1
00:00:01,150 --> 00:00:05,840
[Music]

2
00:00:06,080 --> 00:00:07,600
what's up everybody

3
00:00:07,600 --> 00:00:09,200
today we're gonna be talking about pen

4
00:00:09,200 --> 00:00:11,679
test story time my favorite hacks from

5
00:00:11,679 --> 00:00:12,240
the past

6
00:00:12,240 --> 00:00:14,960
year my name is heath adams aka the

7
00:00:14,960 --> 00:00:17,840
cyber mentor and i am a husband hacker

8
00:00:17,840 --> 00:00:20,480
military veteran and day to day i am the

9
00:00:20,480 --> 00:00:23,039
ceo and founder of tcm security

10
00:00:23,039 --> 00:00:24,480
which is an ethical hacking and

11
00:00:24,480 --> 00:00:26,640
penetration testing company

12
00:00:26,640 --> 00:00:28,640
on social media as you can see i am

13
00:00:28,640 --> 00:00:30,880
known as a cyber mentor across the board

14
00:00:30,880 --> 00:00:32,880
i do twitch streaming i have a youtube

15
00:00:32,880 --> 00:00:34,399
channel i'm on twitter

16
00:00:34,399 --> 00:00:37,440
and i'm a udemy instructor with over 150

17
00:00:37,440 --> 00:00:40,879
000 students so quickly why this talk

18
00:00:40,879 --> 00:00:43,440
well this talk is going to be about my

19
00:00:43,440 --> 00:00:44,320
favorite hacks

20
00:00:44,320 --> 00:00:46,079
and mostly it's going to be about

21
00:00:46,079 --> 00:00:47,600
internal penetration testing because

22
00:00:47,600 --> 00:00:49,360
that's my favorite thing to do

23
00:00:49,360 --> 00:00:50,320
although we're going to talk a little

24
00:00:50,320 --> 00:00:52,160
bit about external pen testing and

25
00:00:52,160 --> 00:00:53,680
really what i want to do is i want to

26
00:00:53,680 --> 00:00:55,280
talk at a high level this is going to be

27
00:00:55,280 --> 00:00:55,920
for

28
00:00:55,920 --> 00:00:58,320
people interested in the red team side

29
00:00:58,320 --> 00:01:00,160
the blue team side

30
00:01:00,160 --> 00:01:01,600
and for those who just want to hear

31
00:01:01,600 --> 00:01:02,960
stories so i'm going to try to keep it

32
00:01:02,960 --> 00:01:04,239
very high level so that you can

33
00:01:04,239 --> 00:01:05,199
understand

34
00:01:05,199 --> 00:01:07,040
and i'll provide resources if you want

35
00:01:07,040 --> 00:01:09,280
to get deeper into the weeds on this

36
00:01:09,280 --> 00:01:10,799
but these are going to be my stories

37
00:01:10,799 --> 00:01:12,799
from the past year or so

38
00:01:12,799 --> 00:01:14,640
and we're just going to kind of cover

39
00:01:14,640 --> 00:01:16,240
what i thought has been

40
00:01:16,240 --> 00:01:18,960
really eye-opening or educational that i

41
00:01:18,960 --> 00:01:20,560
can pass on to you

42
00:01:20,560 --> 00:01:22,240
so the first story i've actually told

43
00:01:22,240 --> 00:01:23,759
before but this is one of my favorite

44
00:01:23,759 --> 00:01:25,680
stories and it's kind of outside the

45
00:01:25,680 --> 00:01:26,080
last

46
00:01:26,080 --> 00:01:28,240
year but it's within the last two years

47
00:01:28,240 --> 00:01:30,240
and i think it's very interesting

48
00:01:30,240 --> 00:01:31,840
so i was doing a pen test against a

49
00:01:31,840 --> 00:01:33,840
company and we were doing external

50
00:01:33,840 --> 00:01:36,400
and internal so the goal of the external

51
00:01:36,400 --> 00:01:38,640
pen test is to try to break inside the

52
00:01:38,640 --> 00:01:39,360
network

53
00:01:39,360 --> 00:01:40,880
once you're inside the network that is

54
00:01:40,880 --> 00:01:43,119
called the internal pen test

55
00:01:43,119 --> 00:01:44,960
so here's a little bit about the story

56
00:01:44,960 --> 00:01:46,320
but before we start

57
00:01:46,320 --> 00:01:48,399
let's talk a little bit about how we got

58
00:01:48,399 --> 00:01:49,840
in

59
00:01:49,840 --> 00:01:51,840
so in order to talk about how we got in

60
00:01:51,840 --> 00:01:53,280
we have to talk about something called

61
00:01:53,280 --> 00:01:54,479
credential stuffing

62
00:01:54,479 --> 00:01:56,479
now credential stuffing takes breached

63
00:01:56,479 --> 00:01:58,240
account data and you can think about all

64
00:01:58,240 --> 00:01:59,680
the breaches that are out there you hear

65
00:01:59,680 --> 00:02:01,280
about them all the time

66
00:02:01,280 --> 00:02:03,840
and we take these user credentials so you

67
00:02:03,840 --> 00:02:04,960
can see here we have

68
00:02:04,960 --> 00:02:07,920
joe abc123 and this might show up in a

69
00:02:07,920 --> 00:02:08,800
breach

70
00:02:08,800 --> 00:02:10,318
so we'll take these credentials and

71
00:02:10,318 --> 00:02:12,560
we'll try to pass them along to

72
00:02:12,560 --> 00:02:14,879
web servers or anything that the company

73
00:02:14,879 --> 00:02:15,680
owns

74
00:02:15,680 --> 00:02:19,120
via a website or login page etc

75
00:02:19,120 --> 00:02:21,280
so with that out of the way we can

76
00:02:21,280 --> 00:02:23,120
utilize tools

77
00:02:23,120 --> 00:02:24,959
such as a tool that i wrote actually

78
00:02:24,959 --> 00:02:26,319
called breach-parse

79
00:02:26,319 --> 00:02:29,200
that utilizes these breach credential

80
00:02:29,200 --> 00:02:30,000
lists

81
00:02:30,000 --> 00:02:32,720
so for example here i'm using tesla.com

82
00:02:32,720 --> 00:02:34,400
but that's just a pure example

83
00:02:34,400 --> 00:02:36,800
just to show that you these accounts

84
00:02:36,800 --> 00:02:38,160
come up in breaches

85
00:02:38,160 --> 00:02:40,319
and what we're looking for are obviously

86
00:02:40,319 --> 00:02:42,480
the usernames and passwords for these

87
00:02:42,480 --> 00:02:45,120
but also any sort of patterns so are we

88
00:02:45,120 --> 00:02:47,040
seeing first initial last name

89
00:02:47,040 --> 00:02:49,760
are we seeing just first name last name

90
00:02:49,760 --> 00:02:51,360
how are they showing up on the email

91
00:02:51,360 --> 00:02:52,319
patterns

92
00:02:52,319 --> 00:02:54,640
and do we see any password patterns or

93
00:02:54,640 --> 00:02:56,000
repeat offenders

94
00:02:56,000 --> 00:02:58,879
such as shark tesla.com you can see the

95
00:02:58,879 --> 00:03:00,480
same password is used twice

96
00:03:00,480 --> 00:03:02,480
just a little bit different so if i know

97
00:03:02,480 --> 00:03:04,000
that maybe i'm going to try to

98
00:03:04,000 --> 00:03:06,480
use this password in some format that

99
00:03:06,480 --> 00:03:07,680
includes 907

100
00:03:07,680 --> 00:03:10,800
814 and then some variation of dade here

101
00:03:10,800 --> 00:03:11,760
in the middle

102
00:03:11,760 --> 00:03:14,159
or anything else where people have been

103
00:03:14,159 --> 00:03:16,000
breached on multiple occasions that can

104
00:03:16,000 --> 00:03:16,480
give us

105
00:03:16,480 --> 00:03:18,800
any sort of indication as to how we're

106
00:03:18,800 --> 00:03:19,840
going to utilize that

107
00:03:19,840 --> 00:03:21,360
so that's one part of this attack so

108
00:03:21,360 --> 00:03:23,280
let's go back to the story now

109
00:03:23,280 --> 00:03:24,640
so you just saw the tool that we used

110
00:03:24,640 --> 00:03:26,640
called breach-parse and all i did with

111
00:03:26,640 --> 00:03:27,519
breach-parse was

112
00:03:27,519 --> 00:03:29,840
do some credential gathering i took the

113
00:03:29,840 --> 00:03:31,599
credentials uncovered with breach-parse

114
00:03:31,599 --> 00:03:33,120
for this company

115
00:03:33,120 --> 00:03:35,760
and all i did was pass them around and i

116
00:03:35,760 --> 00:03:38,159
passed them around to a login form

117
00:03:38,159 --> 00:03:39,920
which i found to be lotus notes which

118
00:03:39,920 --> 00:03:41,760
lotus notes is very old

