
All right, thanks everyone. Hey, so our first talk is Brent Kennedy with CERT and then Jason Frank with the Veris Group: Go Hack Yourself, 10 Pen Test Tactics for Blue Teamers. I know it's a little bit early, so
good morning, everybody. That was less enthusiastic than I was hoping for. Thanks for coming, and thanks to everybody at BSides Pittsburgh for putting on the conference, really appreciate it. My name is Jason Frank. Again, I'm with Veris Group's Adaptive Threat Division. We're a small DC-based security consulting company. I run a team called the Adaptive Threat Division, a group of about 20 pentesters, so if anybody's looking to jump into pen testing, we're looking for senior to junior. I also teach the Adaptive Penetration Testing class at Black Hat coming up here. My specialty has been focused on building and executing penetration testing programs for both the federal government as well as, most recently, large healthcare providers.

And I'm Brent Kennedy. Can you hear me all right? I work across the city at CERT. It's on Carnegie Mellon's campus; it's part of the Software Engineering Institute. I'm one of the lead pentesters there. We partner with Jason's company and some government clients, and we do a lot of pentesting for federal, state, and local governments as well as a lot of critical infrastructure, so if you happen to work in any of those domains, come talk to me; we can talk after. We can do some really cool work for you guys, at a very good price, I can tell you.

And Will Schroeder helped write a lot of this presentation. We apologize he couldn't be here. Follow him on Twitter as harmj0y; he does a lot of cool stuff. He's one of the lead researchers at Veris Group, he's one of the co-authors of the Veil framework, if you're familiar with that, it's an AV bypass tool, and he's the sole author of the PowerTools, which we'll be getting into a lot today, so a big contributor there. Between the three of us we have about 12 years' experience leading pentest engagements. We go anywhere from the federal government, like I said, to private customers, so we kind of get to see the broad spectrum of everything.

So why are we here? Like I said, we do all these pen tests and we started seeing a theme. If there are any pentesters out there, usually at the outbrief on the last day you're talking to the customer, telling them what you found, and we started to see this trend where sysadmins, NOC guys, SOC guys would come up to us and start asking questions: how do I get involved with this? Is there any stuff on pen testing online? What books can I read? What tools are you using? And especially when we'd start going through findings, we'd say here's our attack path, we got in through this web app, and they were like, I've been here a year and I've never seen that web app in my life, how did you find that in two days? So we started thinking to ourselves, we're using all these specialty tools, why aren't the blue teamers using the same exact things? It could be for a couple of reasons. Obviously it's different sides of the fence; they may not have the offensive training. The skills, say Black Hat classes, are expensive. And really, thinking offensively is always a different mindset. Even though the attacker and the defender are playing in the same space, it's just a different way of thinking. And also sometimes the hacker tools, so to speak, get a bad connotation. People start thinking, oh, it's a hacker tool, it's just going to break my network, everything's going to go down, where in actuality, as you'll see here, a lot of this stuff is really just mapping, information gathering, things like that. It's not code execution and those things.

Quick poll: how many people here operate on the blue team? Okay, good. Good for you. It's kind of strange. We'll execute one- to two-week engagements, and in the course of those five to ten days we'll know more about people's network than some people on the blue side know. And so that's kind of daunting, right? You go into the outbrief and they're like, wow, I didn't even know those network ranges and those web apps existed. So we're trying to give you some tools and tactics to get the lay of the land and really dive into your network a little bit more.

So as Jason said, for you blue teamers out there, I will seriously buy you a beer later, because your job is so much harder than our job. Part of that, like I said, is we find stuff because that's our job; we're there to. But you have so many things you have to worry about. The biggest thing is you're just trying to find everything on your network. If you work for a big corporation, things like that, there could be stuff everywhere, especially if you work in university-type settings. We do those, where you have students and researchers who have the freedom to throw stuff on the network, and then it becomes your problem, and you have to worry about patching it, updating it. And it's not just OS-level patches, it's all the little software people are installing, custom apps, third-party stuff, and you're just trying to be consistent. You might have a standard base image or something that everyone uses, but then you're going to get the special request, you're going to get the CEO or whoever saying I want this, I want this music, I want whatever, and they get to break policy, and then you have to worry about that. And not to mention cost. Everyone in this room probably knows this; we're always up against it. Probably no one in here has an unlimited budget to do whatever you want with, so you have to pick and choose what tools give you the best value. And finally, it goes into the whole political thing. Security is always going to be the trade-off. I think it's getting a little bit better, and I think that's just because CNN is saying the word hack every day, but you have to get everyone to buy off on getting the security products, because some of them aren't cheap, and until something happens people don't think it's important, until you get breached or something like that. So that's what we're aiming at here: that we can maybe give you some of these tools, some of these tactics, that can give you that leverage down the line to have some political capital, I guess.

