
2020 - Red Teaming is Fun! - Donovan Farrow

BSides Denver | 55:30 | 29 views | Published 2020-10 | Watch on YouTube
About this talk
This presentation goes over the methodologies and techniques I use when performing penetration tests. I will explain to the audience to always look at the low-hanging fruit first and see what escalation can be achieved from that compromise. This presentation covers the following penetration-testing categories: "Exposure and Intelligence", "Scanning and Vulnerabilities", and "Exploitation". All of these tools are open source and can be duplicated by the audience. I further show the audience how I was able to own each client via redacted screenshots to drive home the tools discussed.
Transcript [en]

Perfect, perfect. Okay, hopefully everyone's good to go. All right, so I was going to do this a little different. I've been in the industry for a while. One of my favorite things to do is actually help people get into the industry. I've done some pretty intense talks, and as you felt watching, you guys have some pretty in-depth stuff, which I think is wonderful and I really appreciate that. Working with a lot of people, they always want to know, like, "I want to be a pen tester," because that's what everyone wants to be. And it's sad, because the blue team gets sad because they

always get, like, people who right-click and change admin accounts in AD and stuff like that. So I'm trying to get more into what pen testing is. This is super high level. If you have some questions, I can go as deep as possible. I do have some qualifiers to let you know who I am. If you guys have any questions, I could talk about anything you want to talk about, except Bitcoin; I don't have any time for that, I think there's a different talk this afternoon. So anyway, this is me. Who am I? I have a company, doesn't matter.

Entrepreneur of the Year, 20 years of experience. I've worked over 2,000 court cases, 200 pen tests, 150 incident response engagements, and also some in Vegas, so if you go to Vegas, let me know, I'll let you know the best places you can win at the casino. Also, if you didn't know, I was there when the guy hacked the temperature gauge on the fish tank and was able to laterally move into the casino and breach that. I don't know if you caught that; it was really cool. So again, that's who I am. If you guys

have any questions about this stuff, just let me know. And I kind of start this from the get-go: first of all, I love this movie. If you haven't seen it, please do: Kung Fury. I'm not sponsored by them, but it is hilarious, because this is the hacker man, right? So any time you get into a red team incident, everyone's like, "Man, I want to get in there, I want to run all these scripts, I want to be hacker man. If I have a background in coding, can I be the best hacker?" I would say, out of all the pen tests that I've performed, you

don't have to be that, we'll say, code intelligent. I can do a little bit of coding, but I'm not a coder, nor have I ever been. I have a heavy background in networking and digital forensics and stuff like that, network forensics, even desktop support. So I've come up through the ranks, starting at a help desk, learning what a computer does, how it works. A lot of vulnerabilities aren't really like, you know, a new vulnerability just got released, or a 0-day, right? Those do happen, but to actually get a hold of those and actually be working for a client, unless you just, you know,

do it for fun at midnight on your VPN client coming in from Russia, you don't really get a lot of that stuff. So working in the private sector like I do, I'm just trying to take the hacker man kind of thing, and everyone wants to be one, which is fine, it's cool, but maybe if you could make some money and not go to jail, that might be another option. So that's kind of what I do: offering these ideas and these opportunities to people that feel that they need to be more advanced than they

are. So I'm just going to go through the methodology that I've come up with, and I'll just show you some steps, without using heavy exploits and stuff like that, and what I've done to take over companies within 5 to 10 minutes just using tools that are free and are basically generic networking tools. So again, high level. This is more for a crowd that wants to get into the industry, and I always try to be a huge advocate for people that want to learn, because I feel like the more we share, the more we grow, and I'm always looking for

people's feedback and people coming into the industry, because it's pretty limited. So I'll get off my soapbox. Getting into pen testing: first you've got to get a baseline for security. What does that even mean? Getting a pen test is just saying, okay, why are you doing it, what's the whole point of it, and what are the goals? Some people don't want you to just break in and start, we'll say, trying to exfil their data. That's not really what they want. There's more value out of, "Hey, you know your email server is open to the internet for some reason, I don't know why." We had a

client that just had a baseline, and they wanted a red team exercise, that was their term. They wanted it on one IP address, and it was their email server. Just generically, we were able to trace their email routes and find that they were going through some... it was like an old email admin had actually set up some boxes at his house, and all that company's email was going through that guy's house for about six years, and he had been gone for four of those six years. And what does that mean? That means that he was potentially, I didn't say he was, stealing their company information,

private information, for four years. I'm kind of writing this into the blue team, because if you don't know blue team it's hard to do red team, and if you don't know red team it's hard to do blue team, right? So kind of bringing those together. And the second is, I always discover a vulnerability. What does that mean? Everyone wants to talk about, again, the latest and greatest vulnerability that's happened. My favorite one to talk about is EternalBlue, and I'm so upset that people are upgrading their stuff, because that was super fun. We're going to go through that. But even an open port. I'll give

you an easy example. If you use, there's like an open port scanner, or Angry IP Scanner, or something like that: ports, right? So people don't think about that as a vulnerability. It totally is. You don't have to have some type of Nessus scanner, or even your open source scanner, or whatever, Qualys. Just run a port scan, and what you could do is find, like, generically, even last week I ran one on a client we were working for and they had FTP open. Okay, that's maybe not abnormal, kind of weird to still use FTP. So I just pull up my FileZilla, because it's super

easy and it's free, and then I just log in anonymously. And maybe you think that's kind of weird and that doesn't happen; well, it happens all the time. I do appreciate that the industry is way ahead of its curve on some big, heavy pen testing items, but I would say, I mean, 95% of all companies have never had a pen test, maybe 90. They know what it is, they know they need it, and if they do get a pen test, it's not a pen test, it's a Nessus scan, and whoever bills them for that calls it a pen test. Personally, I mean, even just having a port scan and what's open