119
00:03:41,760 --> 00:03:43,680
okay so i found lotus notes running

120
00:03:43,680 --> 00:03:45,599
externally passed it around

121
00:03:45,599 --> 00:03:48,159
and i did credential stuffing i took the

122
00:03:48,159 --> 00:03:49,120
username

123
00:03:49,120 --> 00:03:51,440
password threw it at the login form and

124
00:03:51,440 --> 00:03:52,400
wouldn't you know it

125
00:03:52,400 --> 00:03:54,959
i had a successful login now these

126
00:03:54,959 --> 00:03:56,879
credentials did not log me into the

127
00:03:56,879 --> 00:03:58,879
network this seemed to be some sort of

128
00:03:58,879 --> 00:04:01,360
old credentials that were out there but

129
00:04:01,360 --> 00:04:03,760
what lotus notes had on top of it was

130
00:04:03,760 --> 00:04:06,400
authenticated password dumping so as

131
00:04:06,400 --> 00:04:08,480
long as we had some sort of valid user

132
00:04:08,480 --> 00:04:10,159
we could dump all the credentials

133
00:04:10,159 --> 00:04:13,360
that were in the accounts there so

134
00:04:13,360 --> 00:04:15,599
now with that password dump what i'm

135
00:04:15,599 --> 00:04:17,358
able to do is i'm able to take the

136
00:04:17,358 --> 00:04:18,880
credentials

137
00:04:18,880 --> 00:04:21,199
and the users that we just discovered

138
00:04:21,199 --> 00:04:21,918
and put them

139
00:04:21,918 --> 00:04:23,840
into an even bigger list so i had the

140
00:04:23,840 --> 00:04:25,440
breach-parse list but now i've got this

141
00:04:25,440 --> 00:04:27,440
huge gigantic list

142
00:04:27,440 --> 00:04:29,520
well i want to pass that new list around

143
00:04:29,520 --> 00:04:31,040
too right so i'm going to go ahead and

144
00:04:31,040 --> 00:04:32,240
say hey

145
00:04:32,240 --> 00:04:34,560
can i log in somewhere one place of

146
00:04:34,560 --> 00:04:35,600
interest is always

147
00:04:35,600 --> 00:04:37,919
outlook so any sort of outlook they were

148
00:04:37,919 --> 00:04:39,600
running their own outlook instance but

149
00:04:39,600 --> 00:04:42,000
office 365 any sort of email

150
00:04:42,000 --> 00:04:43,360
it's always good because usually it

151
00:04:43,360 --> 00:04:45,199
syncs with active directory so if you

152
00:04:45,199 --> 00:04:46,560
have a valid login on

153
00:04:46,560 --> 00:04:48,080
outlook you're likely going to have a

154
00:04:48,080 --> 00:04:50,160
valid login on a vpn

155
00:04:50,160 --> 00:04:52,160
so we like to target things that would

156
00:04:52,160 --> 00:04:54,000
sync with active directory

157
00:04:54,000 --> 00:04:56,000
now nothing ended up working out of this

158
00:04:56,000 --> 00:04:57,440
list but what did we get

159
00:04:57,440 --> 00:04:59,840
from using breach-parse and using

160
00:04:59,840 --> 00:05:01,280
credential stuffing and dumping all

161
00:05:01,280 --> 00:05:02,720
these user accounts

162
00:05:02,720 --> 00:05:05,280
we got user accounts we got we can go

163
00:05:05,280 --> 00:05:06,800
out to linkedin we can go out to the web

164
00:05:06,800 --> 00:05:07,680
we can scrape

165
00:05:07,680 --> 00:05:09,199
and gather as much information as

166
00:05:09,199 --> 00:05:11,360
possible but we're not going to gather

167
00:05:11,360 --> 00:05:12,320
everything

168
00:05:12,320 --> 00:05:14,320
and by the time that it was all said and

169
00:05:14,320 --> 00:05:15,759
done using breach-parse and

170
00:05:15,759 --> 00:05:18,400
using the lotus notes exploit i ended up

171
00:05:18,400 --> 00:05:20,400
gathering about a thousand usernames

172
00:05:20,400 --> 00:05:21,680
just for this company

173
00:05:21,680 --> 00:05:24,160
so i got a thousand usernames and then i

174
00:05:24,160 --> 00:05:26,000
think okay well if the passwords don't

175
00:05:26,000 --> 00:05:27,039
work that are

176
00:05:27,039 --> 00:05:29,440
from historical breach data well maybe i

177
00:05:29,440 --> 00:05:31,360
can try something like a weak password

178
00:05:31,360 --> 00:05:32,639
something that might be

179
00:05:32,639 --> 00:05:36,080
reusable something like summer 2019

180
00:05:36,080 --> 00:05:38,800
exclamation perhaps something about the

181
00:05:38,800 --> 00:05:39,919
season the year

182
00:05:39,919 --> 00:05:42,000
and a special character really gets

183
00:05:42,000 --> 00:05:42,960
people going

184
00:05:42,960 --> 00:05:45,840
and they love to do it so i performed

185
00:05:45,840 --> 00:05:47,440
credential stuffing didn't work

186
00:05:47,440 --> 00:05:49,520
found the user enumeration got some

187
00:05:49,520 --> 00:05:50,960
password spraying in

188
00:05:50,960 --> 00:05:53,360
and password spraying led to credentials

189
00:05:53,360 --> 00:05:55,280
which led to

190
00:05:55,280 --> 00:05:58,240
when on the vpn so we're able to log

191
00:05:58,240 --> 00:05:59,919
into the vpn

192
00:05:59,919 --> 00:06:02,240
now we're inside the network at this

193
00:06:02,240 --> 00:06:04,240
point if i break in externally into a

194
00:06:04,240 --> 00:06:04,880
network

195
00:06:04,880 --> 00:06:07,840
i go ahead and do a hard stop i call the

196
00:06:07,840 --> 00:06:09,520
manager whoever's in charge and i let

197
00:06:09,520 --> 00:06:10,639
them know

198
00:06:10,639 --> 00:06:14,080
so i called the manager and here's a

199
00:06:14,080 --> 00:06:16,240
text message format of it but i say hey

200
00:06:16,240 --> 00:06:17,520
i managed to breach your external

201
00:06:17,520 --> 00:06:19,919
network and i gain access to your vpn

202
00:06:19,919 --> 00:06:21,840
i'm in

203
00:06:21,840 --> 00:06:23,919
he said okay well what level user are

204
00:06:23,919 --> 00:06:26,639
you and i said well i'm a low-level user

205
00:06:26,639 --> 00:06:28,319
right now meaning i didn't breach a

206
00:06:28,319 --> 00:06:30,479
domain admin

207
00:06:30,479 --> 00:06:32,639
and he said oh that's it i'm not too

208
00:06:32,639 --> 00:06:34,479
worried then what can you really even do

209
00:06:34,479 --> 00:06:37,919
with a low level account

210
00:06:39,440 --> 00:06:42,720
that was my face exactly my face because

211
00:06:42,720 --> 00:06:45,280
i he's taunting me and i wanted to show

212
00:06:45,280 --> 00:06:46,720
him what i could do

213
00:06:46,720 --> 00:06:48,319
so let's take this a step further shall

214
00:06:48,319 --> 00:06:50,880
we so now we're in the network

215
00:06:50,880 --> 00:06:53,840
and we can do something called llmnr

216
00:06:53,840 --> 00:06:54,639
poisoning

217
00:06:54,639 --> 00:06:56,720
so llmnr is a man in the middle type

218
00:06:56,720 --> 00:06:58,319
attack or this poisoning is a man in the

219
00:06:58,319 --> 00:07:01,199
middle type attack and llmnr itself is

220
00:07:01,199 --> 00:07:04,000
used to identify hosts when dns fails to

221
00:07:04,000 --> 00:07:05,039
do so

222
00:07:05,039 --> 00:07:07,840
it was previously known as nbt-ns and

223
00:07:07,840 --> 00:07:09,199
really the key flaw

224
00:07:09,199 --> 00:07:12,240
is that llmnr uses a

225
00:07:12,240 --> 00:07:15,199
user's username and

226
00:07:15,199 --> 00:07:15,840
ntlm

227
00:07:15,840 --> 00:07:18,479
v2 hash when it is appropriately

228
00:07:18,479 --> 00:07:19,759
responded to and i'll give you an

229
00:07:19,759 --> 00:07:21,360
example here in a second

230
00:07:21,360 --> 00:07:23,919
so this is common this is out of the box

231
00:07:23,919 --> 00:07:25,360
default

232
00:07:25,360 --> 00:07:28,160
enabled on windows active directory so

233
00:07:28,160 --> 00:07:29,759
we see this quite a bit unless a

234
00:07:29,759 --> 00:07:31,599
company's been through a pen test before

235
00:07:31,599 --> 00:07:34,000