So on the flip side, as an attacker, we'll talk from a high level about what an attacker is looking for. They're looking for the same thing. They're trying to find what hosts are on your network, what's out there, your domain structure. Are you a big AD shop? What groups are there? What are the admin groups? Is it default, is it custom, those sorts of things. Also software patching, because they're going the opposite route: they want to know what patches you have so they can exploit them. What version of IE are you running, what version of Java are you running, those sorts of things. And it's all to find those attack vectors, those exploitable conditions, that they can use to find their way into your network and pivot around. And certainly attackers are there for a reason. They're after your crown jewels, they're after making money, or embarrassing you, or doing something. But it's not so much just finding what your crown jewels are, that may be obvious depending on what business you're in, but also how to get there. And attackers always take that path of least resistance. They might not be trying to break into your database directly to steal all the information; they're going to pivot around your network and steal the DA's credentials and just log in. So there are always those different paths that are sometimes hard to think about that attackers are taking. And as you can see from the list on the last slide to the list on here, attackers and defenders are looking for the same information all the time: the whole inventory thing, patch cycles, those sorts of things. So that's another reason why we started doing this presentation: if we're using the same tools to find this stuff, maybe defenders can use the same ones as well.

So, some pros to hacking tools. This isn't inclusive of every hacker tool out there; obviously some are a little worse than others. But everything we're talking about here tends to be smaller scripts. It's not the big COTS product installation that has to go on everything; this is just stuff you can run quickly with Python or PowerShell, things like that. Some even run in memory; they don't even touch the disk. Free is awesome. I think everything we talk about is on GitHub, which is great. It's straightforward, easy to use; you just read the flags and play with it. And most importantly, as I said, hacker tools get that bad connotation sometimes, but a lot of the stuff we're doing here, especially the PowerShell stuff, is using valid system calls. It's talking to the domain just as a user would, just how you interact through your computer. It may be doing it in bulk and a lot of the time, but it's valid calls, it's valid traffic, which is good if you maybe have to get some sign-off to run stuff on your network; usually this will be a little bit easier. The bad side of it is the same thing: it's valid stuff, so your IDSs and things like that might not catch it, so it's kind of a double-edged sword there.

Yeah, I have conversations with blue teamers a lot, and they say, well, we don't have the budget, we don't have the political buy-in to get there. And so these are quick wins. It's a list of quick wins that are going to allow you to build some momentum within your organization. You'll find information, you'll actually make changes to your security posture, hopefully enough that if you have to invest money down the line you're going to have the clout to be able to go and say I need this for this, right?

So you're going to see kind of a trend here for a lot of the list. We operate as pentesters primarily in a Windows environment, and now a lot of you are saying, okay, the crown jewels are on *nix boxes, they're on databases, that type of thing. Chances are, though, the most common way into an organization at this point is spear phishing, right? Send an email. A lot of people click on emails; people click stuff all the time they're not supposed to. And so what's going to happen is when people click on those emails, chances are you're going to land on a Windows box. That Windows box is probably going to be in user-land space, which is connected to a domain environment, which, as a pentester or an attacker, we can leverage to move around your network and get the access we need. The Linux and DB admins are going to have Windows boxes that we can leverage to just log directly into those crown jewel target boxes. So that's kind of our attack path. That's what we use, and because a lot of it is using valid credentials or valid calls and things like that, the blue teamers can tend to be blind to our activity. That's why we're trying to educate you on how we're doing it.

So does anybody use PowerShell in their day-to-day operations? Yeah, so if you haven't jumped into PowerShell yet, I only saw a few hands. For Windows this has been a huge step forward from the admin side, and I always talk to people and say pen testing is just admining with a different intent, right? Everybody was afraid when Windows 7 and Windows 2008 came out; they're like, oh, all these memory protections, all the traditional buffer overflows, they're not going to work because of ASLR and DEP and all that. And, well, okay, but then people started hooking into PowerShell and seeing the real power behind it and what you can do with it, and we've actually put together on our team a library of offensive tools that we can use to carve through a network pretty quickly. There's a note here that I want to cover real quick. Microsoft intended to put an execution policy in so that by default you can't just import your own scripts and modules and things like that and extend PowerShell's functionality. If you just put that little flag there, it bypasses it all. Kind of funny.