is pretty amazing. It's also a good idea, using a port scanner, to see... because you have these super crazy, crafty IT guys that will change the ports, right? So they'll say, "Hey man, telnet, it's not what it is," and it's like 1337, which is one of my favorite ones. Anyone who tries to change a port to leet, I'm all in; I think they're the guy in the picture, right? They're hacker man, right? So it's on port leet. Also some great Trojans run on that port, anyway. But it's good to know. We're all talking about breaking into something heavy, but just breaking into

just a normal person's environment or company, they're not running... they're not closing their ports that are open, or they don't even know. Typically, secure your environment, of course, right? So that's kind of why you do it, right? Because you don't know what you don't know, right? So a lot of people are like, "We don't need a pen test because we're secure." Well, how do you know? And if you do know, have you done a pen test? And if you have had a pen test, did you actually find the right vulnerabilities? That's why, in any group, as you guys, if there are many corporate people here, you should always rotate your pen testers after a certain

amount of time, because they're vertical. Just like Joe was saying earlier, your vision, your scope is different, right? Whether you come from, you know, whatever your background is, whether it's teaching or where you grew up, your vision, your scope of that is totally changed, and the focus of the actual attack will be different. So it's a pretty cool thing. That's why I always like to mix it up and have new people with new ideas. Again, what this talk is trying to do is get new people into the industry that have a different background than us on this

call today. Also, another reason to pen test, right: you make auditors happy, which, whatever, right? So if you need that, you should get that. And also this kind of pivots into the blue team. One of the things I do the most when doing a pen test, and I give this to you guys, I highly recommend it, is when you're doing a SQL injection or some type of attack, I always recommend that you record those times. You write the time down, you know, 11:00, I was trying to DoS the Discord server, maybe I was, maybe I wasn't, who knows. But, you know, did anyone catch

the logs? Were you guys paying attention? If I was attacking you, do you even know what it would look like? Swinging back to the blue team: if you have an attack, and when you get into the blue team vibe, right, you have these cool devices that when something goes bad it blinks right at you, and that means bad, right? So you have this red light and it's like, "Hey man, this is bad," and then you respond. But what if someone broke into your facility and you didn't know? So that goes back to: you don't know what you don't know. So doing pen tests, you've

got to document when you're doing your attacks, because it's going to help the client, it's going to help you guys, even internally if you're working on your own home network and stuff like that. If you do, you know, cause a brute-force attack, that's cool, did you see it? And if you didn't, why did you not? This goes back to even incident response: pen testing, hacker came in, they did a brute force, well, how long were they brute forcing? Oh, well, apparently it was three months. Okay, well, that's not good. So then we have to go back and find those rules. I think pen testing,

to me, is like the first step: getting there, you've got to find the vulnerability, you pen test, and you can start encouraging the blue team. So I just kind of want to throw that out there. Plus, you know, you get these cool reports and the auditors, and, you know, the company still makes money. Also, the last reason that everyone wants to be a pen tester is because you can be super cool hacker man, and you get to go to cool conferences like this and like DEF CON, and you can wear black t-shirts and you won't be called a goth or anything, right,

because you'll be like the new punk rock, right? Everyone watches Mr. Robot these days, so I think that's the new vibe. I like that. During this presentation, I actually do like you guys to learn a lot, so if you have any questions, you just want to interrupt me, or just tell me to hurry up, I'm totally open to that. I have someone actually watching that, so they can stop me and tell me to stop talking. So if you have any questions, type them in and give me a hard time. And again, I appreciate you guys inviting

me. Okay, first thing, before I even get into hacking. So we have a thing called a red team exercise; you may have heard this. To me, this is a true pen test. A traditional pen test, and I'm just trying to give you the scope, because I feel like a lot of people are always so deep about what they're into. A pen test traditionally is someone comes in, and what they do is they're like, "Come on in, come sit down," and you plug into their network, and they either have DHCP or they have static, and if they have static then they give you an IP, and then you start to perform your hacking.

To me, that's not a real pen test. That is an organized vulnerability assessment, an internal pen. That is not a real pen test, because, as you guys know, if you ever get asked, "Hey man, I need to breach this company," what's the first thing you do? And if you don't know, I'm glad you're here: exposure intelligence, right? So I'll give you something super simple. When we're doing a full red team engagement, so it's top to bottom, we do vishing, obviously, voice phone calls; phishing, which is, you know, click emails. Those are,

I mean, those are pretty cool and hot and everyone talks about those, but to me they're kind of boring, just keeping it real. What I like to do is, technically, the first thing we'll try to do is "whing," that's a term I'm sure that I made up. So what I like to do is immediately, generically, go to LinkedIn and get all the cool technical people, because everyone wants to say what they're doing, and typically over time you'll know if they have their email address, so their domain, right? Mine, if you want to look mine up, it's totally cool, but you'll know my domain, right? So

it's either firstname@domain, or firstname.lastname@domain, or first initial plus lastname@domain. What that does is you can basically really quick go on the internets and LinkedIn or Facebook or, you know, that other trash, I mean, social media, and you can quickly find all the people that you need to attack, whether they're sending an email or stuff like that. There are also free verify-email sites that you can go on; you can type an email and see if it punches back. There is some resistance in that, because it is free, and if for some reason you use too many a day, just use your VPN, just