they typically will have llmnr enabled

236
00:07:34,000 --> 00:07:36,560
unless they know better or not to do so

237
00:07:36,560 --> 00:07:38,639
but what it looks like from a high-level

238
00:07:38,639 --> 00:07:39,599
perspective

239
00:07:39,599 --> 00:07:41,840
is you have a victim and the victim is

240
00:07:41,840 --> 00:07:42,800
sitting here

241
00:07:42,800 --> 00:07:44,560
and they're saying hey i'm trying to

242
00:07:44,560 --> 00:07:46,560
connect to a share maybe they type in a

243
00:07:46,560 --> 00:07:48,000
share wrong or

244
00:07:48,000 --> 00:07:49,280
they try to do something and they just

245
00:07:49,280 --> 00:07:50,720
can't resolve so maybe they're trying to

246
00:07:50,720 --> 00:07:52,720
connect to this hackme share

247
00:07:52,720 --> 00:07:54,560
they ask the server hey do you know

248
00:07:54,560 --> 00:07:56,240
where this hackme is because it's

249
00:07:56,240 --> 00:07:57,120
mistyped

250
00:07:57,120 --> 00:07:58,479
and they say i have no idea what you're

251
00:07:58,479 --> 00:08:00,080
talking about and this is a broad

252
00:08:00,080 --> 00:08:01,840
example it can be way more than just a

253
00:08:01,840 --> 00:08:02,400
typed

254
00:08:02,400 --> 00:08:05,520
or a typo or anything dns just a dns

255
00:08:05,520 --> 00:08:08,160
any sort of dns where dns is failing

256
00:08:08,160 --> 00:08:09,039
here we're going to use

257
00:08:09,039 --> 00:08:12,400
llmnr so what happens is a broadcast

258
00:08:12,400 --> 00:08:12,879
message

259
00:08:12,879 --> 00:08:15,360
goes out on the network and it says hey

260
00:08:15,360 --> 00:08:17,520
does anybody know how to connect to this

261
00:08:17,520 --> 00:08:20,160
share drive that i mistyped and we're

262
00:08:20,160 --> 00:08:21,840
sitting here as the hacker

263
00:08:21,840 --> 00:08:24,080
man in the middle and we say you know

264
00:08:24,080 --> 00:08:25,599
what i do

265
00:08:25,599 --> 00:08:27,039
i'm going to go ahead and tell you how

266
00:08:27,039 --> 00:08:28,879
to get to that location but first you

267
00:08:28,879 --> 00:08:30,400
got to send me your hash and i'll get

268
00:08:30,400 --> 00:08:31,360
you connected

269
00:08:31,360 --> 00:08:32,640
and the victim's going to send over the

270
00:08:32,640 --> 00:08:34,880
hash we're going to get connected

271
00:08:34,880 --> 00:08:37,120
and that is what is called responding

272
00:08:37,120 --> 00:08:38,719
it's waiting for some sort of response

273
00:08:38,719 --> 00:08:41,839
we respond to it it sends over its hash

274
00:08:41,839 --> 00:08:45,760
easy breezy so with that being said

275
00:08:45,760 --> 00:08:48,480
we very easily use responder did man in the

276
00:08:48,480 --> 00:08:49,920
middle poisoning

277
00:08:49,920 --> 00:08:52,399
and did some hash cracking now what

278
00:08:52,399 --> 00:08:53,279
happened

279
00:08:53,279 --> 00:08:55,680
well the same manager that i called up

280
00:08:55,680 --> 00:08:57,760
and said hey i'm on your network

281
00:08:57,760 --> 00:09:01,120
and said hey what can you do well we

282
00:09:01,120 --> 00:09:03,680
grabbed his password hash coincidentally

283
00:09:03,680 --> 00:09:04,800
had to be him

284
00:09:04,800 --> 00:09:06,160
it doesn't make a better story if it

285
00:09:06,160 --> 00:09:08,320
wasn't it's his password

286
00:09:08,320 --> 00:09:10,160
guess what he is he's a domain admin

287
00:09:10,160 --> 00:09:11,760
guess what his password was

288
00:09:11,760 --> 00:09:14,320
his first name with the one after it

289
00:09:14,320 --> 00:09:15,920
cannot make this up

290
00:09:15,920 --> 00:09:18,080
you taunt the pen tester yet your

291
00:09:18,080 --> 00:09:19,839
password is your first name with the one

292
00:09:19,839 --> 00:09:20,560
after it

293
00:09:20,560 --> 00:09:23,920
it cracked in a matter of minutes okay

294
00:09:23,920 --> 00:09:26,240
and with that being said we logged into

295
00:09:26,240 --> 00:09:27,519
the domain controller

296
00:09:27,519 --> 00:09:30,880
and we won now there's a common theme

297
00:09:30,880 --> 00:09:31,680
here

298
00:09:31,680 --> 00:09:32,720
okay i'm going to click through these

299
00:09:32,720 --> 00:09:34,080
really fast because we are going to be

300
00:09:34,080 --> 00:09:35,920
short on time i'm talking as fast as

301
00:09:35,920 --> 00:09:37,279
possible to get through all these slides

302
00:09:37,279 --> 00:09:38,000
but

303
00:09:38,000 --> 00:09:40,320
you can see that we have password as a

304
00:09:40,320 --> 00:09:41,040
theme

305
00:09:41,040 --> 00:09:43,120
when it comes to breach parse password

306
00:09:43,120 --> 00:09:44,720
rotation and employee training is

307
00:09:44,720 --> 00:09:46,240
important because the breach credentials

308
00:09:46,240 --> 00:09:47,760
if you're reusing passwords

309
00:09:47,760 --> 00:09:49,760
that's going to be bad password reuse

310
00:09:49,760 --> 00:09:52,160
did occur and got us into lotus notes

311
00:09:52,160 --> 00:09:53,680
also patching because we were able to

312
00:09:53,680 --> 00:09:56,320
dump the passwords from lotus notes

313
00:09:56,320 --> 00:09:58,959
then you get over into owa and you say

314
00:09:58,959 --> 00:10:00,640
password complexity because we were able

315
00:10:00,640 --> 00:10:01,680
to log in

316
00:10:01,680 --> 00:10:03,519
but more importantly we were able to

317
00:10:03,519 --> 00:10:05,920
brute force unlimited amount of attempts

318
00:10:05,920 --> 00:10:07,279
and there was no multi-factor

319
00:10:07,279 --> 00:10:09,920
authentication that's the big story here

320
00:10:09,920 --> 00:10:11,440
there's no multi-factor authentication

321
00:10:11,440 --> 00:10:13,120
on outlook there's no multi-factor

322
00:10:13,120 --> 00:10:14,880
authentication on the vpn which is even

323
00:10:14,880 --> 00:10:15,680
worse

324
00:10:15,680 --> 00:10:17,839
yeah you're in the email that's bad but

325
00:10:17,839 --> 00:10:19,279
now you're in the network that's even

326
00:10:19,279 --> 00:10:20,240
worse

327
00:10:20,240 --> 00:10:22,480
and once we're in the network password

328
00:10:22,480 --> 00:10:23,440
complexity again

329
00:10:23,440 --> 00:10:25,519
your first name with the one after it

330
00:10:25,519 --> 00:10:26,800
that's terrible

331
00:10:26,800 --> 00:10:29,519
disabling the llmnr broadcast that's

332
00:10:29,519 --> 00:10:30,880
important as well

333
00:10:30,880 --> 00:10:33,200
but password password password passwords

334
00:10:33,200 --> 00:10:34,880
all around here

335
00:10:34,880 --> 00:10:36,880
and of course once you get into active

336
00:10:36,880 --> 00:10:38,399
directory least privilege

337
00:10:38,399 --> 00:10:40,640
so we're getting account credentials

338
00:10:40,640 --> 00:10:42,320
when it comes from llmnr

339
00:10:42,320 --> 00:10:44,720
because we're finding them we're getting

340
00:10:44,720 --> 00:10:46,000
these passwords and those

341
00:10:46,000 --> 00:10:47,680
passwords are being used on the network

342
00:10:47,680 --> 00:10:48,720
those accounts are being used on the

343
00:10:48,720 --> 00:10:49,440
network

344
00:10:49,440 --> 00:10:51,519
in theory you should only be using a

345
00:10:51,519 --> 00:10:53,279
domain admin account to log into the

346
00:10:53,279 --> 00:10:54,640
domain controller

347
00:10:54,640 --> 00:10:56,160
and if you're using a domain admin

348
00:10:56,160 --> 00:10:57,760
account elsewhere it generates network

349
00:10:57,760 --> 00:10:59,040
traffic we capture that

350
00:10:59,040 --> 00:11:02,079
we get a hash we crack it we log in

351
00:11:02,079 --> 00:11:04,959