So let's take a look at our arsenal. Some of the stuff you might know: nmap's been around forever. A lot of the tools here are stuff we write internally; a lot of my guys write them, with the exception of PowerSploit, which is written by a different group of people, Chris Campbell and Matt Graeber. But nmap is used for mapping out your network. EyeWitness, which we'll talk about, is a screenshotting service for your websites. PowerSploit is an offensive PowerShell toolkit. PowerUp is kind of neat because we use that heavily for privilege escalation. PowerView we use pretty extensively for querying your network, and we'll talk about a lot of the features there. And then Egress-Assess, to test your boundary defenses and detection for data that leaves your network.

So now we'll get into the fun stuff. We're going to go over ten tactics, and they kind of follow a theme. Each of them has three things: they're quick to run, they generate a lot of data for you, and they're free. As we said, most of these are on GitHub. So our goal there is that when you combine those three things for each of these, it's going to give you an immediate value. We like to say it's stuff that after this you might be able to pull together in a script; if you're a sysadmin or something, you might be able to run this while drinking your coffee, daily, weekly, those sorts of things, and see some changes there. So I'll let Jason start off here with the assets.

So the biggest thing: what's in your network? A lot of people are like, I don't know. Actually, they said, we're going to use your pentest as our inventory exercise. Okay, all right. So, free and cheap, right? Use nmap to conduct a network discovery in your network. Hopefully you know your range; hopefully you don't have to ask. And then put a cron job out there: every 25 hours, go ahead and scan your network. What this will do is, over the course of the month, it will detect changes within your network throughout the day. There are going to be some network enclaves where you should see a lot of change; that's going to be user land, right, as people put their computer to sleep and wake it up and all that. But there should be things that don't change, like your server enclaves, your database enclaves, that type of thing. If you do see deltas there, you can script up alerts real quick and take care of them as needed.

What we do once we find the endpoints is we do a service detection, and we find out, okay, what TCP services are available. Anything that comes back that's common for the web, 8443, 88, those types of things, or whatever tells us it's a website, we throw into a tool called EyeWitness, written by Chris Truncer, one of my guys. What it does is it reaches out and creates an inventory of all those websites, and it's in a local HTML document, and you can just quickly see all the web applications within your network. These slides are going to be posted, so here's some syntax that you can use, both for endpoint identification as well as service identification, and then what you can do with EyeWitness there. And here's a screenshot real quick of EyeWitness. What it does is it summarizes at the top what it's finding. It does attempt categorization between printers and network appliances and potentially highly vulnerable web servers, and then it also gives you a running inventory here of a screenshot as well as a little bit of information about the requests.

Okay, so as Jason said earlier, we talked about spear phishing. It is kind of the most common attack vector today. It's cheap, we all hate it, but it kind of is what it is. So imagine you get spear phished; 100 people get spear phished, whatever. They're going to land in 100 different places within your network. Maybe they'll get a sysadmin or something like that; probability-wise, no, it's going to be in the HR department, it's going to be the ad department, whatever. The first thing an attacker is going to do is really look at that base image and try to find out what it is, what's on there. It goes back to what the patches are and things like that, and they're going to try to escalate. They're going to try to take the basic user who clicked on that phishing email, whoever that may be, and get bigger privileges. And this also goes back to the consistency thing. You may have a consistent Windows baseline or something that rolls out to every single user, and this is how you want to check that. A lot of people say, every Patch Tuesday I patch it, and that's great, you need to do that, but that's just taking care of the Windows stuff. Going back to it, it's the third-party patching, it's the custom apps, things that are specific to your business. You might have developed stuff in-house that may just be running at higher levels, things like that.