connect from a different one, so you can have kind of unlimited verification of email. And also what I love the most is, before we do a straight cold red team attack, meaning all we have is a company, I love it when people put their talents, something that they're most proud of, and having that knowledge, that's how we will kind of classify our attack. If someone always talks about social engineering through emails and stuff like that, we probably won't go that route. So then we'll kind of flip the script, and what we'll do is we'll probably go to a physical pen test. We'll try to

ethically break in to the company, either through their badge system or their card system. So what we'll do is, if we feel there's too much, we'll say, talent watching the actual border of the infrastructure of the network, we'll go on site. We will case the place, which I love; again, we're like professional paid criminals, by the way. We'll go and case the place, and we will actually look at everyone's badge. We will go to Home Depot, or, Home Depot... Office Depot, and we can recreate that badge within about 10 minutes tops, right? We just have to reclassify it and get it,

and that's kind of another reason how we go in. A good story behind that, as I kind of go through the presentation: we had a client whose network was pretty rock solid. We couldn't get any spoofing emails through, we had already pulled all the information from LinkedIn, Facebook, and we were just not getting anywhere. So what we had done was, we had actually gone and cased a facility. I found that there were a few people that were outside smoking, so we created a badge to get into the facility. And it was funny, as one of my engineers, I was like, "Hey man, do you smoke?" He's

like, "Nope." And I was like, "You do now." So I went and bought him a pack of Camel Crushes, and I had him sit outside with the smokers and listen to what they were saying. So the whole point was, what we were going to do is, we were going to have to sandwich into the company. So sandwiching is like a sandwich, right? So you've got two people here, whatever, we're going to go in the middle. So we were able to scan through, and if you realize, as he went through, he was listening to what they were saying, they were talking about what our client does, he was able to ride the elevator with them, go up to the top

floor, and scan in. They even said, "No, you go first." He's like, "No sir, after you," because they were being overly polite, and it almost caused us to get caught. So the first guy badged in, my guy badged in. If you don't know this, when you have a badge, it actually will scan, it'll go beep, it may turn red or green, right, but it'll still beep. You won't hear a different sound unless it's a different mechanism. So all they did was hear a beep, right? So we're using the intelligence of normal behavior: hey, this guy's talking about what we're talking about, he's come up to the same floor, I heard a beep, and they let him

right in. And the cool part about that was, I told him to go in, and they were having a lunch, so I told him to make a plate of lunch, and that's how we were able to input USB sticks. Kind of going back through that... yes, question: the difference between a pen test? Okay, so a red team engagement, again in my vernacular, is we have a company name, go fight. That's pretty much all we ever get, and that's the real exercise of trying to attack a company. As opposed to a pen test; a pen test is more of an orchestrated simulation of an attack.

You could do a, quote, pen test from the internet, you could do a pen test internal, you could log in, you know, that's where I say they walk you in and you do your network scanning tools, like that. I classify that as a pen test. Red teaming is the stuff that I love; that stuff is super cool, and that's where they give you the full scope, just, "Hey, here's a company name, just do what you've got to do." Is that good, Teddy? Okay, cool, thank you for the question. Okay, I'm kind of going through, as before we attack, we have the red team and the pen testing. Man, it's so easy, like,

man, you can find IP ranges. If you don't use Shodan, shame on you. Welcome to Shodan. It's free. All you've got to do is type in a company email, I mean a company name. It won't come back every time, but it will if you just give it some time, right? You've just got to research and research. If they give you an external IP address, you can do more research on that. Obviously their business partners: another thing we were able to do is, we were able to call into a company. What companies love to do is brag about their business partners and the business they do with those partners. We found a

client that had said, "Hey, we're doing business with this big development company, they're called X, and they're here, and here's the guy we're doing business with." So what we did, we took that awesome press release and built a vishing campaign. So I called in myself, and I was able to convince the lead designer that we were going to send them a new upgrade. Since there was a software development company, we have some devs on our side that created an exploit, and we were able to infiltrate the company, upload the exploit to the test server, and that was part of the job. And also, known vulnerabilities. Again, I just

go back to, I go generically, there are many other sites; even Shodan shows known vulnerabilities. They're out there. It's that easy, and from that point you have LinkedIn information, you have IP ranges, and also net worth, right? I think this is where a lot of the ransomware guys, I think they're getting smarter about this. I mean, they hit up a company and it's called X, they've got to type in "company name net worth," and they'll say, "Hey, they're not worth 20 million, they're worth 5 billion," and then the ransom goes up. And if they don't do that, then I just gave them too much information, but just saying, it's out

there. Pastebin sites, oh my gosh, man. My favorite thing to do, probably every day, is watch the trending Pastebin site, trending Pastebin. You can go on there, there are leaked usernames, passwords. We have some crawlers that we like to run, so when we do reconnaissance, maybe we have some leaked stuff that's only out there for a day or two. Again, let me take a step back for some other people. A Pastebin site is when people anonymously post something; typically they usually do it for doxing, I mean, it's just what they do, doxing, or they also do it for leaked credentials, vulnerability code. They

also do it if they're about to breach a company. They will put it out there and say, "Hey, I'm going to ransom you," and that's how they show proof, so they'll throw a Pastebin link up. If a company's getting hacked, that's another way that they transfer that information, saying, "Hey, not only did I hack you, here's a taste of the data." I've seen databases leaked out there. Going to tell you another one: we worked for a company that got breached, and they got a really cool email to their network administrator, and it said, "Hey, guess what, we have all your stuff, and if you don't give us money,

we're just going to collapse everything." So what they had done is they had actually leaked, they said that they were going to link this information to a paste site. We got engaged, checked it out, and it was pretty legit. Lucky enough, I guess the client decided that that data was old and it wasn't worth their time, but it was interesting to see that kind of play out in real time, that there are people out there that do that for, you know, different reasons. I mean, whatever, hackers are out there, so that's why you all have a job if you're in this industry, so you can say thank you