that's not least privilege so that is

352
00:11:04,959 --> 00:11:06,000
story one

353
00:11:06,000 --> 00:11:09,120
lesson learned here use multi-factor

354
00:11:09,120 --> 00:11:10,160
authentication

355
00:11:10,160 --> 00:11:12,800
okay use multi-factor authentication if

356
00:11:12,800 --> 00:11:14,480
multi-factor was in place we never would

357
00:11:14,480 --> 00:11:16,320
have been able to log into the network

358
00:11:16,320 --> 00:11:17,680
we would have had to do some sort of social

359
00:11:17,680 --> 00:11:18,959
engineering somehow get that

360
00:11:18,959 --> 00:11:20,079
multi-factor

361
00:11:20,079 --> 00:11:22,079
or that key from somebody but it wasn't

362
00:11:22,079 --> 00:11:23,519
there so we were just able to log right

363
00:11:23,519 --> 00:11:24,240
in

364
00:11:24,240 --> 00:11:26,320
password complexity is important don't

365
00:11:26,320 --> 00:11:28,000
use your first name with the one after

366
00:11:28,000 --> 00:11:31,920
it avoid emails as usernames

367
00:11:31,920 --> 00:11:34,560
user training super important as well

368
00:11:34,560 --> 00:11:35,360
okay

369
00:11:35,360 --> 00:11:38,480
and don't taunt your pen tester so don't

370
00:11:38,480 --> 00:11:39,920
taunt your pen tester we're here to help

371
00:11:39,920 --> 00:11:41,200
you don't tell us hey

372
00:11:41,200 --> 00:11:43,600
what can you really do with it um just

373
00:11:43,600 --> 00:11:45,360
let us let us go understand the

374
00:11:45,360 --> 00:11:46,000
importance

375
00:11:46,000 --> 00:11:49,040
and uh that's the big takeaways here

376
00:11:49,040 --> 00:11:50,240
now the stories are gonna get more

377
00:11:50,240 --> 00:11:52,160
interesting as we go so

378
00:11:52,160 --> 00:11:53,839
i'm trying to save time for the the

379
00:11:53,839 --> 00:11:55,279
bigger and better ones so let's really

380
00:11:55,279 --> 00:11:57,440
get into the cool ones now

381
00:11:57,440 --> 00:12:00,800
so story time let's talk a little bit

382
00:12:00,800 --> 00:12:02,880
about ipv6

383
00:12:02,880 --> 00:12:06,639
now ipv6 is one of the go-to things i'm

384
00:12:06,639 --> 00:12:08,000
starting to utilize

385
00:12:08,000 --> 00:12:10,079
in pen testing it's been my favorite

386
00:12:10,079 --> 00:12:12,800
go-to almost for like the last two years

387
00:12:12,800 --> 00:12:15,920
and what it is is we all use

388
00:12:15,920 --> 00:12:19,040
ipv4 right we're very familiar with ipv4

389
00:12:19,040 --> 00:12:21,920
so if we're using ipv4 in our network

390
00:12:21,920 --> 00:12:23,680
that's very common

391
00:12:23,680 --> 00:12:27,040
now when we have a domain or we have

392
00:12:27,040 --> 00:12:27,760
something

393
00:12:27,760 --> 00:12:30,079
in our environment and we want to use

394
00:12:30,079 --> 00:12:31,279
dns

395
00:12:31,279 --> 00:12:35,120
we're likely using dns over ipv4

396
00:12:35,120 --> 00:12:38,240
okay but what we don't do and what we

397
00:12:38,240 --> 00:12:39,360
don't really realize

398
00:12:39,360 --> 00:12:41,920
is that ipv6 is also enabled in our

399
00:12:41,920 --> 00:12:43,279
network

400
00:12:43,279 --> 00:12:46,480
so we have ipv6 enabled by default

401
00:12:46,480 --> 00:12:50,800
and who is really doing dns for ipv6

402
00:12:50,800 --> 00:12:54,880
unless we go in here and disable ipv6

403
00:12:54,880 --> 00:12:58,800
or we come in here and we have a dns

404
00:12:58,800 --> 00:13:02,079
for ipv6 we can get malicious

405
00:13:02,079 --> 00:13:05,279
so what we can do as an attacker is we

406
00:13:05,279 --> 00:13:06,000
can say

407
00:13:06,000 --> 00:13:08,639
hey we're going to sit man in the middle

408
00:13:08,639 --> 00:13:10,240
and we're going to say

409
00:13:10,240 --> 00:13:12,639
i'm the dns server give me your

410
00:13:12,639 --> 00:13:13,680
credentials

411
00:13:13,680 --> 00:13:16,880
and what i see a lot of times is

412
00:13:16,880 --> 00:13:19,600
any sort of login event so say a regular

413
00:13:19,600 --> 00:13:20,000
user

414
00:13:20,000 --> 00:13:22,560
logs in that triggers an event if we're

415
00:13:22,560 --> 00:13:24,880
doing dns over ipv6

416
00:13:24,880 --> 00:13:26,959
we can take that login event and then

417
00:13:26,959 --> 00:13:27,920
relay that

418
00:13:27,920 --> 00:13:31,120
to the domain controller okay we can do

419
00:13:31,120 --> 00:13:33,440
what's called ldap relaying

420
00:13:33,440 --> 00:13:35,760
get into the domain controller this will

421
00:13:35,760 --> 00:13:38,079
create a new user account or computer

422
00:13:38,079 --> 00:13:39,120
account for us

423
00:13:39,120 --> 00:13:41,040
this can dump a lot of information for

424
00:13:41,040 --> 00:13:43,040
us this can do a lot of things which

425
00:13:43,040 --> 00:13:44,320
you're going to see here in a second how

426
00:13:44,320 --> 00:13:45,040
robust

427
00:13:45,040 --> 00:13:46,880
this can really be by using a tool

428
00:13:46,880 --> 00:13:48,240
called man in the middle 6

429
00:13:48,240 --> 00:13:51,360
mitm 6 and i'll provide some resources

430
00:13:51,360 --> 00:13:53,360
here in just a second on learning more

431
00:13:53,360 --> 00:13:54,880
about this tool

432
00:13:54,880 --> 00:13:58,399
but ipv6 by default i would say a good

433
00:13:58,399 --> 00:14:00,320
majority of networks are not doing dns

434
00:14:00,320 --> 00:14:01,440
for it so we can just hop

435
00:14:01,440 --> 00:14:04,720
on run ipv6 or man in the middle 6

436
00:14:04,720 --> 00:14:07,040
do ldap relaying and potentially take

437
00:14:07,040 --> 00:14:08,720
over the domain controller in just a few

438
00:14:08,720 --> 00:14:09,440
minutes

439
00:14:09,440 --> 00:14:11,199
so let's go ahead and take a look at how

440
00:14:11,199 --> 00:14:13,279
this works okay so i'm going to show you

441
00:14:13,279 --> 00:14:14,800
a little bit of technical stuff

442
00:14:14,800 --> 00:14:16,560
from my side now this is we're gonna

443
00:14:16,560 --> 00:14:18,320
start with a lab environment that i

444
00:14:18,320 --> 00:14:19,760
built out and then we're gonna go ahead

445
00:14:19,760 --> 00:14:21,360
and talk and show some real world

446
00:14:21,360 --> 00:14:22,320
examples

447
00:14:22,320 --> 00:14:24,000
so we just run this tool man in the middle

448
00:14:24,000 --> 00:14:25,600
six and we just specify the domain

449
00:14:25,600 --> 00:14:26,800
that's all we have to do

450
00:14:26,800 --> 00:14:28,839
so in this one i'm running on

451
00:14:28,839 --> 00:14:30,000
marvel.local

452
00:14:30,000 --> 00:14:33,480
and here we run a tool called

453
00:14:33,480 --> 00:14:35,199
ntlmrelayx.py

454
00:14:35,199 --> 00:14:37,440
and we just specify hey where is the

455
00:14:37,440 --> 00:14:38,880
domain controller

456
00:14:38,880 --> 00:14:41,120
and what are we going to do here we're

457
00:14:41,120 --> 00:14:42,800
going to set up a fake wpad and we're

458
00:14:42,800 --> 00:14:43,600
just going to say

459
00:14:43,600 --> 00:14:46,000
hey i want to specify a lootme folder

460
00:14:46,000 --> 00:14:46,959
which you're going to see here in a

461
00:14:46,959 --> 00:14:48,160
second

462
00:14:48,160 --> 00:14:49,839
and now we're just waiting we're waiting

463
00:14:49,839 --> 00:14:51,760
for something to happen so say

464
00:14:51,760 --> 00:14:55,040
for example that a non-admin user event

465
00:14:55,040 --> 00:14:56,880
occurs let's say somebody logs into the

466
00:14:56,880 --> 00:14:59,440
network that is a non-admin user

467
00:14:59,440 --> 00:15:02,000
here we have a non-admin user of marvel

468
00:15:02,000 --> 00:15:03,360
the punisher

469