What's going to happen is, one of the PowerTools is called PowerUp, up being escalating up, and what it does is it goes through all these baseline checks. The Invoke-AllChecks function will check everything. Looking at the screenshot here you can see what it's really doing: it's going to enumerate every single service that's running on there, and it's going to start checking things like what is that service running as, what are the permissions to run the service, to start and stop it, things like that, what path is the service in. So this runs almost instantly on any baseline. We suggest that if you have multiple baselines you make sure you're running it on each. For example, the one that's highlighted here, you can see that this temp six service is vulnerable: vulnerable service executable. What that means is the path: that's a service that's running at higher-level privileges, and the normal user shouldn't be able to mess with that service, but they can write to that path. So what you would do is make your own temp six malicious executable and replace that, and a lot of these admin services start on boot, whatever. You reboot the machine. You're familiar with the sticky keys attack; that's what this is. Reboot the machine, and it'll run your malicious executable at those higher-level privileges, and that usually gives you a shell back at a different level. So that's just one example of priv escalation, but this tool just goes through and checks all of those. If you're wondering, first of all, this is not intrusive; it's just checking stuff. Number two, the list of checks is pretty well documented. We're going to give you some resources on what exactly it checks for. A lot of this is just publicly available information; pentesters have been talking about these escalation tactics for some time now. We just made it pretty quick and easy, one PowerShell script.

Yeah, so the next tactic is my favorite one. I won't say show of hands, maybe, but how many of you, whether you're at work or somewhere, fire up Windows Explorer and see the network button and kind of look at it and wait and see everything populate down, and you see Joe's computer and you're like, let me take a look at that, and start looking through people's file shares? Yeah, all the time. So attackers and pentesters do it too, because you find a lot of stuff in there, especially if you're in a big corporate environment. You have file shares everywhere because they're needed; people are doing projects, they're sharing stuff between different departments. But things can get misconfigured. One of my favorite stories is we were on an engagement and we got into this guy's computer, and in his home drive he had an Excel file, and honest to God it was like 350 lines long. It was just column A username, column B password, column C what it is, and it's like my ten credit cards, my three bank accounts, my retirement, my domain password, everything, even his ESPN. Everything was on there. And you're like, why do people have it in the clear? Yeah, password B. But that's just personal stuff, and obviously that can be bad, but you also think about if your company's harboring any sensitive information, some proprietary stuff, things like that.

And so the next tool we'll show you kind of looks for all these file shares. It's PowerView, which is a very powerful tool. This specific function is called Invoke-ShareFinder, and what it's doing when you run it, this is a PowerShell script, is it'll just query the domain, and the domain will be able to return, and this is as a normal user, you don't have to be elevated at all, the domain will return every single file share that it knows about on every single computer. Additionally, you can add the -CheckShareAccess flag, and that's going to check the current user you're running as; it's going to check to see what that user has access to. So we will always run that, and I'll show you with the screenshot here. As you can see, it's given a list of things, so those are the file shares that the user it's running as has access to. This is obviously a demo environment. We highlighted that there's a secret folder there that's actually hidden, so we'll pull back hidden folders as well. But we also see a lot of things like, you see ADMIN$ there and your eyes light up, because that means that user can absolutely remote to that system and actually gain access to the host. So this is one I'd like to tell blue defenders about, because like I said there are so many shares out there and it's so hard to keep track, and a lot of people have access to different things. It might just be a nuance where we see a lot of folders that are configured nicely, it's only this user, this user, and this user, but then someone checked Everyone at the bottom, so it just negates everything they were trying to do. We find ways like that, and this is a big way attackers are using to get around the network, for things like the ADMIN$ share.

Yeah, you're going to notice too that this really comes down to configuration issues. If there's a group within a subgroup in Active Directory and you add the mother group to a share, then you don't realize that you're adding more people than you think to the share. This tends to happen. We actually went into a bank recently, and we were able to see, as a normal user, so somebody, anybody in the company, clicked on the email, we could see all the personal files of every employee, because what they did was they added all users to the parent folder, and so we just jumped onto the president of the bank's share, and he had just an Excel sheet of Socials and PII and all kinds of craziness. He's like, yeah, we need to verify our accounts that are held by actual people per regulations, and it was tens of thousands, unencrypted. And this is another one where, back to -CheckShareAccess, if you're a sysadmin and you have this ability, make a user in each different group, whatever groups you have within your company, and then run this to see, because it might not just be looking for wide-open file shares; you might also want to check to make sure that users in this group don't get to see certain things. Everyone in the company shouldn't be privileged to everything, depending on where you are.

So it's good to know who your admins are, especially if you have a complex Active Directory setup. Depending on the size of your organization, if your organization has made acquisitions, if they've bought companies and you just merged Active Directory infrastructures together into this Frankenstein setup, sometimes it's really hard to derive who the admins are. So it's good to know that, and again we talk about the concept of nested groups. PowerShell again, a situational awareness tool, allows you to get the admin groups; it allows you to recurse these groups to figure out who exactly is in these groups and has access to what. And here's a quick screenshot of that.

