How We Hacked Your Billion Dollar Company For Forty-Two Bucks

BSides London, 29:25, published 2022-01 (176 views)
Transcript [en]

So the talk is basically about stuff we found when doing perimeter testing. We're not going to be talking about Cobalt Strike or anything like that, just surprising things we found on the perimeter and how we leveraged several different issues to get a foothold. I hope that's what you came for. Now, I said a billion dollar company, but I googled it and it's definitely true if you look at market cap; I think it's true about earnings as well. So, kind of surprisingly, these people are not better set up, really.

The basic outline of the talk: I'll introduce myself, I'll give a bit of background to the problem, and then we'll look at four cases where the client thought everything was fine on the perimeter and, basically, how we got in in those cases. And I'll say we will not be mentioning Cobalt Strike. It's a great tool, but other people do it better than me. So, I was indeed in the blue team, I was also a dev for my sins, and I've been a penetration tester since 2010 or so. I passed CCSAS, which is the CREST red team exam, but I didn't really get to do any red teaming until 2018 or so, so I'm a relative newcomer to it. A bit of a rant first:

it's very hard to get onto a red team, in my experience. No one will give you a red team job until you've done a red team job, which is a problem. But equally, new people bring in new ideas, and it's very much a balance of that. When you're running your own team you don't need everyone to be perfect; as long as someone's stopping you from knocking things over, I think there's room for quite a few different people on a red team. So there we go.

The threat model is: the attacker is trying all the attacks against your stuff, and for the red team side you just need to try all the possible ways to get in and stop when one works. Now, if we want to subvert the system we do need a reasonable understanding of how it's working, so doing a few longer jobs gives you the ability to get in and understand how the system currently works before you can make it do things that it shouldn't do.

A bit more specifically, the perimeter that everyone has is very permeable. You've got email going in and out, for classic phishing; you've got web traffic going out from the corporate network to the internet; you've got web traffic going in from the internet to the DMZ, or whatever you call the place you

keep your web servers. Then you've got VPNs, you've got helpdesk (especially password reset), you've got cloud authentication, you've got Citrix, you've got file exchange, you've got dev boxes, and in some cases you've got forgotten assets entirely. So can we look at the perimeter, can we find ways to get in by chaining some of those issues together? It turned out we could, for the five cases we looked at.

I'm too lazy to do physical, and that's not even a joke. 0-days are too hard; there are people who will do 0-days and they're better than me. Things like dropping USB sticks in the car park are quite risky and not even very effective. So if you want to work from home, you can look at in-house web apps, you can look at misconfigured assets, you can look at forgotten assets, you can look at unforeseen interactions between components. Because obviously, having been a sysadmin, I know everything is basically propped up until it works and then you forget about it and go and fix the thing that's not working next, so no one's probably had a good cohesive look at everything to make sure it's all okay.

The other thing I want to mention is that issues you find on premises are very rarely independent of each other. Like if you're climbing a rock climbing wall, you might have a great hold, but if

you can't get there, there's no use; equally, a bad hold that you can get to is a great help. So when someone rates an issue in isolation, which obviously CVSS 2 encourages you to do, it's not necessarily a wonderful picture of how risky it is for your particular organization.

Just to follow through on the title: we spent about eight bucks a month on a VPS as needed, one time we got a domain name for 10 bucks, an AWS account for FireProx (which is an outbound proxy to evade rate limiting) was a couple of bucks a month while we were using it, and a scripting language, Google, patience, all free. Caffeine, actually you can see my coffee spend dwarfs everything else; that's two weeks of coffee.

Before we get into the examples: user enumeration is where you have some function on your perimeter which will reveal to an attacker whether a user exists or not. It can be a time delay, it can be an explicit message. Password reset is a common one: it literally says "this user doesn't exist" or, built into it, "we sent you a password reset email". You can also have timing differences; we'll see later with OWA, for some reason, valid users come back quicker than invalid users. And then the office.com login, the MS Online login, literally just says no, that user doesn't

exist, which is obviously really helpful when you're trying to build up a list of users. So we just need some observable difference between the two cases.

And then password spraying: the only distinction between that and normal password guessing is, firstly, we need a lot of user IDs to make it work properly, and then we take one password and try it against all the users. If you've got a thousand users it'll probably take a couple of hours to run through, and by that time the naive (and I'm not being rude) normal AD lockout counter will have reset itself, so you can then think of a new password; Winter2021 is probably a good guess to start with. If you're trying against MS Online you might need to use FireProx, which you can google; it just rotates source IP addresses so essentially they don't necessarily notice. Good guesses are things like month-year, season-year, Welcome23; we got two people with Trump2020, obviously coming up to the election. That's fine, thank you very much, but

Right, so first example, relatively straightforward. They had on-premise Exchange with about 10,000 users. Initially we used FOCA, which is a fantastic tool to just google a domain, pull down documents and find the metadata in them, and you've got a few things that look like user IDs, things like id012567. That's great, and then obviously we think, yeah, let's try some in that range, that's probably sequential, so use a script to create a bunch of people in that sort of range. And then we used SprayingToolkit and MailSniper to actually do the spraying.

So that's the user enumeration from the MailSniper tools, which basically you give an OWA server, a domain and a list of user guesses and it will go and try them. You can see the first one is a baseline, it's just made something up, and that comes back at 3.7 seconds; and then a user which actually exists is a much quicker response at just under a second. In that way you can work through your list of guessed users, because even if they were allocated sequentially some people will have left, they'll be closed or locked or whatever. So you can use that to get a list of users who actually exist on the system and log in. So it's not difficult by

any means. We didn't need to be patient; we started using MailSniper to enumerate on the 16th of the month and got nearly a thousand valid users from that, which is the kind of number you want before you can really do this attack effectively. So we used that list for password spraying, and then if we did more password spraying we'd get a yes, a no, or a doesn't exist, and would augment or prune the lists depending on what happened. And then on the 22nd of the month, so quite a long time, we got two passwords. OWA didn't have two-factor authentication, so we now have a mailbox, and because we've got a mailbox within the organization: the mail filtering coming in is a lot stricter than between internal mailboxes. So then you can do your thing with CS, or you can write your custom implant, drop it in a mail reply to something and say "oh, I can't open this, can you?", and that's much easier from that point. And we did get code execution in that way.

So another example, which is a bit different. Again we started off with [ __ ], this time usernames, things like jsmith, so we just took a standard list of common surnames and common first names and

again, simple bash to construct likely candidates. Obviously it's not going to get everyone, but it's going to get enough people, probably. But in this case the login involved was a standard MSOL login which would then redirect you to an on-premise ADFS server, which MSOLSpray doesn't cope with, nor does the Python version. So it was reduced to confirming whether a user existed or not, but it wouldn't tell us if the password was correct because it didn't cope with the handoff. So how could we fix that? Well, you can see here MSOLSpray.py, the Python port of MSOLSpray; I just don't like PowerShell, so I use this one. I'm not sure there's any real difference. As you can see we get a "doesn't exist", we get a "could exist", and that's the limit of this in this scenario.

So there's a thing called Selenium, I don't know if anyone's used it. It's more of a testing tool in a way, because it allows you to drive the browser through the whole process of interacting with the website, so it's typically used by people who need to do QA on web apps, but it's very handy. In this case we had two choices: we could have read the docs on MSOL and implemented the handoff

or we could just literally use Selenium and walk the browser through the whole login process, so obviously the far end has no way of telling whether it's a real person or not at that point. That's a random snippet of code where you can look up an element by ID, then write your password guess into it, wait for it, check for an error message, and if you don't get an error message that password might work.

So this is a very brief demo with one failure, one non-existent user and one wrong password; hopefully that will play. You can see Selenium and Python have booted office.com, click on sign in, type in the email address very quickly, which you'll see in... yeah, there you go, bang. Now that user doesn't exist, and if we've looked at that web page we can see "unknown user imaginary jeff". And then again, restart the browser, put in the user that does exist, which is me in this case, so "let's try and sign you in", and then in the code you need to handle this extra path of the password. So you put in your password guess, and "because my password is not February2021". So essentially, instead of interacting with the MSOL API you can simulate that, and obviously in that same manner you can simulate any possible web login that exists. Sorry.

So, going back over it again: we ran our scans, got some example UIDs, generalized that list, sprayed a couple of thousand usernames, as it turned out only getting existence checks; then, using that Selenium process, we got about 10 passwords out of a couple of thousand, and again it was month-year, season-year, things like that. Now the business had enabled two-factor authentication for everything, but it was registered at first login, and because of what the business did a load of people had never logged in. So in this case we could simply register our own two-factor tokens for those accounts and start using them.

So again it seems obvious in hindsight, but obviously somebody's gone "yeah, two-factor's enforced, so it's fine, isn't it?". In terms of user enumeration we tend to see either first name, last name, things like that, or an ID, and those are relatively easy to generalize to more people. Occasionally people have a couple of initials and then a three digit number, and that makes the search space quite big and potentially intractable, so that might cause problems.

So this is the only bit where phishing appears, because essentially on our perimeter checking we'd already guessed two creds but they didn't really have

enough privileges for our purposes, like I think no [unclear] access, but there was an open URL redirect in the holiday booking app, and obviously people care about being paid and they care about holiday. So what we did was we hosted a cloned page. Obviously everyone knows how to do a phishing page, but we were upfront: our clone page had "no, that was wrong, please try again" on it, because we knew it was going to get bounced to. So essentially the phishing email had a legitimate link in it, and the SSL cert would have looked fine and everything like that, so really quite difficult.

And then we sent out a mail to a bunch of people that said things like "we had a system crash, some of the holiday bookings recently have been lost, please could you check", and of course everyone wants to check that. So the users would get "external" in the subject line, but the link was very obviously to their own site. So the real site, when you entered your username and password, would create a valid session, but because of the open URL redirect bug it would then redirect to our phishing page, which had "no, that didn't work, please try again", at which point we would log the creds

they retyped, and then we'd redirect and they got back into a valid session, so no one even really noticed they'd been phished.

So I'll just go through it, because I don't want to use the actual client, with the ASUS router, which was fixed a long time ago. But it's very much the same bug: there's an open URL redirect on the page parameter there. So you could phish someone by going "please update the firmware on your ASUS router, visit this page", which I'll say is fine, and an ASUS will resolve that domain name to itself on the way out if you're behind it. So the initial page would look like that, absolutely normal. You'd enter your creds; if they're correct, which they probably will be, it will redirect you to the phishing page, which already says "no, that didn't work", because we want people to type it in again. So this is our fake phishing page at router-asus.com; we log the creds people type in, then we dump them back into their existing session, and unless you notice that your password autocomplete doesn't work there's no real way of knowing.

So although they used a domain squatting service and blocked our area on the corporate proxy, it was the middle of COVID and it was kind

of chaos, everyone's working from home and there was a major holiday coming up. So that got us about 12 sets of creds, including some with remote access, which is what we would ask for. And IT didn't get made aware that there was a phishing attempt, because the people who got phished didn't notice, and they blocked everyone who's actually on site.

So, last example. Again it was a hybrid AD in MSOL in the cloud; we had numeric IDs so we could guess a good range, and this time everything was two-factor except for ActiveSync, which is what I considered a legacy protocol until I found it in use. But you can use Windows 10 Mail to send email, effectively, if you can give the right creds, without needing to give two-factor, and then you can synchronize your mailbox, which means you can send and receive mail. The tool used to tell us this was called MFASweep, which is really good. If you have valid creds for MSOL, like the office.com authentication, MFASweep will try, I think, about seven different services to see whether two-factor is in use across everything; if it finds anything it's not, it will suggest tools. So in this case it said "use Windows 10 Mail", and it's like, oh

brilliant. And if you're wrong it'll lock the account out, because it tries seven different things, so you do need to be a little bit careful. Equally, if you're trying any web logins you need to be aware that a common way of doing MFA is to text people, and obviously that might alert someone, especially if you text them in the middle of the night their time.

So somewhere in the config you can go and set up an Exchange ActiveSync account, and then you should just synchronize mail. And as I said before, for filtering from outside, typically people remove EXEs and remove anything that's got macros in it, even zip files on occasion, whereas if you're sending from one internal user to another, you've got the context of what conversations they've been having, which is great, and you'll be able to send a bunch more file types. So you just say "oh, I can't open this, can you open this?" and see what happens.

So this is the kind of aphorism you hear quite a lot, but generating your path through the graph is quite a hard thing; you need to try many things, breadth-first search essentially: try some things, follow the promising leads, but also a load will be dead ends and you won't go anywhere and you need to come

back and think again. So yeah, we were surprised that it was, not easy, but it should have been harder to get that foothold inside for those four companies, essentially.

So I guess in conclusion, and I've kind of colour coded this slightly: minor issues are not always minor, especially in combination, and a lot of things on the perimeter will give you user enumeration of one sort or another. If you want password spraying to work you really need to have a lot of users for it, so where we've been scoped down to "you can try these 200 people", I'm probably not going to get it, but if they're a bit more generous with the scope and say "do what you can", then it's certainly an option. And indeed bigger companies can be easy to get into in this manner, because we had 10,000 users to have a go at, whereas if you've got 100 users and they all sit in the same room as the IT guys that's a very different problem.

From the blue team side, it's essentially the combination of us being able to identify users and just have a go at getting passwords without anyone intervening, so obviously you need to be aware if people are trying this attack,

and just because you've outsourced some of your authentication to Microsoft doesn't mean that Microsoft are going to be looking at this for you, unless you pay them to do so. So you can mitigate it at various points: obviously you can get rid of weak passwords like Summer2020, but also you should be aware if people are trying this, and I'd recommend testing your own stuff to make sure. Essentially, to answer some of these questions you don't need to engage your pen test company; you can just try it and see what happens, like do you notice accounts being locked out en masse? And so that is it, essentially.

Are there any questions? Nick.

[Question inaudible]

I don't know. I mean, I think of it as a legacy protocol; it seems it's actually current. But it used to be that if you had an old device, like with some of the older phones, they would talk ActiveSync, and therefore that would be a reason why you wouldn't necessarily have two-factor on it. But I'm not aware of anything; none of my stuff speaks ActiveSync, so... Sorry? Oh yeah, so in our workflow...

[Question partly inaudible] ...have you...

So I haven't personally, but it's a very flexible tool. Obviously you need to put in the dev work, and therefore if there's an off-the-shelf tool that does the job then I will use that because it saves everyone time, whereas we had to develop this because I couldn't find anything that would do the job. But apart from that I don't have a great deal of experience of Selenium because I don't test web applications. It's a very useful tool and it can be very handy when you need it, I guess.

[Question inaudible]

I think in some cases, because they had a password policy, you know Windows has a password policy, and if everyone's got a strong password, and especially if you've ticked the "everyone must use two-factor" box, maybe you would think that everything was okay. But I'm kind of suspicious, and I always like to look at at least authentication failures, if you've got a lot on whatever system, because especially with acquisitions people tend to accumulate more companies and kind of merge them in, but not entirely, so it's not like you have one central source of authentication either; various other things may give you a yes or no or a password. So actually tracking everything through your whole organization is quite a hard problem, but I suggest at least your normal AD and whatever you've got in the cloud should be monitored quite carefully, even just so you can sleep better at night.

[Question, partly inaudible] What timeouts and what process did you use for Azure AD? You can't really be attacking from one box.

Yeah, we used FireProx. There's an Amazon service, which I think is outbound APIs, but essentially what it gives you is an outgoing proxy rotating around different IP addresses. I think we didn't have to use it in one of those cases, but in another we did, and that seemed to get us around the rate limiting on Azure AD. Okay. Oh sorry, this one's back.

Sorry, Tim, can you take your mask off?

[Question inaudible]

So there's a lot of decent log analysis stuff these days. I'm used to collecting everything in a big syslog and grepping it myself, because we didn't have that tooling when I was doing it, so I'm sure there are, and I'm sure Splunk would do it, but equally Splunk is expensive, and there may be intermediate options. But I'm sure there are many things you can put a query in later for authentication failures, and equally the same user should not be rotating around IP addresses and things like that, but that might have to be a custom query, and obviously your inbound reverse proxy might be destroying that sort of information, and all these things. So yeah, that's definitely a thing, if you can capture that kind of stuff, but it's not the same at every organization.

Right, well, I guess we'll wrap up there; I have no idea if we've run to time or not.
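The third case in the talk turned on an open URL redirect: after a successful login the booking app (and, in the demo, the ASUS router's page parameter) forwarded the browser to whatever URL the request supplied. The following is an added example written for this page, not code from the talk, the client or any vendor, showing the defective handling next to a hardened version. The host name booking.example.com, the default landing path and the allowed_hosts parameter are assumptions for the example; the function keeps every redirect on the application's own site.

```python
"""Post-login redirect handling: the open-redirect bug beside a safe version.

Added example; not the talk's or any vendor's code. The vulnerable form
uses the incoming parameter as the destination. The safe form only ever
returns a same-site path, so a valid session can never be bounced to a
look-alike domain.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LANDING = "/home"  # assumed landing page for this example


def unsafe_redirect_target(candidate: Optional[str]) -> str:
    """The defect the talk describes: whatever arrived in the redirect
    parameter becomes the destination after authentication succeeds."""
    return candidate or DEFAULT_LANDING


def safe_redirect_target(candidate: Optional[str],
                         allowed_hosts=("booking.example.com",)) -> str:
    """Return a local path to send the user to, or the default landing page.

    Rejects absolute URLs to other hosts, protocol-relative URLs (//host),
    backslash variants (/\\host) that browsers treat as slashes, non-http
    schemes such as javascript:, credentials in the authority (ours@evil),
    and any path that does not start with exactly one slash.
    allowed_hosts is assumed configuration, not a real setting.
    """
    if not candidate:
        return DEFAULT_LANDING
    # Browsers normalise backslashes to slashes, so do the same before parsing;
    # otherwise "/\evil.example" would look like a plain local path.
    cleaned = candidate.strip().replace("\\", "/")
    parts = urlsplit(cleaned)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_LANDING
    if parts.netloc:
        # Absolute or protocol-relative: allow only our own host, and even
        # then reduce it to a relative path so the response stays on-site.
        if (parts.hostname not in allowed_hosts
                or parts.username or parts.password):
            return DEFAULT_LANDING
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_LANDING
    # Re-assemble with no scheme or authority; query is kept, fragment dropped.
    return urlunsplit(("", "", path, parts.query, ""))


def check_candidates(candidates):
    """Compare both handlers over a list of redirect values.
    Returns {candidate: (unsafe_result, safe_result)}."""
    return {c: (unsafe_redirect_target(c), safe_redirect_target(c))
            for c in candidates}


if __name__ == "__main__":
    # Constructed inputs; router-asus.com is the look-alike name from the talk.
    for cand, (bad, good) in check_candidates([
        "/Bookings?year=2021",
        "https://booking.example.com/Bookings/mine",
        "https://router-asus.com/login",
        "//evil.example/login",
        "/\\evil.example/login",
        "javascript:alert(1)",
        "https://booking.example.com@evil.example/",
    ]).items():
        print(f"{cand!r:48} unsafe -> {bad!r:42} safe -> {good!r}")
```

The safe version deliberately returns a relative path even when the supplied URL names the application's own host: if the host check were ever loosened or misconfigured, the worst outcome is still a local redirect rather than a cross-site one.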
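The speaker's closing advice, and the last Q&A answer, is to watch authentication failures: many accounts failing from one place, the same account arriving from many source IPs (which is what a FireProx-style rotating proxy produces), and bursts of "user does not exist" responses that indicate enumeration. The following is an added example for this page, not the talk's or any vendor's tooling: a small detector run over constructed sign-in log lines. The log format (timestamp, account, source IP, result), the thresholds and the two-hour window are assumptions chosen for the example; a real deployment would tune them against its own baseline.

```python
"""Password-spray and user-enumeration detection over sign-in logs.

Added example; not the talk's code. Flags the patterns the speaker
describes: one source failing against many accounts with few attempts
each, one account rotating across many source IPs, many unknown-user
responses from one source, and a spray spread across rotating proxies
that per-IP thresholds would miss.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Assumed format per line:
# <ISO timestamp> <account> <source IP> <SUCCESS|FAILURE|UNKNOWN_USER>
SAMPLE_LOG = """\
2021-02-16T09:00:01 id012567 203.0.113.10 FAILURE
2021-02-16T09:00:09 id012568 203.0.113.10 FAILURE
2021-02-16T09:00:17 id012569 203.0.113.10 FAILURE
2021-02-16T09:00:25 id012570 203.0.113.10 FAILURE
2021-02-16T09:00:33 id012571 203.0.113.10 SUCCESS
2021-02-16T09:00:41 id012572 203.0.113.10 FAILURE
2021-02-16T09:00:49 id012573 203.0.113.10 FAILURE
2021-02-16T10:15:00 jsmith 198.51.100.1 FAILURE
2021-02-16T10:15:30 jsmith 198.51.100.2 FAILURE
2021-02-16T10:16:00 jsmith 198.51.100.3 FAILURE
2021-02-16T10:16:30 jsmith 198.51.100.4 FAILURE
2021-02-16T11:00:00 aaa001 192.0.2.77 UNKNOWN_USER
2021-02-16T11:00:05 aaa002 192.0.2.77 UNKNOWN_USER
2021-02-16T11:00:10 aaa003 192.0.2.77 UNKNOWN_USER
2021-02-16T11:00:15 aaa004 192.0.2.77 UNKNOWN_USER
2021-02-16T11:00:20 aaa005 192.0.2.77 UNKNOWN_USER
2021-02-16T11:00:25 aaa006 192.0.2.77 UNKNOWN_USER
2021-02-16T12:30:00 alice 10.0.0.5 FAILURE
2021-02-16T12:30:20 alice 10.0.0.5 FAILURE
2021-02-16T12:30:40 alice 10.0.0.5 SUCCESS
"""

WINDOW = timedelta(hours=2)  # assumed analysis window


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    source: str
    result: str


def parse_log(text):
    """Parse the assumed four-field format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, source, result = line.split()
            events.append(Event(datetime.fromisoformat(ts), user, source, result))
    return sorted(events, key=lambda e: e.when)


def _windows(events, key, window):
    """Group events by key, then yield every window-sized span that starts
    at one of that group's events (a simple sliding window)."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    for k, evs in groups.items():
        for i, start in enumerate(evs):
            yield k, [e for e in evs[i:] if e.when - start.when <= window]


def detect_spray(events, window=WINDOW, min_users=5, max_per_user=2):
    """Source IP failing against many accounts, few attempts each (a spray,
    as opposed to brute force on one account). Returns {source: [users]}."""
    hits = {}
    for source, span in _windows(events, lambda e: e.source, window):
        per_user = defaultdict(int)
        for e in span:
            if e.result == "FAILURE":
                per_user[e.user] += 1
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and len(per_user) > len(hits.get(source, ()))):
            hits[source] = sorted(per_user)
    return hits


def detect_ip_rotation(events, window=WINDOW, min_ips=3):
    """One account whose attempts arrive from many IPs. Returns {user: [ips]}."""
    hits = {}
    for user, span in _windows(events, lambda e: e.user, window):
        sources = {e.source for e in span}
        if len(sources) >= min_ips and len(sources) > len(hits.get(user, ())):
            hits[user] = sorted(sources)
    return hits


def detect_enumeration(events, window=WINDOW, min_unknown=5):
    """Many 'user does not exist' responses from one source. Returns {source: n}."""
    hits = {}
    for source, span in _windows(events, lambda e: e.source, window):
        unknown = sum(1 for e in span if e.result == "UNKNOWN_USER")
        if unknown >= min_unknown and unknown > hits.get(source, 0):
            hits[source] = unknown
    return hits


def detect_distributed_spray(events, window=WINDOW, min_users=5):
    """Distinct accounts failing in one window, ignoring source IP entirely:
    this is the view that survives proxy rotation. Returns the largest set."""
    best = []
    for _, span in _windows(events, lambda e: "all", window):
        users = {e.user for e in span if e.result == "FAILURE"}
        if len(users) >= min_users and len(users) > len(best):
            best = sorted(users)
    return best


def analyse(text):
    events = parse_log(text)
    return {"spray": detect_spray(events), "rotation": detect_ip_rotation(events),
            "enumeration": detect_enumeration(events),
            "distributed": detect_distributed_spray(events)}


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

The fourth detector is the one worth keeping even when the first three are quiet: a spray routed through rotating source addresses shows up as nothing remarkable per IP, but the count of distinct accounts failing per window still climbs well above a normal day's baseline. The speaker's point that a reverse proxy may overwrite the client address applies here too; the per-IP rules are only as good as the source field the logs actually carry.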