00:15:03,360 --> 00:15:05,040
you could see that they logged in and

470
00:15:05,040 --> 00:15:06,639
succeeded here because they

471
00:15:06,639 --> 00:15:07,920
authenticated

472
00:15:07,920 --> 00:15:09,680
so they have valid credentials we're

473
00:15:09,680 --> 00:15:11,600
sitting man in the middle we relay this

474
00:15:11,600 --> 00:15:13,760
to the domain controller it succeeds

475
00:15:13,760 --> 00:15:15,680
and what we can do is we can dump out

476
00:15:15,680 --> 00:15:17,600
this loot directory

477
00:15:17,600 --> 00:15:20,480
so i specify lootme as a loot directory

478
00:15:20,480 --> 00:15:22,720
and we can get all sort of information

479
00:15:22,720 --> 00:15:25,279
we haven't hacked anything per se yet

480
00:15:25,279 --> 00:15:26,079
but we can get

481
00:15:26,079 --> 00:15:29,120
domain computers domain users domain

482
00:15:29,120 --> 00:15:31,040
policy domain trust

483
00:15:31,040 --> 00:15:33,360
all sorts of things here's an example of

484
00:15:33,360 --> 00:15:34,720
what that looks like

485
00:15:34,720 --> 00:15:36,160
you can see here that i could see the

486
00:15:36,160 --> 00:15:38,240
domain administrators

487
00:15:38,240 --> 00:15:40,560
enterprise admins who the administrators

488
00:15:40,560 --> 00:15:42,639
are i can see descriptions which

489
00:15:42,639 --> 00:15:44,720
i see passwords and descriptions all the

490
00:15:44,720 --> 00:15:46,000
time i would say 15

491
00:15:46,000 --> 00:15:48,639
20% of the time where i dump something

492
00:15:48,639 --> 00:15:50,079
out like this there's a password stored

493
00:15:50,079 --> 00:15:52,000
in the description so if you're a domain

494
00:15:52,000 --> 00:15:53,600
admin and you're watching this

495
00:15:53,600 --> 00:15:56,720
and you see or you're setting passwords

496
00:15:56,720 --> 00:15:58,079
in your descriptions please stop doing

497
00:15:58,079 --> 00:15:59,519
that because i will find it

498
00:15:59,519 --> 00:16:01,759
or your pen tester will find it so here

499
00:16:01,759 --> 00:16:03,759
we get information right we can see

500
00:16:03,759 --> 00:16:05,199
passwords and descriptions we can see

501
00:16:05,199 --> 00:16:06,800
when passwords last set

502
00:16:06,800 --> 00:16:08,880
what the flags are when they last logged

503
00:16:08,880 --> 00:16:10,480
in what their

504
00:16:10,480 --> 00:16:13,600
sam name is all kinds of information

505
00:16:13,600 --> 00:16:16,079
now let's say that a domain admin user

506
00:16:16,079 --> 00:16:17,360
logs in

507
00:16:17,360 --> 00:16:19,680
well when a domain admin user logs in we

508
00:16:19,680 --> 00:16:22,079
can utilize that domain admin user

509
00:16:22,079 --> 00:16:24,880
to actually create a new account on the

510
00:16:24,880 --> 00:16:25,519
domain

511
00:16:25,519 --> 00:16:27,600
it actually adds the user to enterprise

512
00:16:27,600 --> 00:16:28,560
admins

513
00:16:28,560 --> 00:16:30,639
and we log right into the domain

514
00:16:30,639 --> 00:16:32,320
controller as this user

515
00:16:32,320 --> 00:16:36,240
it's over okay this is over so dns

516
00:16:36,240 --> 00:16:39,600
ipv6 this relaying it's very quick way

517
00:16:39,600 --> 00:16:41,279
to take over a network

518
00:16:41,279 --> 00:16:43,199
i've seen it happen in as little as five

519
00:16:43,199 --> 00:16:45,920
minutes here's one for example here's a

520
00:16:45,920 --> 00:16:47,680
hospital we were pen testing

521
00:16:47,680 --> 00:16:49,519
uh got domain administrator in five

522
00:16:49,519 --> 00:16:51,199
minutes i've tried to blur out

523
00:16:51,199 --> 00:16:53,680
everything here you can see that we were

524
00:16:53,680 --> 00:16:54,320
able to

525
00:16:54,320 --> 00:16:56,160
relay a user this is up a little bit

526
00:16:56,160 --> 00:16:58,000
here but we were able to authenticate as

527
00:16:58,000 --> 00:16:59,040
a user

528
00:16:59,040 --> 00:17:02,000
that user was a domain admin we were

529
00:17:02,000 --> 00:17:04,000
able to create the user modify

530
00:17:04,000 --> 00:17:07,119
an acl add the user to enterprise admin

531
00:17:07,119 --> 00:17:08,480
and then here we had a username and

532
00:17:08,480 --> 00:17:10,640
password all we have to do is log in

533
00:17:10,640 --> 00:17:11,679
with this to the

534
00:17:11,679 --> 00:17:13,760
domain controller or use something like

535
00:17:13,760 --> 00:17:15,439
secretsdump and just dump out

536
00:17:15,439 --> 00:17:18,559
the information this is it it's over

537
00:17:18,559 --> 00:17:20,160
other stuff that you can do different

538
00:17:20,160 --> 00:17:21,839
hospitals same results

539
00:17:21,839 --> 00:17:24,000
we can authenticate and sometimes we

540
00:17:24,000 --> 00:17:25,760
don't authenticate as the

541
00:17:25,760 --> 00:17:27,599
domain admin but we can authenticate and

542
00:17:27,599 --> 00:17:29,840
get some sort of delegation rights

543
00:17:29,840 --> 00:17:31,679
so it doesn't give us full domain admin

544
00:17:31,679 --> 00:17:33,280
rights but we actually create

545
00:17:33,280 --> 00:17:35,360
a computer instead of a user so this

546
00:17:35,360 --> 00:17:37,280
does it all automatically

547
00:17:37,280 --> 00:17:39,919
we create that computer and we can

548
00:17:39,919 --> 00:17:42,240
actually impersonate so you see a dash k

549
00:17:42,240 --> 00:17:45,360
here we can actually use a ticket or

550
00:17:45,360 --> 00:17:47,520
kerberos ticket to impersonate and log

551
00:17:47,520 --> 00:17:48,080
in

552
00:17:48,080 --> 00:17:49,600
here is an example of where i use this

553
00:17:49,600 --> 00:17:51,120
ticket to log in as

554
00:17:51,120 --> 00:17:55,440
a domain admin on a specific machine

555
00:17:55,440 --> 00:17:57,760
i was able to also dump secrets here's a

556
00:17:57,760 --> 00:17:58,799
sam dump of

557
00:17:58,799 --> 00:18:01,679
a specific machine as well using a

558
00:18:01,679 --> 00:18:02,799
kerberos ticket

559
00:18:02,799 --> 00:18:04,080
so there's a lot of different things

560
00:18:04,080 --> 00:18:06,240
that we can do just because ipv6 is

561
00:18:06,240 --> 00:18:07,039
enabled

562
00:18:07,039 --> 00:18:10,240
in a network again if you have no idea

563
00:18:10,240 --> 00:18:11,919
what i'm talking about because of

564
00:18:11,919 --> 00:18:13,520
pen testing is not your background

565
00:18:13,520 --> 00:18:14,960
you're bug bounty you're just getting

566
00:18:14,960 --> 00:18:15,600
started

567
00:18:15,600 --> 00:18:17,600
that's okay this is very high level

568
00:18:17,600 --> 00:18:19,360
that's why i just want you to take away

569
00:18:19,360 --> 00:18:22,160
from this that ipv6 enabled in your

570
00:18:22,160 --> 00:18:23,440
network can be

571
00:18:23,440 --> 00:18:26,160
very bad here is mitigation strategies

572
00:18:26,160 --> 00:18:28,080
or here are mitigation strategies where

573
00:18:28,080 --> 00:18:29,760
we see that

574
00:18:29,760 --> 00:18:32,799
turning off ipv6 could disable or

575
00:18:32,799 --> 00:18:34,080
prevent this attack

576
00:18:34,080 --> 00:18:36,080
but it could also have unwanted side

577
00:18:36,080 --> 00:18:38,640
effects so this is for you domain admins

578
00:18:38,640 --> 00:18:40,559
if you're curious about mitigation

579
00:18:40,559 --> 00:18:42,000
here's this i'm not going to cover it it

580
00:18:42,000 --> 00:18:44,640
goes way too technical in detail

581
00:18:44,640 --> 00:18:46,720
so a couple things i want to point out

582
00:18:46,720 --> 00:18:48,240
if you're interested in reading more

583
00:18:48,240 --> 00:18:48,880
about this

584
00:18:48,880 --> 00:18:51,120