But more importantly, where are your admins operating in your network? Does anybody have a policy that says, okay, if I'm an admin in the network I need to have a regular unprivileged user account that I'm supposed to operate with? Yeah, perfect. So how many admins actually adhere to that? Oh, good, good, congratulations, you get a beer later. Chances are they don't, right? And so they say, well, I'm an admin, I know what I'm doing, so don't worry about me. But as an attacker, if I get access, or I get one of those guys to click on something, my job becomes a lot easier because I don't have to escalate; I already have admin privs on your network. Again, PowerView. What we do is we perform this technique called user hunting, highly documented by Will Schroeder. The purpose of this is, again, PowerView reaches out to your Active Directory infrastructure and queries it: where are all my hosts? Give me all the hosts. And then it reaches out to those hosts and queries: who's logged on to this host? And then what you can do is say, okay, if this person is in this specific group, and typically we're looking for privileged groups like domain admins or server admins or desktop admins, that type of thing, if you're in this certain group, return for me the box, the endpoint, that this person's logged into currently, and the name of the user, so I know who to target, right? As a blue teamer, you want to know where these admins are residing within your network, because if you get access to one of these boxes you can use that access to move throughout the network. So you want to make sure that these things are locked down. You'll see things like file servers, DCs, that type of thing. You want to make sure these are protected so it's a little bit harder for the attacker to get there.

So this will be a quick one. I'm not going to bore everyone in the room with password policy; we're all mostly security people while we're here. You probably have to yell at your significant other, your mother, your grandmother: change your password, change them often. But it can be hard in a big environment to make sure users change their password. Sure, there's Group Policy, sure, you can force some things, and that's great, but there are also other things out there. There may be systems that are under the radar; there may be people that are excluded. You get your C-level, your board of directors, who don't want to have to deal with all your crap, but they still need to change their password. So this is just a quick check to be able to check for the last time passwords were changed. Nothing too crazy here. You see the Get-NetUser command, which is part of PowerView, but that's really just your standard net user command that enumerates everything, but then it gets piped through a lot of commands there that are really checking for, at this one you can see the -2, meaning a year, 12 months, checking for those accounts. So when you run it, it gives you a nice listing of your entire domain, of usernames that haven't had their password changed within a year. Like I said, for the most part this is probably going to be taken care of by Group Policy, but this is a nice way to check to make sure nothing has fallen under the radar. Plus you see a lot of service accounts that were pulled from this demo; that's probably true in your network, because they're probably not adhering to your policies the way you're set up, or they're not in that. Some of these may or may not have to be changed, but service accounts can be just as juicy as regular ones on some occasions.

(Audience question.) No, but I mean appliances, services, yes. So those are things that service accounts can have. Going back to the service checker, PowerUp, they may be running under a specific service account for whatever specific custom software, and they might have elevated privileges. So yeah, like endpoint management, you'll usually see that as a service account. If some admin's putting in some sort of management hack to do something, they might create their own service account that runs around and does that stuff, or the admin group might just share some global admin account, which is great.

So talking about domain trusts, we could give a whole talk on domain trusts. But again, think back to the concept of acquisitions, right? If a company buys another company and they're hooking their Active Directory infrastructures together, a lot of times, to make things work right away, what we as attackers will tend to see is that they'll just globally trust each other. And so what that means is that an admin in domain A can then become an admin in domain B. And so if a subsidiary is getting acquired, and maybe they didn't have as much money, they didn't have as robust a security posture, and the mothership is sitting there and they just hook together, then you can just ride in through the subsidiary and get up to the mothership and then get the crown jewels of the mothership. And so that's how we tend to operate. Again, PowerView can do this for you. It has a function called map domain trusts; again, these are all just system calls to your Active Directory infrastructure, and you can export a CSV. What Justin Warner, another one of my guys, did is he figured out a way to visually represent these domain trusts using software, I think it's called yEd. It is free. So what will tend to happen is we'll jump into the core network, spear phish in, and these are kind of shaky jumps up to the mothership, and then we might jump over to contracts and then just ride trust down into another company, and then jump into the crown jewels eventually, right? It takes a lot of figuring out where you are in the network, and typically this is a little bit of a longer-term engagement, but it can be done, and something like this is very good to present to your management structure to figure out, okay, what's talking with each other.