to them today. All right, dark web. I know this sounds cliché, and I apologize to everyone who's cringing at this point, I do as well, but it's fine. So if you actually go on the dark web, deep web, you can literally buy exploits. Be careful, because they probably have malware in them anyway. I only give this example because we were able to go on there and buy a RAT, remote access tool, is what a RAT is, sorry about that. We paid, it was literally five bucks. So we have a, whatever, we have a Bitcoin thing that we use, and we're buying stuff. Kind of

back and forth, there are some Bitcoin exchanges, I said we'll talk about that, let me... never mind, forget Bitcoin. But we bought it there, and it actually gave us remote access to a client, inside of their financials. And how? Because, again, that's the red team, right? So we found out we had a RAT available, we were able to remote in and start taking access to that company. What we found out, the next thing was, we had to immediately contact that client and say, "Yo man, we were able to get in, this is not good." And then we have to figure out why did this happen, why would this even be available? This was when Team

Viewer didn't have the dual authentication yet, and what happened was the head financial leader, adviser, whatever, for the company had some computer issues on the weekend, and her son's friend did computer work, so he installed TeamViewer on there, was able to get in with default credentials, boom. And he just never uninstalled it. So that's how it happens. So you kind of have a full circle, which I love: having the red team, having the blue team, you can learn a lot, and again, for all you people in the middle, purple team as well, right? So that kind of makes the blend there, right? You don't know what you don't know.

Reconnaissance: list forums, discovery, purchase data about the company. You can do this all the time. I mean, you can be in forums. I don't do it as much as I used to. I used to have a few accounts, sock puppet accounts. Sock puppeting is like a sock puppet: you put a sock on your hand, you go in a forum, and then you just start Google-translating all your English into Mandarin or Russian, so then you can look super cool. And it's a little confusing, because it doesn't quite add up, but then you can start getting some information, and then translate the information

that's in the forum that could be potentially locked to the outside. Good luck getting access these days, but it is a thing that happens, and that's kind of how that works. Okay, any questions yet? Perfect, okay. All right, here's one tool that we use; you guys can use this. It's 3.99, which is my favorite price. This tool is called Maltego. Again, it has an example; I use theirs because I didn't ask for permission to put this in the slide, so I'm just using stuff from the internet, so I'm not endorsed by these guys, but they're super cool. It's free, it's on

Kali. Again, you can type in an email address, you can type in, whether a Facebook account, a MySpace account for you super old people. You can even type in newsgroups for you really super historic Linux/Unix people out there. It also comes up and does this really cool spider pattern on who's connected to what. Also comments on YouTube, comments on Google, video rips, all kinds of stuff out there. And if you want to get a little more advanced about it, you can pay for other threat feeds inside of Maltego, and it's minimal. I mean, if you really want to do

some real cool reconnaissance, here's what you use. We may or may not use tools just like this before you hire anyone, and I think you should do that too: before you hire someone in the security field, you should probably do your own background check, because you're going to look kind of silly if a client brings it to your attention what a potential employee is doing. And also it's a really good thing to see what the internet has about you, right? It's a lot of cool things. Again, you can look up yourself, look up me, or whatever; it's all out there. So it's something to look at and see what's

kind of available and kind of go from it. It's really interesting. If you guys haven't used it, man, I highly recommend it. Here's another shot of it. This is one on a span of a network; this is us putting in some IP addresses or even a company name, and it quickly spans the internet. You've got FTP sites, you have their Windows accounts, you have their 365 scores, all classified to that company. You have all kinds of stuff. I mean, there are also exploits that claim that they may have been associated with the company, you have listserv drops, all kinds of stuff. I hope that

you guys are currently using this tool; if not, you should. It's really cool. Oh, also RDPs. I have open RDPs going. I'll go back: remote desktop protocol, that's the tool that you use just from Windows to remote into a machine. It'll also verify if the guest account is still available, which, if you still have guest on your computers, machines, please disable it, because people still today have the guest user enabled, which is insane. But again, going back to: you don't have to be super crazy like hacker man. Just knowing how a computer works would be great. Now I'm going to give

you one other cool thing about just knowing computers. I was working for a financial institution, and you'll love this: we were scanning a port, and I forget which one it was, I think it's like 1234. It was an old one called, you guys remember NetMeeting? Like, again, I'm aging myself now, but this is way back in the day. So there's the NetMeeting port, and this actually was open on this financial institution. What they had done is they had actually merged with another company, and they needed someone to go through and check vulnerabilities. Now, is that a

vulnerability in itself? No, it's not. It's a port, it's an open thing that you can touch, right? So what we were able to do is, since it was actually a Windows 95 machine, obviously a lot of exploits for that, so I had to go back and use the old-school NetBus. If you don't know what that is, that's some super old stuff, but it was fun, right? But just knowing that, just being in that when I was a little kid, knowing that information can bring it into, this was like three years ago. Just knowing that information, being in IT, that makes a really good pen tester. It's not

so much the skills you have, it's the knowledge you have about the systems, the environments, networking, and how you would actually perform security. So again, my soapbox. Okay, scanning and vulnerabilities: what does that mean? Okay, let's see what I've got here. Why do we scan an environment? Well, we scan it, this is different, so we do port scanning, I talked about that way earlier. Vulnerabilities, man, there are so many out there. I forget the one, and shame on me, I always call it Greenbone, but that's not what it's called: OpenVAS. I always say Greenbone, like the old one has the green helmet guy, whatever, the dinosaur. Anyway,