if you google man in the middle 6 or

585
00:18:51,120 --> 00:18:52,720
mitm6 and you google

586
00:18:52,720 --> 00:18:54,320
dirk just dirk you don't have to do the

587
00:18:54,320 --> 00:18:56,000
rest but dirkjanm

588
00:18:56,000 --> 00:18:58,160
is a great resource it covers a lot of

589
00:18:58,160 --> 00:18:59,360
these attacks

590
00:18:59,360 --> 00:19:02,080
how they work way more technical detail

591
00:19:02,080 --> 00:19:03,919
i also have a video on my channel called

592
00:19:03,919 --> 00:19:07,440
domain admin via ipv6 dns takeover

593
00:19:07,440 --> 00:19:09,039
you can hear the walkthrough see the

594
00:19:09,039 --> 00:19:10,720
walkthrough see how it's done

595
00:19:10,720 --> 00:19:12,480
and you can even set this up on your own

596
00:19:12,480 --> 00:19:13,919
if you want to try it out in your

597
00:19:13,919 --> 00:19:15,280
network so i'll provide the tools and

598
00:19:15,280 --> 00:19:16,880
resources in this video

599
00:19:16,880 --> 00:19:19,039
if you're curious to learn more about it

600
00:19:19,039 --> 00:19:21,120
okay on to the next story

601
00:19:21,120 --> 00:19:24,960
so this client is also a large hospital

602
00:19:24,960 --> 00:19:27,679
and they had deep pockets now they have

603
00:19:27,679 --> 00:19:28,799
spent a ton

604
00:19:28,799 --> 00:19:32,160
of money on security they had intrusion

605
00:19:32,160 --> 00:19:34,000
detection prevention in place

606
00:19:34,000 --> 00:19:37,120
they had av antivirus on all devices and

607
00:19:37,120 --> 00:19:38,720
they had cyberark

608
00:19:38,720 --> 00:19:40,960
so cyberark is a privileged access

609
00:19:40,960 --> 00:19:41,919
management tool

610
00:19:41,919 --> 00:19:43,360
if you've never heard of that basically

611
00:19:43,360 --> 00:19:44,960
what it does is

612
00:19:44,960 --> 00:19:48,080
it allows users to log in and check out

613
00:19:48,080 --> 00:19:49,840
credentials so say you're a domain

614
00:19:49,840 --> 00:19:50,880
administrator

615
00:19:50,880 --> 00:19:52,880
and you want to log in you go check out

616
00:19:52,880 --> 00:19:54,559
your credentials and those credentials

617
00:19:54,559 --> 00:19:56,000
are only valid for

618
00:19:56,000 --> 00:19:58,000
eight hours once those credentials

619
00:19:58,000 --> 00:19:59,919
expire or you check them back in

620
00:19:59,919 --> 00:20:01,600
those credentials rotate and they're

621
00:20:01,600 --> 00:20:03,840
usually like 15 to 30 characters in

622
00:20:03,840 --> 00:20:04,559
length

623
00:20:04,559 --> 00:20:06,480
and really hard to crack really hard to

624
00:20:06,480 --> 00:20:08,240
do anything with if cyberark's in the

625
00:20:08,240 --> 00:20:09,760
environment it kind of stops us in our

626
00:20:09,760 --> 00:20:11,679
tracks in a lot of places

627
00:20:11,679 --> 00:20:14,320
however i've still managed to take them

628
00:20:14,320 --> 00:20:16,559
down

629
00:20:16,720 --> 00:20:18,960
all right so we use something called smb

630
00:20:18,960 --> 00:20:19,760
relay

631
00:20:19,760 --> 00:20:22,640
so if you remember earlier we utilized a

632
00:20:22,640 --> 00:20:23,200
tool

633
00:20:23,200 --> 00:20:25,520
called responder to do the llmnr

634
00:20:25,520 --> 00:20:26,720
poisoning that was the first

635
00:20:26,720 --> 00:20:30,000
example now with llmnr you have the

636
00:20:30,000 --> 00:20:32,480
option of taking that hash going offline

637
00:20:32,480 --> 00:20:33,600
and cracking it

638
00:20:33,600 --> 00:20:35,760
or you have the option to actually relay

639
00:20:35,760 --> 00:20:37,039
that hash

640
00:20:37,039 --> 00:20:39,760
so in order to relay a hash we can

641
00:20:39,760 --> 00:20:40,320
utilize

642
00:20:40,320 --> 00:20:44,480
smb but smb signing must be disabled on

643
00:20:44,480 --> 00:20:46,480
the target this is smb must be disabled

644
00:20:46,480 --> 00:20:48,080
smb signing must be disabled on the

645
00:20:48,080 --> 00:20:48,880
target

646
00:20:48,880 --> 00:20:50,880
and the relayed user credentials must be

647
00:20:50,880 --> 00:20:51,919
added on the machine

648
00:20:51,919 --> 00:20:54,640
for it to be of value they can be

649
00:20:54,640 --> 00:20:56,640
non-admin but you don't get a lot out of

650
00:20:56,640 --> 00:20:57,200
it

651
00:20:57,200 --> 00:20:59,120
so what we're doing in this environment

652
00:20:59,120 --> 00:21:00,960
is we're in an environment now where

653
00:21:00,960 --> 00:21:04,320
smb signing is disabled if we get llmnr

654
00:21:04,320 --> 00:21:05,679
which was all over the place in this

655
00:21:05,679 --> 00:21:07,520
environment we are getting hashes but

656
00:21:07,520 --> 00:21:08,480
remember

657
00:21:08,480 --> 00:21:10,799
that cyberark was in place if the

658
00:21:10,799 --> 00:21:13,200
password is 15 to 30 characters long

659
00:21:13,200 --> 00:21:14,559
we're not cracking it it's just not

660
00:21:14,559 --> 00:21:16,880
happening so we needed to think outside

661
00:21:16,880 --> 00:21:17,840
the box

662
00:21:17,840 --> 00:21:21,600
and what came up with is hey smb relay

663
00:21:21,600 --> 00:21:24,000
if we can't crack the password why not

664
00:21:24,000 --> 00:21:25,280
pass the password

665
00:21:25,280 --> 00:21:27,440
or relay the password and say hey we are

666
00:21:27,440 --> 00:21:28,400
this user

667
00:21:28,400 --> 00:21:30,080
go ahead don't verify that we are

668
00:21:30,080 --> 00:21:31,919
because that's what smb signing is

669
00:21:31,919 --> 00:21:34,240
smb signing says hey are you really who

670
00:21:34,240 --> 00:21:35,360
you say you are

671
00:21:35,360 --> 00:21:38,240
but because it's disabled uh by default

672
00:21:38,240 --> 00:21:39,039
on host

673
00:21:39,039 --> 00:21:41,360
not on servers just on host we can

674
00:21:41,360 --> 00:21:43,280
utilize that to our advantage

675
00:21:43,280 --> 00:21:46,400
so we can relay some credentials and you

676
00:21:46,400 --> 00:21:47,760
see here that we did a

677
00:21:47,760 --> 00:21:49,760
http relay we actually did this with

678
00:21:49,760 --> 00:21:51,600
ntlmrelayx

679
00:21:51,600 --> 00:21:53,840
just like you saw in the other man in

680
00:21:53,840 --> 00:21:55,280
the middle 6 example a lot of these

681
00:21:55,280 --> 00:21:57,360
tools play well with each other

682
00:21:57,360 --> 00:22:00,159
and we were able to dump out the sam so

683
00:22:00,159 --> 00:22:01,840
we're able to dump out the hashes on the

684
00:22:01,840 --> 00:22:02,960
machine

685
00:22:02,960 --> 00:22:06,000
now look the administrator and tech

686
00:22:06,000 --> 00:22:07,679
support and tech support 2

687
00:22:07,679 --> 00:22:11,679
there's also user 2 user 3 user 2 user 3

688
00:22:11,679 --> 00:22:12,559
have the same

689
00:22:12,559 --> 00:22:15,520
hash value tech support tech support 2

690
00:22:15,520 --> 00:22:15,919
and

691
00:22:15,919 --> 00:22:18,400
administrator have the same hash value

692
00:22:18,400 --> 00:22:20,799
okay they're reusing hashes here

693
00:22:20,799 --> 00:22:22,559
if your administrator hash and your tech

694
00:22:22,559 --> 00:22:24,320
support hash are all the same

695
00:22:24,320 --> 00:22:26,000
guess what i'm taking these hashes and

696
00:22:26,000 --> 00:22:27,280
i'm going to try to pass them around the

697
00:22:27,280 --> 00:22:28,000
network

698
00:22:28,000 --> 00:22:29,200
i'm going to try to crack them i'm going

699
00:22:29,200 --> 00:22:31,440
to see what you're using here

700
00:22:31,440 --> 00:22:35,039
so i take these i crack it by the way

701
00:22:35,039 --> 00:22:37,840
it comes out to power 10 power 10.