Excuse me. The other thing is your domain controllers and Active Directory tend to be highly critical boxes within your network, also other high-value servers. But who has local admin access on your domain controllers? Sometimes, obviously, the domain admins or the enterprise admins in the domain are going to have access to the domain controllers or the file servers or things like that, but what we'll see on occasion is other people, other admins. We find that some admins tend to be a little bit lazier than others, and they might just add themselves to the local admin group on the domain controller. So instead of me running around your domain infrastructure, if I know that I landed via spear phish on this specific admin, I might just try logging into the DC directly. So it's good to know all the different ways into your domain controllers, into your high-value servers. Again, as an attacker I'm going to take the path of least resistance. You can also do this in PowerView: figure out your domain controllers, and you can look at the local admin group here, and here's just a quick screenshot of what you might see. It might be a little bit hard to tell, but you'll see domain users versus local users here.

So say you're starting a job, you get a computer, you have a desktop computer, you get a laptop, you log into that thing, and all sorts of things happen. There are things on your desktop; you might already have a printer set up; there might be some file share set up for you. All that stuff is being set up with Group Policy Preferences. Really what that's doing is, when you're logging into your computer, it's going to query the domain, the public SYSVOL folder; it's going to look for these XML files. Those contain all the actions needed to, let's just say, set up a printer. Some of these, though, need local admin, so in that XML file there's a cpassword field containing an encrypted password. I think it's encrypted with AES and then it's base64, I think. Your computer brings that down, and it has a built-in Microsoft decrypt key, and it decrypts the password and runs the administrative process, and now you have a printer. Great. Anyone know what the problem with that was? Yes, static key. Yes, not just that, but Microsoft published that key to, like, the internet. Yeah. So attackers lit up with that one, and this is using Matt Graeber's PowerSploit. Really what that's doing is exactly what your computer just did: it's going to query the domain, look in that SYSVOL folder, it's going to pull all the XML files, and it's going to look for anything that says cpassword. It's going to use the key that is just built into the tool and
it's going to start decrypting them and here you can see where those keys live um you know and some some password some administrator passwords because that needed to do the function because it's an administrative function um yes this has been patched I think it was the 14025 ms425 patched this um so you know most people are probably good with this now but once again you know on pet we see everything you still see XP machines you see 2000 so this is just a nice quick way to get gpp password to be able to make sure that you know you're you're rid of this in your entire domain found a Windows 2,000 bucks on a pentest one time and uh the
guy was like oh yeah we usually um unplug that whenever the Auditors and pentesters turn around what do you guys use it for CD burning great all right um last one's a little bit of uh it's a biggie um especially with a lot of the breaches uh that are happening um we've actually gotten a lot of interest within the healthc care space most recently about this um but what you can do and this kind of requires a little bit of an infrastructure setup you can use an Amazon free instance um but you can use a tool called erress assess again written by one of my guys um essentially what it does is as an attacker once I
get to the point in the network where I know that I have access to your crown jewels whether that's you know patient data or if it's like Financial Bank data or um you know anything choose your poison um what I want to do is I want to test your erress capability so I'm in your network I want to see if you can detect sensitive data leaving your network and you know I might try to be you know kind of quiet at the beginning I'll it in h you know SSL and you send it out if you don't see that then I'll say okay well do it an HTTP clear text do it an FTP oh you're still not seeing
it well now you have problems um but what we what we use this tool for is to generate a a bunch of of data fake data either credit cards socials you can generate uh as of last week you can generate full identities uh fake identities uh random usern uh first name last name address um social that type of thing and so what you do is you set up an a a border box maybe like I said an Amazon and you set up the server uh piece and the type of uh mode you wanted to drop it into and so in this case it's going to be a web server excuse me and then on the client
you know kind of like you've been doing all along with the windows uh Powershell stuff is you can import the Powershell module for eag SSS and then specify the mode specify where you're going to send the data to um and then the data type and hopefully what you see is this is a screenshot I know it's hard to see this is a screenshot of snorby which is the front end for snort uh you'll see an alert pop and you'll see the data right so this checks for two things right it says okay one am I actually getting the alert that I'm supposed to no okay stop we'll you know tune your stuff um or if you are getting alert do
you have the process in place to actually act upon this if you actively see xfill happening within your network are you in a position to rapidly stop it and then eradicate whatever's on that box that's causing the xill if no then we we have to have a discussion so to conclude here um you know what did you learn and don't say nothing at least not to my face um we hope if you take anything away from this is that you know maybe you know if you got people out there that on the blue side of the fence you know you won't be as scared as hacker tools or you may start looking into the hacker Community