so, yeah, so you've got to scan. Why? Because there are vulnerabilities, there are CVEs out there that you don't know about, and why would you? That doesn't make any sense. So you have automated tools. We've already done the exposure, the intelligence you do, and then you do an automated search, again, for vulnerabilities that may or may not be in that environment. It saves you a ton of time. I say this all the time: is one scanner good enough? Absolutely not. I don't know why you would do that if you have access to use multiples. I mean, I know time, and when you get into a company, a business, they may want you to use a specific one because it's

been approved by change control, and that's super boring. But then if you just use that one, then, you know, use your port scanner yourself, because a lot of those vulnerability scanners, Nessus, Qualys, all the main ones, they typically don't scan all ports unless you specify, and I feel like that's the coolest part: scanning just manually, even in Nmap, that you can kind of scan, you can get your own, basically pull your own data. Again, not practical, a single scan. Next step: a vulnerability is found, now what? So we talked about vulnerability. So a vulnerability, again, I'm being super generic, I know a lot of you know this, right, so it's something, it's a

it's a way that you can gain some type of access from a computer. It's a way that you can get inside, or maybe to inject code, modify, gain access to a device. That's really what a vulnerability is. And again, I kind of already went through multiple ways to get it. It's not just scanners, it's intelligence, it's the company's exposure, it's people that have worked for it. Because, again, everyone thinks the computer's vulnerable, well, that's super cool, but what about the people, right? How vulnerable are the people? That's a huge vulnerability, that's a big one. Again, I go back to, everyone's all about these phishing emails, but what about voice,

you know, a voice, being able to convince people to do stuff over the phone, is that a vulnerability? Absolutely. So we're not just doing the scanning, we're also collecting all vulnerabilities from the human aspect, from the physical door aspect, which we talked about earlier, and also from the computer aspect, because I feel like a lot of people, when they do a pen test, they're so just like in this little box. Plus you guys don't like to talk to humans, I get that, man, I'm not about that either, but that stuff's exhausting, that's why we work with computers. But like, you have to realize what's a real vulnerability. You're limiting your scope when

you only think that a vulnerability is just a computer. So upset about that. Okay, and then another thing I always recommend: if you guys are helping a client out, you got to do like another 30 days. So after you help them, you help them and you kind of hack in, or even if you're helping, you know, your own network, what I love the best is when you provide a cool report to an IT guy and then he gets super upset, and then he gets really mad, and he's like, this dude, and he puts on his Power Glove because he's so upset, and he knows way more than you because he's been working in the

field since whatever. Just scan it 30 days later and see if they actually fixed it, because it happens all the time. They always say they fixed it and they don't, and that's not what it's about. Pen testing is about helping somebody to secure their environment. Business-wise, otherwise, that's different, but I'm saying, like, you guys that, you know, work, have a full-time job, that's your job, your job is to secure the environment. It's not there to make people happy or whatever. Just tell them the truth: we talked to robots, the robot said you were vulnerable, so fix it, and then I'll ask the robot if you're vulnerable again and they'll probably say yes or

no. So it's pretty simple. I feel like that gets pretty confused in a business as well. Okey-dokey, this is just an example of an OpenVAS scan. See, I forgot it's in my presentation here. Oh, by the way, guys, this is free, so if you have never used it, please do. Before you scan, make sure that you update your signatures all the time, and secondly, be careful what you scan. According to the court, I believe, scanning is not a crime, but gaining access or modifying anything is, so that's up to you. So I recommend doing all testing inside your own private network. But yeah, yes,

this is free, so you guys should check it out. There's a lot of stuff out there. It's heavily, I would say, updated by the OpenVAS team, and thank them for being a part of the security world, because, you know, a lot of people need to learn and not everyone has enough money to buy a scanner. So I think it's a good part to donate to that, and I appreciate them for doing that. So, if you guys have ever seen what that looks like, it looks like this, so I thought you guys might want to check that out. Okay, another cool one. If you guys do not know

what Nmap is, welcome to the internet. Nmap has been around forever. Nmap is a scanning tool. Again, it's more automated, but what I love the best, this is actually my favorite one, is not only can you scan a full subnet, meaning you plug into a network, you get an IP address, and you can scan from one to 255 or whatever the network architecture is. What I also love about this, there's a lot of vulnerabilities you can obtain from this. When you have the scanners, you have to realize is that they're really loud. When we do the red team stuff, again, I appreciate me qualifying that, when we do a red team

one, we will not use a scanner like a Nessus or OpenVAS because it is too loud. What I realized in the past is, when you make, obviously you don't want to make enough noise, especially if an IDS, an intrusion detection system, or intrusion prevention system gets you, then you're going to be blacklisted and your IP address will be banned, and then the event is over, and then you're super sad because you lost, and whatever you got, you got, the blue team won. So what I recommend is, I call it walking it. So you can slow down, and in Nmap, by the way, Nmap is a, you

can use a CLI. This is a picture of Zenmap, for people who don't have, we'll say, command line interface skills or terminal skills. I know there are some people out there, I know probably a lot of you like terminal stuff like that, but there is Zenmap, which is basically the GUI insert for that. I want to let you guys, so the example here, just scanning an ASUS router, it lets me know what ports are available on that. I'm looking, I can't point to it, but it's 80, 53, 8443. I only point those out because it's an odd port. Someone may know what that is, but that's an easy way to

jump in there and say, man, that's a weird port, what is that? Again, just go to Google, figure out what port it was and see how to connect to that terminal. And when I say walk, going back to the walking it statement, is when you use a scanner it usually will scream. Let's just say you did the basic ports, I think it's like one to, or 1024, right, port 1024, and it just shoots like all those sessions, say hey, I need all this information, it'll be screaming right in the face of that machine, and it'll do it through the whole network. But this, when you can actually slow it down and say,