702
00:22:37,840 --> 00:22:39,440
that's it that's the password

703
00:22:39,440 --> 00:22:42,720
and this password was utilized as well

704
00:22:42,720 --> 00:22:44,080
on the anti-virus

705
00:22:44,080 --> 00:22:46,559
so i was able to disable anti-virus on

706
00:22:46,559 --> 00:22:47,760
all machines i logged into

707
00:22:47,760 --> 00:22:50,000
because they utilized the same password

708
00:22:50,000 --> 00:22:50,799
no bueno

709
00:22:50,799 --> 00:22:53,280
not good now every time you see pwned

710
00:22:53,280 --> 00:22:54,960
here is a machine in the network that is

711
00:22:54,960 --> 00:22:56,080
being owned

712
00:22:56,080 --> 00:22:58,320
because the password is being used or

713
00:22:58,320 --> 00:22:59,520
that admin account

714
00:22:59,520 --> 00:23:02,799
exists on this machine so we went from

715
00:23:02,799 --> 00:23:05,280
relaying credentials and signing into

716
00:23:05,280 --> 00:23:06,000
one machine

717
00:23:06,000 --> 00:23:08,240
dumping password hashes and now here we

718
00:23:08,240 --> 00:23:09,200
are

719
00:23:09,200 --> 00:23:11,840
on this machine or we relay these across

720
00:23:11,840 --> 00:23:12,640
the network

721
00:23:12,640 --> 00:23:14,559
and we're just logging in to all over

722
00:23:14,559 --> 00:23:16,559
the place all kinds of access

723
00:23:16,559 --> 00:23:19,440
all kinds of owns okay and within a few

724
00:23:19,440 --> 00:23:20,159
minutes

725
00:23:20,159 --> 00:23:22,159
we come across an account on a machine

726
00:23:22,159 --> 00:23:23,440
we dump the hash

727
00:23:23,440 --> 00:23:25,760
we're able to log in to that using a

728
00:23:25,760 --> 00:23:27,200
hash we don't even have to crack the

729
00:23:27,200 --> 00:23:28,720
password the password by the way was

730
00:23:28,720 --> 00:23:30,960
welcome one for a local

731
00:23:30,960 --> 00:23:33,760
administrator that is used on a domain

732
00:23:33,760 --> 00:23:34,640
controller

733
00:23:34,640 --> 00:23:37,840
please don't do that okay so lesson

734
00:23:37,840 --> 00:23:39,120
learned

735
00:23:39,120 --> 00:23:41,200
smb signing should be enabled on your

736
00:23:41,200 --> 00:23:42,400
network

737
00:23:42,400 --> 00:23:45,360
least privilege is important so your

738
00:23:45,360 --> 00:23:47,279
users should not have

739
00:23:47,279 --> 00:23:50,000
access administrative access on machines

740
00:23:50,000 --> 00:23:51,039
if all the users

741
00:23:51,039 --> 00:23:54,400
in that environment were utilizing

742
00:23:54,400 --> 00:23:56,320
low level access they didn't have domain

743
00:23:56,320 --> 00:23:57,760
admin or not domain just

744
00:23:57,760 --> 00:23:59,600
regular admin local admin access on

745
00:23:59,600 --> 00:24:01,279
their machine the relay would never

746
00:24:01,279 --> 00:24:02,480
would have worked we never would have

747
00:24:02,480 --> 00:24:04,880
been able to dump the the hashes out

748
00:24:04,880 --> 00:24:07,200
account tiering as well because for

749
00:24:07,200 --> 00:24:08,000
example

750
00:24:08,000 --> 00:24:10,400
you should have again the domain admin

751
00:24:10,400 --> 00:24:12,640
only login to the domain controllers

752
00:24:12,640 --> 00:24:15,039
and bob if he's the domain admin should

753
00:24:15,039 --> 00:24:16,080
have a bob account

754
00:24:16,080 --> 00:24:18,799
and a bob bob-da account that he only

755
00:24:18,799 --> 00:24:20,799
logs into his domain admin

756
00:24:20,799 --> 00:24:23,200
uh with or domain controller with so

757
00:24:23,200 --> 00:24:24,640
account tiering is important

758
00:24:24,640 --> 00:24:27,440
and oh yeah don't reuse passwords super

759
00:24:27,440 --> 00:24:27,840
bad

760
00:24:27,840 --> 00:24:30,559
why do we do this i see it all the time

761
00:24:30,559 --> 00:24:31,200
all right

762
00:24:31,200 --> 00:24:33,520
and this is my favorite story from the

763
00:24:33,520 --> 00:24:34,880
past year

764
00:24:34,880 --> 00:24:37,919
which is called digging deep now we're

765
00:24:37,919 --> 00:24:39,840
again at a large hospital come on you

766
00:24:39,840 --> 00:24:41,520
already knew we're three for three on

767
00:24:41,520 --> 00:24:42,720
hospitals here

768
00:24:42,720 --> 00:24:45,760
this hospital had no llmnr

769
00:24:45,760 --> 00:24:49,679
ipv6 was disabled everything was patched

770
00:24:49,679 --> 00:24:52,480
looked really good from an environment

771
00:24:52,480 --> 00:24:53,200
so

772
00:24:53,200 --> 00:24:55,120
what options do we have in that case if

773
00:24:55,120 --> 00:24:56,320
the man in the middle attacks aren't

774
00:24:56,320 --> 00:24:57,679
working everything's patched we don't

775
00:24:57,679 --> 00:24:59,200
really have an exploit

776
00:24:59,200 --> 00:25:01,440
we have to think outside the box so we

777
00:25:01,440 --> 00:25:03,760
have to dig deep

778
00:25:03,760 --> 00:25:05,679
all right so what i did was i started

779
00:25:05,679 --> 00:25:07,120
looking around the network

780
00:25:07,120 --> 00:25:10,640
i started looking for different websites

781
00:25:10,640 --> 00:25:13,440
in the environment so you can use

782
00:25:13,440 --> 00:25:14,080
different tools

783
00:25:14,080 --> 00:25:15,360
to do that but basically you're just

784
00:25:15,360 --> 00:25:17,760
hunting port 80 port 443

785
00:25:17,760 --> 00:25:19,760
seeing if there's any responses and

786
00:25:19,760 --> 00:25:21,120
going to them

787
00:25:21,120 --> 00:25:23,120
what happened was i was going website to

788
00:25:23,120 --> 00:25:25,279
website to website and this was a large

789
00:25:25,279 --> 00:25:26,960
large hospital environment they had a

790
00:25:26,960 --> 00:25:29,279
lot of websites most websites did not

791
00:25:29,279 --> 00:25:30,880
have default credentials

792
00:25:30,880 --> 00:25:34,159
all it took was one okay all it took was

793
00:25:34,159 --> 00:25:34,960
one

794
00:25:34,960 --> 00:25:38,720
and we logged in and plain text

795
00:25:38,720 --> 00:25:41,039
sitting here in plain text it says local

796
00:25:41,039 --> 00:25:42,480
administrative password

797
00:25:42,480 --> 00:25:44,880
you can see the 70 i blurred the rest

798
00:25:44,880 --> 00:25:46,400
now this had nothing

799
00:25:46,400 --> 00:25:48,799
to do with the environment itself this

800
00:25:48,799 --> 00:25:50,720
had nothing to do with the network

801
00:25:50,720 --> 00:25:52,559
this was just a local admin password

802
00:25:52,559 --> 00:25:54,480
stored for something to do with this

803
00:25:54,480 --> 00:25:56,480
application itself

804
00:25:56,480 --> 00:25:58,559
now why it was stored in clear text i

805
00:25:58,559 --> 00:26:01,120
have no idea that's on the application

806
00:26:01,120 --> 00:26:04,159
that benefited us on top of that the

807
00:26:04,159 --> 00:26:05,600
application had default credentials it

808
00:26:05,600 --> 00:26:07,279
was just something they were testing

809
00:26:07,279 --> 00:26:08,880
out it was nothing that they were even

810
00:26:08,880 --> 00:26:10,320
utilizing in their environment they were

811
00:26:10,320 --> 00:26:11,600
just testing it out

812
00:26:11,600 --> 00:26:14,240
they used this password okay we start

813
00:26:14,240 --> 00:26:16,159
there

814
00:26:16,159 --> 00:26:17,840
certainly they wouldn't reuse that

815
00:26:17,840 --> 00:26:19,360
password we haven't seen that in the

816
00:26:19,360 --> 00:26:20,559
past right

817
00:26:20,559 --> 00:26:22,320
well i don't know anything about the

818
00:26:22,320 --> 00:26:24,240
environment yet at this point so i just

819
00:26:24,240 --> 00:26:25,679
say hey crackmapexec

820
00:26:25,679 --> 00:26:27,760
which is what we used previously and

821
00:26:27,760 --> 00:26:29,679
just i want to see if the user

822
00:26:29,679 --> 00:26:32,640
administrator had with this password

823
00:26:32,640 --> 00:26:34,159
could log in anywhere so i'm just

824
00:26:34,159 --> 00:26:36,159
sweeping across the domain seeing if

825
00:26:36,159 --> 00:26:38,080
there's anywhere where this user

826
00:26:38,080 --> 00:26:40,480
has administrative access and wouldn't

827
00:26:40,480 --> 00:26:41,440
you know it there's

828
00:26:41,440 --> 00:26:43,840
one machine one machine in the entire

829
00:26:43,840 --> 00:26:45,760
network where this works

830
00:26:45,760 --> 00:26:49,120
okay log into that machine yeah yeah

831
00:26:49,120 --> 00:26:50,559
this is how i felt by the way

832
00:26:50,559 --> 00:26:52,640
log into this machine and you can see

833
00:26:52,640 --> 00:26:54,000
that we have

834
00:26:54,000 --> 00:26:55,760
the administrator user when we dump the

835
00:26:55,760 --> 00:26:57,679
sam hashes we have the

836
00:26:57,679 --> 00:26:59,200
administrative user but we also have

837
00:26:59,200 --> 00:27:01,440
this other admin user

838
00:27:01,440 --> 00:27:04,080
and wouldn't you know it it's the same

839
00:27:04,080 --> 00:27:06,000
password hash look at that

840
00:27:06,000 --> 00:27:09,200
which means what it's the same password

841
00:27:09,200 --> 00:27:11,279
so now we have a little bit more

842
00:27:11,279 --> 00:27:13,200
information at our disposal

843
00:27:13,200 --> 00:27:16,400
there's this admin account what if we

844
00:27:16,400 --> 00:27:19,279
pass it again oh we passed it again and

845
00:27:19,279 --> 00:27:19,679
we

846
00:27:19,679 --> 00:27:23,120