um and start trying to pull down things that may make your life a lot easier um you know every with the tactics I think you know like I said before we're trying to make sure that they were quick uh they give you a lot of data uh and they're free so uh as you saw here a lot of these are easily repeatable you may not want all of them or deal with them but you may be able to take a couple of them may be able to script them together even more and like I said run it run it in the morning while you're having your morning coffee um and a lot of these is
Jason I think kind of mentioned before uh you know we weren't really exploiting anything this wasn't you know it was safe it was just you know domain queries things like that things on the network so and what they're really trying to do is just find those misconfigurations because nowadays you know the you know externals getting smaller things like that people are getting better with patching you know it's still out there you still have those you know exploitable conditions where you need that new new great remote code exploitation whatever A lot of the times attackers are getting in spear fishing they're moving around their Network they're trying to find that one misconfiguration that's going to give
them that those that domain admin and then they're just going to walk in your database or whatever it may be so our goal here was to hope that these tax will help kind of you know rid those of your network um and help find those misconfigurations we want to get to the point where we're not in our out briefs and as pen testers we're asking The Blue Team about their Network and saying well I didn't know that existed right that's the whole point like a lot of this stuff is s situational awareness and gaining a a deeper understanding of what's going on within your network right and finally like a lot of the oper too you know we
have you know we'll you know we'll see a great it crew but they may be like three people deep and it maybe this major organization and they're just like we just don't have time because like I said your job is hard and you have to cover so much ground so we're hoping that with this being free and and repeatable that it may give you that some of that leverage that you can maybe take up the chain you can show your bosses this you know look up you know look at the holes we have in our Network and it's not a matter of just oh I can go fix them right now it's we need resources we need
appliances to detect you know EG stuff things like that so yep so I mean the take away from this is you gather information uh to make immediate impact uh you gain your political Capital do what you need to do profit all right so again my name is Jason Frank uh on Twitter it's Jason jrank um we have a whole bunch of stuff uh at our blog vers group uh adaptive threat division right there um a lot of the writeups and things for how to really I we quickly went over a bunch of these tactics but for how to really jump into the tools and extend the functionality is all written up a bunch of use cases are up there as well and
then you can actually get the tools most of them are on our site uh because a lot of our guys are writing these things uh but then some of the third party ones as well questions you guys said that it's important to isolate your domain controllers and your important systems but you also said about of these enumeration attacks run on regular active Rec call so how do you isolate your servers but allow them to be open sure so the question was you're saying that we need to isolate our high value servers however a lot of these are writing over SMB and active directory calls which need to talk to the end points anyway there's a couple different
ways to do that um things that I've seen are authentication firewalls um where you know in order to actually yeah you can query the DC but in actually in order to log into the DC only certain accounts are allowed to do that the other thing that I've seen is Microsoft uh and we can talk off a little bit offline about this but Microsoft has put out this concept of a red Forest um and essentially what this is is a um it's a domain setup that employs um some readon uh type setups and that type of thing I I can't really jump into the specifics but there's there's definitely ways to kind of onclave off and not allow for
direct login access there any other questions yep how is uh configuration management like puppet and Chef helping prevent people from needing to log on at all and have those privileges on this boxes I I'd use puppet like a little bit and I think um you know we talked to some people that do and you know correct me if I'm wrong you know it's it's certainly good if you can get if it's configured well and if you have full control over things because you're right if you can use puppet and you can you know everything's going through that you know for a fact that every machine is going to be configured the way you want to configure it um but I think a lot of
people they struggle at getting to the point where either they have full control over that they can make those decisions or you know those sorts of things where you know other people just still need this they still need that they can't get everyone in the organization to buy in the puppet or those sorts of things so um though it is can be a bottleneck obviously if you have something wrong with your puppet configuration then you're in trouble because then it's going to light up the whole Sky yeah and what we'll see too is you know we'll make recommendations and we'll say okay well there are things that you can do um but what ends up
happening for a lot of the environments that we're going into is they're not they're not ideally set up right you know the yes EMT exists yes there are other controls out there that you can put on however people aren't doing it and usually it's a function of time budget that type of thing but um yeah I mean puppet is definitely a good step forward any other questions cool thanks for the time everybody