is port one open, port two, three, four, and you get it all the way to 65,000, whatever, 65,000, I forget, but you guys, what you can do, that actually keeps it low profile, and typically IDS/IPS systems will not utilize this type of transaction because it's not loud. It does take more time, but if the point of the red team is actually breach control and not be caught, this is a way to do it. And it's funny, because it's an old tool, and again, how you could subvert this, which we have done for other clients, is no one should be running this ever. So if there's like any type of user

agent you can ban, if it says nmap, probably should ban it, or any type of use of a scanner inside of, we'll say, the finance group. Why is someone using it in the finance group? You can write blue team tools and also Snort rules for this stuff, that's a whole different discussion, but I was kind of bringing that full scope on how the red team can encourage and help the blue team learn. So if you guys don't know what that is, if you can't do command line interface, use Zenmap, it's easy peasy. Okay, all right, you guys ready? It's hacker man time. All right, so what are we talking about? So Kali, if

you're super old, use BackTrack, and I'm gonna make fun of you forever, and we can hang out and we can talk about the good old days. So Kali Linux is a Debian-based Linux distribution aimed at advanced penetration testing and security auditing. Okay, what this is, so I'm not going to go through this because I feel like there's probably like eight other presentations on Kali, but I'm going to tell you, this is the tool that you use when you find the vulnerabilities, and I'm just kind of explaining this for people who may not be aware, right? So let's go back. We're into doing a red team. We found intelligence, the intelligence brought us

into a company. We were able to get into a port that we found, we'll say again just port 22. We used the Metasploit tool in Kali, and it'll do a scan, say hey, this FTP server is vulnerable to X, then you use the executable, or the, you execute the whatever, execute on the machine, that way you can take full control. So you can use basic other hacking techniques. This is more of a, I would say, a full access granting, taking control of that. If you guys, again, I don't talk about Kali too much, but using those different exploits that you can download is a good place to start.

There's so many resources out there. Again, I highly recommend just downloading a Windows XP machine and putting it on your network and start using, again, you can run the scanners against it, you can find what it's vulnerable to, and you can use those exploits from Metasploit to take over the machine and gain full access. The next part of this presentation is going to be probably pretty quick, but I want to let you guys know, like, kind of using, like, you don't have to be super hacker man and know a lot about, you know, Linux and stuff like that to be a good hacker. I'm just going to give you guys a few

examples, just knowing technology, to kind of basically take over a company, and you guys can do this at home. All right, so the first example is what I was able to do. This is, again, this is a printer. No one cares about printers. This is so stupid, no one wants a printer, right? What a printer does is it usually has email addresses, right? So if you can exploit a printer address with the magical password of admin/admin, I was able to gain control of this printer, and it had a full list of every employee in the company. Okay, that's super cool. So I was able to get

that information, and then I was able to start, then we actually planned an email attack on the side. At this same course, we were able to also get, since we had admin access to the printer, every email that was sent to that printer, we had it exfil. We put a forwarding rule, anything that was scanned into the machine, we forwarded outside the company, and we were able to exfil the company through multiple PII and stuff. Obviously we were hired to do this, this was an ethical engagement. What I'm saying is, a lot of people think that hacking is like, you know, using, you know, the Metasploit tool. Again, I agree with that, I think

that's great, but just knowing that a stupid printer, if you just typed in the model name and typed in the default password, the stuff is still out there. These screenshots are not that old. Even, I would say, even a month and a half ago I was able to get into a printer and do the exact same thing, which was even cooler because I set up SMTP on it, so I made it a mail server just to send out my mail and my messages from the printer, that way if anything came back to me as the hacker, it actually would come back to the company and they would get the letter from the FBI, and that's a whole

other thing. This was a really cool thing. So we talk about just IP scanning. What I was able to do, just using a scanning tool, what I had found is, again, I was on site, I was able to just run my scanning tool, I was able to identify a SolarWinds box, and again, just using the default credentials, I was able to, someone set up a SolarWinds box, and I had asked the client, said hey, do you have SolarWinds? They said absolutely not. But what someone did who used to work there, and this is typically, it's just, you know, neglect from the network, I was able to find all

their entire network, the entire company, within 5 minutes, because someone was super generous and was able to put every subnet in their SolarWinds product that was hilariously expired but it was still running on a box that they had no idea about. That's super cool. That's quick reconnaissance, and that was a quick takeover of the company. That wasn't crazy hacker man. I always think people, especially in IT, are super intelligent, but I think they always overthink everything, and sometimes you just got to take a breath and just take a step back and just kind of keep it simple. As you run into, you know, a difficulty, then you can start turning up the, you know,

running scripts, and maybe running custom exploits and stuff like that. But again, this is, you know, if I started running exploits, you know, custom exploits, I would have totally missed this had I not just run just a port scan, right? Pretty cool. Again, I talked about this one, FTP that was open. What I was able to do was, we were able to just anonymously log into this, no password, FileZilla, free, and we were able to actually put execution code on this and take over a box. So again, having write access to a machine via FTP because it was open, and they quote, don't use FTP in their

company. What that means is, we shouldn't be using it and I don't know who is actually doing it. Typically what that means, again, doing something super simple, taking over a client, executing something, FTP, because we had read/write access, we were able to take control of that machine and kind of move along. And then, kind of again keeping it simple, just getting into, so this was a vault that no one had ever seen, ever, in their life. That was what they said. We were able to scan the network. Actually, when I did a scan, I found this port that this camera was running on. I put the