saw everything light up okay so again

847
00:27:23,120 --> 00:27:25,840
just like the example you saw

848
00:27:25,840 --> 00:27:27,760
guess what this is one of those other

849
00:27:27,760 --> 00:27:29,760
tech support type accounts

850
00:27:29,760 --> 00:27:31,840
where they were utilizing all across the

851
00:27:31,840 --> 00:27:33,360
network locally

852
00:27:33,360 --> 00:27:36,159
so we have this local account and we're

853
00:27:36,159 --> 00:27:37,600
just passing it along

854
00:27:37,600 --> 00:27:39,279
we're getting access to machines you can

855
00:27:39,279 --> 00:27:40,880
see here's the authority system where we

856
00:27:40,880 --> 00:27:42,640
logged in on the network

857
00:27:42,640 --> 00:27:46,320
and eventually we just keep going around

858
00:27:46,320 --> 00:27:49,520
dumping credentials so this

859
00:27:49,520 --> 00:27:51,919
environment itself was using windows 7

860
00:27:51,919 --> 00:27:53,039
windows 7

861
00:27:53,039 --> 00:27:54,799
is known for having something called

862
00:27:54,799 --> 00:27:56,720
wdigest now wdigest

863
00:27:56,720 --> 00:28:00,080
provides your credentials in plain text

864
00:28:00,080 --> 00:28:02,240
they are stored in plain text you can

865
00:28:02,240 --> 00:28:03,120
see here's fall

866
00:28:03,120 --> 00:28:05,760
2016 with three exclamations i told you

867
00:28:05,760 --> 00:28:07,279
people love this password

868
00:28:07,279 --> 00:28:09,279
and there's this whole other one here

869
00:28:09,279 --> 00:28:10,559
which i wouldn't have guessed i don't

870
00:28:10,559 --> 00:28:11,840
think we would have actually cracked

871
00:28:11,840 --> 00:28:12,799
this one

872
00:28:12,799 --> 00:28:15,600
but you can see it says is setup which

873
00:28:15,600 --> 00:28:16,559
was actually a

874
00:28:16,559 --> 00:28:18,559
service account running in the network

875
00:28:18,559 --> 00:28:21,120
running as domain administrator

876
00:28:21,120 --> 00:28:23,120
now you take this domain admin

877
00:28:23,120 --> 00:28:25,200
credential you take it to the domain

878
00:28:25,200 --> 00:28:26,640
controller you log in

879
00:28:26,640 --> 00:28:28,640
and guess what you're on the domain

880
00:28:28,640 --> 00:28:30,960
controller and you've owned the domain

881
00:28:30,960 --> 00:28:34,159
so we took it from completely

882
00:28:34,159 --> 00:28:37,200
no access seemed well patched had

883
00:28:37,200 --> 00:28:38,880
no llmnr no man in the middle

884
00:28:38,880 --> 00:28:40,480
capabilities and just

885
00:28:40,480 --> 00:28:43,600
one configuration one default

886
00:28:43,600 --> 00:28:45,039
creds that were out there if there were

887
00:28:45,039 --> 00:28:46,880
no default creds on that page

888
00:28:46,880 --> 00:28:48,640
we would have never owned this this

889
00:28:48,640 --> 00:28:50,080
network okay

890
00:28:50,080 --> 00:28:51,840
uh without the default creds wouldn't

891
00:28:51,840 --> 00:28:53,919
got there default creds were stored in

892
00:28:53,919 --> 00:28:55,919
plain text if they weren't stored in

893
00:28:55,919 --> 00:28:58,559
plain text wouldn't have got there

894
00:28:58,559 --> 00:29:01,440
if they didn't reuse that password on

895
00:29:01,440 --> 00:29:02,399
the network

896
00:29:02,399 --> 00:29:04,880
we wouldn't have got there if they

897
00:29:04,880 --> 00:29:06,559
didn't reuse that password with a

898
00:29:06,559 --> 00:29:07,919
different account we wouldn't have got

899
00:29:07,919 --> 00:29:09,039
there either

900
00:29:09,039 --> 00:29:12,000
and if they weren't using windows 7 we

901
00:29:12,000 --> 00:29:13,039
wouldn't have got there

902
00:29:13,039 --> 00:29:15,039
there's a lot of chain events here that

903
00:29:15,039 --> 00:29:17,120
happen in pen testing

904
00:29:17,120 --> 00:29:19,679
and it just is sometimes where you have

905
00:29:19,679 --> 00:29:21,440
to dig deep and you find these weird

906
00:29:21,440 --> 00:29:23,200
paths and you get there

907
00:29:23,200 --> 00:29:26,080
and this is just another example of you

908
00:29:26,080 --> 00:29:26,799
you have these

909
00:29:26,799 --> 00:29:28,799
things on the surface where just one

910
00:29:28,799 --> 00:29:30,399
little mistake or one

911
00:29:30,399 --> 00:29:32,480
one tiny mistake across the board can

912
00:29:32,480 --> 00:29:33,600
lead to something

913
00:29:33,600 --> 00:29:36,880
bigger you take one default credential

914
00:29:36,880 --> 00:29:39,039
login on an account that you weren't

915
00:29:39,039 --> 00:29:40,000
even worried about

916
00:29:40,000 --> 00:29:41,840
because it was just an example it was

917
00:29:41,840 --> 00:29:43,679
just something you were demoing

918
00:29:43,679 --> 00:29:45,840
and that went all the way up to domain

919
00:29:45,840 --> 00:29:47,840
admin access in a network

920
00:29:47,840 --> 00:29:51,679
it happens this is real life it happens

921
00:29:51,679 --> 00:29:54,240
now i know i went through this fast and

922
00:29:54,240 --> 00:29:55,679
i did that because i wanted to share a

923
00:29:55,679 --> 00:29:57,120
bunch of these stories

924
00:29:57,120 --> 00:29:58,960
so if you have any questions on this

925
00:29:58,960 --> 00:30:01,120
feel free to at me on twitter at the

926
00:30:01,120 --> 00:30:02,240
cyber mentor

927
00:30:02,240 --> 00:30:04,000
you can ask questions i'll be happy to

928
00:30:04,000 --> 00:30:06,399
respond i'll be available the next hour

929
00:30:06,399 --> 00:30:06,880
or so

930
00:30:06,880 --> 00:30:08,559
in chat as well if you want to ask more

931
00:30:08,559 --> 00:30:10,480
questions about anything that you saw

932
00:30:10,480 --> 00:30:12,480
and of course i'm very responsive so

933
00:30:12,480 --> 00:30:14,000
please feel free to reach out to me at

934
00:30:14,000 --> 00:30:15,360
any time

935
00:30:15,360 --> 00:30:17,360
doesn't matter if it has to be today but

936
00:30:17,360 --> 00:30:18,880
just feel free to reach out and i'll be

937
00:30:18,880 --> 00:30:20,240
happy to answer questions

938
00:30:20,240 --> 00:30:22,720
on this specifically hopefully this is

939
00:30:22,720 --> 00:30:24,000
valuable for you

940
00:30:24,000 --> 00:30:26,240
this is the end of the presentation i

941
00:30:26,240 --> 00:30:27,760
really do hope you found value

942
00:30:27,760 --> 00:30:30,799
again just big key takeaways

943
00:30:30,799 --> 00:30:33,279
use multi-factor authentication use

944
00:30:33,279 --> 00:30:34,320
strong passwords

945
00:30:34,320 --> 00:30:35,919
a lot of this where we saw throughout

946
00:30:35,919 --> 00:30:37,520
the whole thing had to do with passwords

947
00:30:37,520 --> 00:30:38,799
right we got in

948
00:30:38,799 --> 00:30:40,640
externally because of weak passwords or

949
00:30:40,640 --> 00:30:42,000
reused passwords

950
00:30:42,000 --> 00:30:44,640
we've owned machines internally because

951
00:30:44,640 --> 00:30:46,480
of reused passwords or because

952
00:30:46,480 --> 00:30:49,279
you want to be a jerk and also use your

953
00:30:49,279 --> 00:30:49,760
name

954
00:30:49,760 --> 00:30:53,120
as a as a password and we saw local

955
00:30:53,120 --> 00:30:55,919
admin accounts just take down networks

956
00:30:55,919 --> 00:30:58,240
enterprise networks with millions of

957
00:30:58,240 --> 00:31:00,320
dollars spent in security in one of

958
00:31:00,320 --> 00:31:01,279
the examples

959
00:31:01,279 --> 00:31:03,519
with the cyberark and everything else

960
00:31:03,519 --> 00:31:04,720
local admin

961
00:31:04,720 --> 00:31:06,559
local admin is so important everybody

962
00:31:06,559 --> 00:31:08,080
forgets about it you can spend so much

963
00:31:08,080 --> 00:31:10,720
money protecting your domain credentials

964
00:31:10,720 --> 00:31:12,159
that you forget about the local

965
00:31:12,159 --> 00:31:14,159
administrator local administrator

966
00:31:14,159 --> 00:31:16,559
will kill a network as you see here will

967
00:31:16,559 --> 00:31:17,440
kill a network

968
00:31:17,440 --> 00:31:18,960
there are times where i don't ever

969
00:31:18,960 --> 00:31:20,960
access a domain account until the very

970
00:31:20,960 --> 00:31:21,440
end

971
00:31:21,440 --> 00:31:22,720
and it's because of that local

972
00:31:22,720 --> 00:31:24,799
administrator and in fact we never

973
00:31:24,799 --> 00:31:26,559
access the domain account in the third

974
00:31:26,559 --> 00:31:27,279
example

975
00:31:27,279 --> 00:31:30,080
so keep that in mind local accounts can

976
00:31:30,080 --> 00:31:31,360
take you down as well

977
00:31:31,360 --> 00:31:33,679
so if i want to take away these big

978
00:31:33,679 --> 00:31:34,880
takeaways

979
00:31:34,880 --> 00:31:36,799
passwords are important utilize

980
00:31:36,799 --> 00:31:39,120
multi-factor authentication

981
00:31:39,120 --> 00:31:41,519
remember your local accounts exist and

982
00:31:41,519 --> 00:31:44,000
do not reuse passwords on local accounts

983
00:31:44,000 --> 00:31:45,279
if you're using privileged access

984
00:31:45,279 --> 00:31:47,679
management store those as well

985
00:31:47,679 --> 00:31:50,720
and don't taunt your pen tester

986
00:31:50,720 --> 00:31:52,559
that's it for this talk i really hope

987
00:31:52,559 --> 00:31:54,320
you enjoyed it again i'll be around for

988
00:31:54,320 --> 00:31:55,360
the next hour or so

989
00:31:55,360 --> 00:32:01,840
thank you so much
