Fortunately for us, that lovely server is also running 64-bit. So from our reverse dropper we remote desktop into that box. We're not going to use PsExec, we're not going to run anything that could get caught by the SOC at this point; we're replicating exactly what an IT admin will do. So we log in, and we don't even need to worry about obfuscating our payload; we

just simply drop the simplest of Cobalt Strike beacons. Bingo, we're in. So now we've got this 2003 box and we're going to use that to connect to everywhere else. Why? Because the SOC is probably going to identify if we're using a network printer to RDP into all of the other boxes. So now we've got a nice little backup of the reverse dropper, or the reverse tunnel from the dropper, and we've got this 2003 box as our persistence mechanism, which gets me swiftly onto where we're going to go next.

So the most important phase, like I was saying earlier, is of course enumeration. We need to know what we're up against and we need to know what we can extract without performing anything malicious. So we start looking for Panther files. These are old deployment files; they don't tend to have passwords in anymore, but sometimes you get a bit lucky. We can look for deployment documents, deployment shares: have you uploaded your golden image and are you reusing your password for that image, so are all of the machines on the network using the same password? And we can download that image and extract the SAM and SYSTEM hives and then run them against secretsdump. We can also look for memory dumps. Now memory dumps, from my experience, are about 50% successful; however, they're created upon a server crash and sometimes they contain the entirety of the LSASS process, which means that we can essentially run mimikatz by exfiltrating this file and loading it into WinDbg or Volatility and extracting the passwords in plain text, which is exactly what we want. We can also look for admin tools. I don't know if any more admins have come into the room, but by show of hands, does anyone ever use these tools? We'll be looking for them. We're also going to run for plain text passwords; we also like finding some nice plain text password documents on desktops. It's a sin of anyone working in IT, and the majority of other people, marketing departments as well. And lastly, we can look for SSH keys. This will help us laterally move to Linux boxes that probably won't be holding any EDR either.

So now we know what we're looking for; let's start our domain two, well, the final domain compromise. We know we're going to start with server enum, but we start enumerating through services, and again we're only going to be using RDP. We're not going to piss around with anything that will get us caught, because things like PsExec are so heavily fingerprinted now they will get alerted. So we're just going to RDP into other servers. We log into about two or three and we find one or two memory dumps. Fortunately for us, we've extracted a memory dump and that memory dump holds a

reused local admin password. Wicked. So now, instead of using that DA account that we compromised earlier, we're going to obfuscate where we're coming from by using that admin account. This way, if we do (touch wood we don't) get caught by the SOC, they're only going to disable that local admin account, which is actually really difficult, but they're going to disable that local admin account and then we're going to have a backup as our DA. Either way, we're about five or six servers in now, RDP into them all, and we're actually going to RDP section it: so we log in from our 2003, we move over to a 2008 box and then to a 2012. This way, if we get caught along the chain, they're probably not going to expect that we're at the 2003 box.

Either way, we start enumerating the user data files, or the user profiles, and in one of the user data is that lovely tool we saw earlier, mRemoteNG. Now for all of you that put up your hands, please don't use this tool; it is absolutely not secure. It backs up all the passwords in an encrypted format, but it has no master password, which means that when we exfiltrate that file, it's an XML, we load it into a local version of mRemoteNG and we can simply just export the plain text passwords in CSV format. Wicked for us, because we've also just compromised their ESXi. ESXi is a really, really good tool for us to use when we're performing a red team. Why? Because one, ESXi came out a couple of weeks ago and said ESXi does not support any EDR; in fact they said they don't support any security tooling, because it's not meant to be that way.

Either way, we've now jumped into the ESXi and we can also now exploit one more thing, and it's IT creating backups of VMs. Now we have access to ESXi, we can start and stop machines, whatever, but we don't want to make noise, and blue team are probably going to catch on if we start just turning off servers. But fortunately for us, Adam, let's call him, the IT admin, has made a backup of their newly migrated domain. So we just simply back that domain controller up, or download that domain controller, we load it into 7-Zip and extract the SAM, SYSTEM and SECURITY hives, and finally the ntds.dit. I don't know if any of you saw Andy's talk earlier, but the ntds.dit is the golden file; we call it a golden waterfall, but it's not the same. Either way, we've now completely owned the company. We've loaded these files into secretsdump and bingo, we've achieved every single flag that the company has set. Wicked for us.

So let me just do a quick recap before we move on to questions, although I'm not

sure we have time. One: when you're performing a red team, enumeration is the most important phase. If you don't know what you don't know, you're not going to get anywhere. Second: act as a human would. Why are we using malicious commands, why are we using PowerShell, when we know that IT admin actions cannot be alerted to every time they're used? Three: look for hosts that can't use EDR. I covered a 2003 box and the ESXi, but things like VoIP phones, printers, are great targets for us because they just simply can't support it, and this is literally the weakness of the country; let's exploit it. The fourth point is just look for some useful files. I covered memory dumps, I covered mRemoteNG; SSH term is very similar, you have to download and exfiltrate the entire configuration, with the entire document file, but you can just simply load it up. And finally, if we use all of this, you can absolutely compromise any red team that you want to. Thank you. Do you have any questions? Thank you.