port in Google, just being super generic. I was able to pull in what tool runs on that. I found out what vendor it was, downloaded the application tool to authenticate with it. It was all default, credentials were default, so I had like, this was the server, I was the host, I installed everything default, and then I was able to connect to it and authenticate, and I was able to see in their vault. There had been people that had worked there for eight years who had never seen inside this room, and we were on site for just a little bit and I was able to see. So

pretty cool. Okay, also, if you guys, this is more of the Metasploit, this is not as cool as it used to be because it's kind of played out, but again, if you guys, there's full instructions on the SMTP open relay. This is something that has been available externally. People put the OWA, you may remember that for Outlook, and people are trying to move away from that, but there's still multiple out there. You can even go to Shodan and type in OWA, there's still a lot of sites that are vulnerable to this. If you kind of look, it says mail from,

it says Kenyan Kenya Prince at kenar room.com. We sent it to the guy who brought us on, and if you look at the subject, it was "Nigerian prince needs your help," and I said, yo, I said, hey bro, please send a Bitcoin wallet, can you conference, and I said I will expect to hear from you with respects and irregardless, which, I try to be funny. Another thing we use this on, again, this was something that was open, and the cool part about this one, I'm not going to go too deep into it, but what it does, it actually, when people connect to their OWA, and you don't need password credentials,

it actually hijacks that session and gives you full access. Also, at the same time, you can download all their attachments in their mailbox. Another client we did this for, I actually told their whole team they could go take a vacation day, because the guy who hired us, I hijacked his mailbox and told his whole team they could go home on vacation, and he actually let them go home, so it was funny, so it was good times. Okay, and if you guys are unaware of EternalBlue, which is my sadness that everyone's patching it, it breaks my heart, it's really not that difficult. If you use Metasploit,

there is a walkthrough just on how to do this. I love this one just because at the bottom it says "WIN". What we were able to do is, again, scanning the machine, found out it was vulnerable to EternalBlue, run the Metasploit tool, it's really almost that easy. But I think a lot of people really want to be super hacker man, but they don't want to actually do their own research. I hate to say, but they, and plus they don't understand networking and how all that works. Kind of saying, we were able to exploit it using Metasploit and it said the word WIN, which gets me super pumped.

After that, and here's kind of the next step. So if you guys don't know what this means, I'll kind of walk you through it. I'll tell you, because I know you're reading it now, but once we gained access to the machine, one of the machines, I made myself a net user, and it was called Alias, password is this. A net user is a user agent on, or user profile on, the machine that I actually input into the computer. I create a username, I created a password, and then if you look at the bottom there, I made it a local group of the administrators. This goes back to me knowing how

computers work, making myself a local administrator on the box. What I further did, since we didn't have domain access, I know that the typical, because this was a server that a lot of the server admins would log into, I know that the server admins would have probably domain access, so I put in a booby trap. We put in a, if you guys aren't familiar with this, we put in a booby trap. So I put in a batch file that, when X logs in, I put the batch file in the startup folder for all users, so when they log in, it makes the Alias account a domain user for the entire

company, which they did because they had maintenance, because it was Patch Tuesday, gave us domain access that way, and we were able to take over the whole company. So again, just knowing how a computer works, you don't have to be super hacker man. I just kind of wanted to share those different examples and let you guys know that if you're kind of wanting to get into it, I highly recommend it. You don't have to be, again, an extreme coder or something like that. There's always a way, just understand how computers work, and maybe it's, don't think too difficult about it. Oh, I was just showing you that I was able to get into the machine, get access here,

so I made myself an admin account. I was able to log in and take control of the machine. Some takeaways, let's see here. Exposure, intelligence, it kind of brings it down to this. We talked about that, like, you know, see what this client, see kind of what you're working, even your company, what are you guys exposed to? Have you ever looked on Pastebin for your company? Ever looked for your name on the company? Have you used Maltego? There's other tools you can use that are out there that have some really good intelligence behind them, big fan. Scanning and vulnerabilities, we talked about OpenVAS, Nmap, please use

those, those are the greatest things in the world, depending on the objective of your goal. If you just want to scan and check vulnerabilities, use OpenVAS. If you want to do maybe more pinpointing, and maybe see if there's some oddity ports open, you can do a port scan, enter IP address, do a drop-down and select all IPs or all ports, and it'll give you a cool rundown of that. Hacker time, I talk about understanding Metasploit. Once you find the vulnerability, that's when you can start executing on the box and see if you can take control. There's so much stuff that's

released all the time. There's a few companies that are really behind the Metasploit development, and if you do have some questions, the communities, I feel like, are always there to help. As for myself, if anyone ever has any questions about stuff like that, I'm always down to help. It's not too difficult to find me on the interwebs. Shoot me an email, whether it's about blue team or something you're seeing, or red team, or any of that stuff. I do like to help, and that's why I really like to participate in as many BSides as possible. And then, again, after you, you know, you show, you know, whether your boss or whatever, yourself, that you're able to

fix it from an IT perspective, make sure you rescan. That way everything's actually secure, and when you actually put your seal of approval on it, it is completed. And then at the end, good luck, have fun, for all you gamers out there, and then that's the end. I'm definitely here to have questions. I ended a little early, but if you guys have any questions, again, about red team, blue team, purple team, incident response, penetration testing, all that cool stuff, let me know. Yeah, one question that came up, well, first off, thanks very much. One of the questions that came up in Discord is, what are your thoughts on the use of zero-day vulnerabilities during

a pen test? And I know that's kind of a holy war to some. No, so I guess the answer is, so a zero-day, I would say, the first thing is, did the client want it, is the client aware? So we have had clients that said you bring whatever you want, so we are able to create our own 0-day, you know, exploits, because of the infrastructure they have, that it wouldn't be seen by AV or anything. Typically that kind of starts moving into the code pen test also, which also is quick into the web app pen test, which is like a new vertical that is really cool to get into, using Burp, Burp

Suite, for all that. If the client wants it, sure. Typically they get kind of pissed off because they're like, we didn't know about this, how would we know? If we didn't hire you, it wouldn't even exist. So I guess that would be, I guess I'm like 50/50. So if someone wants to pay me to do it, then I'm down. If not, then I probably won't put the extra effort in, unless the goal is like a capture the flag, which I didn't talk about. Capture the flag is another pen test that can be used for that, that says, hey, we want you to get access to, you know, this server just

specifically, that server, or domain access, or, you know, we want you to attack our core switches. That's a little different. So I'm kind of 50/50 on that one. If someone wants to pay for us to develop a 0-day when we're on site, that's cool, and if they don't, then I wouldn't do it, just because it's a waste of time professionally, because we don't drop those either. Some companies, they make money off that, and that's cool too, and sometimes we use those during engagements. So that's a great transition. Talk to us about scope of work. Yeah, so that was kind of like, I

think that's a huge problem with our industry. There's so many, I literally just kind of went through multiple pen tests. Again, I'm using the word pen test generically. There's web app pen test, there is external pen test, there's network pen test, that means someone's going to walk you in hand to hand and plug you into the network and let you do their work right there. There's also, again, we talked about pen testing, physical pen testing, and you talk about social pen testing, that's where you do the voice phishing and the email phishing. People don't ever define scope. They're like, I want a pen test. I'm like, what the hell does that mean? Do you

want a vulnerability scan? Because it's probably what you think you're asking. Do you want me to just tell you what you're vulnerable to, like what you need to patch, or do you want us to try to break in? And if we do break in, do you want us to try to get access control? And if we do get access control, do you want us to try to modify something? And then all that is something that needs to be defined when you get into a scope, because I think people, when they ask for a pen test, which is good, one of our biggest problems in this industry is no one really knows what the health

security is. But now people understand what a pen test is, but they don't understand there's different levels of a pen test and how far the scope can go, because you can get yourself in some hot water. Case in point, a company out of the area that you guys are in was arrested because the scope of work wasn't really nailed down and qualified, and they got arrested on three felonies. They have been released. I personally put out a call to drop those charges, because it was BS. But just saying, I, even though they didn't get, you know, they got released and all that stuff, I can't even imagine

someone in our field like that, just trying to do their job, getting arrested. I bet that was pretty wild. So, hope I answered that question. Right, and one of the topics that has come up in chat a couple of times now is that, classically, if you exceeded the scope of work you might get your hand slapped, but recently we saw a pretty high-profile case where two pen testers were arrested and it ultimately boiled down to a game of politics. There's a great article in Wired that goes through the entire story. It actually has body cam footage of sheriffs talking to them, the whole works. And there's more in the

Discord chat about others that have been arrested, so definitely something to keep in mind. Yeah, again, I even hate to bring these knuckleheads into these, but, you know, maybe run it by legal, you know, make sure the scope is understood. Make sure that, typically, and I always make sure that I have a really good relationship with the client itself. Make sure, and if they are super sketchy about it, you know, I have to take a step back, and you need to think about that when you guys are out there doing this, is if your client doesn't trust you, the security guy, then you probably need to

be very careful. If they're asking you maybe too many questions about what are you doing or where, like, I mean, there's a difference between qualifying a vendor and there's a difference between, like, I don't think I trust you, I think there's something going on here. You need to be very careful because most likely they're going to probably set you up for some type of trap. So I also recommend, when we do any type of, if I were to do any exploiting or anything like that, Kali has the record button, the video button, because I've even said, hey, all this stuff was vulnerable, I give them the report and they're like, this is not

vulnerable, this is all fake. So then at the end I'm like, scroll down to the bottom, there's an appendix that has a screenshot, and in the bottom right there is a date and time, so you must have changed it. And I'm not trying to get on to you IT guys, but just let me do my job. No one's in trouble here, we're on your side. We're probably going to be better in your court if you let us do our job, because then you'll have more money for your budget, plus you can show your boss you're doing work, because we found the vulnerability and you fixed it. I think that's a big, huge gap between the

security and the IT world that we need to come together to understand we're on the same team, right? And see, that's a great point. I did pen testing for 13 years, and one of the things that we did that I strongly encourage is that while the report will carry some evidence to show what you found and what you were able to do, make sure that you keep extensive logs: logs of your shell sessions, logs of your web proxy, log everything. Keep it for 10 years or more, just in case someone comes back on you and has a question, so that you can present the full evidence if needed. Yeah, absolutely, because you never know, because, you know,

also those companies you're working for sometimes get traded, and they want to know the security posture of that business, and if the contract's in it, if they have a huge MSA that you didn't read, you may have to produce that during a merge or a sale of that business, so be very mindful of the contracts you sign. Yep, and keep your statement of work. If you get a get-out-of-jail-free card for doing physical testing, not only keep a copy on you, keep a copy in your car, a copy at home, a copy in a safe deposit box. Basically you just want to make sure

that you are fully protected when you're doing this work. Well said. Yeah, well said, absolutely. Okay, with that, we're going to kick you out of here, we're going to put you back in the Discord, so if there's more Q&A or anyone wants to have a discussion, feel free. There's already two people in the voice channel, so if you want to hop over and maybe kind of poke at them and see what they're talking about, they're probably cracking jokes about how old telecom is, but we'll see. Thank you so much for your time, Don, we really enjoyed your presentation, and we look forward to seeing you next year, maybe. Yeah,

absolutely. See you guys, bye.