[00:00:00] [Music]

[00:00:06] How do y'all? I'm Sam Moses, and hopefully you are here for "Easy Ways to Make My Job Harder." I'm a pentester, so this is a pentester's perspective on internal network security.

[00:00:19] As I said, I'm Sam Moses. I work at Rapid7; I'm a cyber security consultant there focused on penetration testing. Been doing that for about 4 years. Also did pen testing in my previous positions where I worked at BYU, and also as a student. I've presented both nationally and internationally on a variety of cyber security topics. And yeah, as I said, before Rapid7 I worked at BYU, and noticed some BYU people in the audience. Oh hey, even more BYU people in the audience than I noticed before. And yeah, so I'm a nerd all the way through: sci-fi, fantasy, got my dog, play D&D. Currently I am a dragonborn monk, which is pretty sweet. So yeah, that's basically me.

[00:01:11] So for this talk I'm going to go through and talk about the first common path that I use to exploit internal networks, and then I'm going to individually break it out into pieces and talk about the remediation recommendations for that. And then I'm going to do the same thing with another common attack vector, and then talk about some variations with security in depth and how that would work.

[00:01:36] So diving in. First common attack vector: man-in-the-middle attack where LLMNR is enabled on the network. So LLMNR, or Link-Local Multicast Name Resolution (I always have to read it and make sure it's in my notes because I never actually remember it; I always just call it LLMNR), it's a legacy auxiliary name resolution service for Windows, and it's used to resolve host names before DNS, and so that's part of the reason why it's legacy. Systems configured to use it actually broadcast out name resolution requests, and so using that we can sniff and then poison those requests and actually catch credentials. Then I take those credentials and I use that in an SMB relay attack. SMB is Server Message Block. It's widely used for sharing files, SMB shares, printers, various port services and stuff, so it's used in a lot of different ways, especially on Windows Active Directory domains and everything, and so it's a common architecture that we use. And so once I have the creds with the man-in-the-middle attack, I can then use the SMB relay to relay those credentials, and more often than not I use just the default settings because I'm curious what'll happen. And one of the times, on one of the machines, the creds that I relay have local admin access. At that point in time I have control over that box, and having control over that box gives me also access to multiple different things. And so having control of that box allows me to dump the LSA, which then allows me to check to see if there's potentially plain text creds, and more than once, actually multiple times this year, I found plain text domain admin credentials, and at that point in time it's all over. That simple. One of the times this year I had DA in less than an hour, and that was because I had to let my dog out and she took a long time. Probably could have been faster.

[00:03:42] Anyways. So first step: man in the middle. So the tool that I normally use for this is Responder. If you don't know it, it's a fun tool, look it up, it's great. So as I mentioned LLMNR; there's also, if you notice there, NBNS. NBNS is another legacy system. I feel like I see LLMNR more; that's the reason why I used LLMNR as the main focus of this, because like I said these are the common attack vectors, but NBNS, or NetBIOS Name Service, is the same exact thing: it's a legacy auxiliary name resolution service before DNS. So being able to run Responder, I'm literally just poisoning the network, looking for those requests, and once it's sniffing and hitting those requests it's sending a response back, and so that way I can get them to send those credentials that they are trying to find to my system. And so by doing this I can catch credentials.

[00:04:39] I hit too many buttons. Where am I, right spot? Yeah, yeah. So catch their credentials. The most common one that I end up catching is SMB credentials, because SMB is used a ton on the network for logging on to machines, connecting to services, connecting to file shares. And so it focuses on setting up various rogue servers to connect to SMB. It also does SQL, Structured Query Language; I actually had one where I actually got SQL creds this last year, but normally it's SMB creds that I'm seeing and being able to use. And so once I have the creds... well, start off.

[00:05:24] Remediation for LLMNR: turn it off. It's legacy, don't need it, there's no reason to really have it running. Same thing with NBNS. I have notes there on how to turn it off; you can also Google that, but I made sure to put these in. The remediation steps are going to be a little more text heavy in case anyone wants to take pictures or anything. Also if you ask me, I will just email you these slides. So this is something that will stop me from being able to get hashes. While I'm saying hashes, and before I was saying creds, part of the reason for that is sometimes if things aren't configured properly you can catch plain text credentials too, which makes it real nice and real sweet. Generally speaking though it is configured right, and so it is hashes you're catching.

[00:06:13] So, a gotcha warning. Before disabling LLMNR and NBNS, make sure all your systems are configured to run DNS and LLMNR/NBNS is not being relied on. Chances are that is the case, but double check, because otherwise you're going to do this and it's going to break everything, and you don't want that. So double check that before you start turning things off right away, and make sure that everything is properly configured to run DNS before you start turning things off. But the moment you do this, from my perspective, it makes my job harder.

[00:06:50] So now that we're running the poisoning attack, we're catching credential hashes and things like that, I set up an SMB relay attack. So SMB relay, like I said, it's connecting and doing everything. There are lots of ways to find whether a system has SMB signing turned off or not. So on most systems SMB signing is default disabled; that makes it great for me. There's the other message that I have highlighted here: "message signing enabled but not required." As a hacker, that is the same thing as disabled to me. If it's not required, I'm just going to skip the requirement; there's no reason for me to go through a requirement if it's not required. So those are basically the same thing to me when I see them, and I can go and find those by running... there's an nmap script for that one. There's two, SMB security modes; again, Google's your friend. I think it's literally smb-security-mode and then smb2-security-mode, but anyways, Google, friend. I actually, generally speaking, use CrackMapExec instead to do it. Responder also has a good tool with it called RunFinger. Makes it sound a little dirty, but basically it fingers the host and lets you know information about it. But yeah, SMB signing, as long as it is disabled or not required, I can then use ntlmrelayx (it's in Impacket, another great tool) to set it up so that when Responder captures poisoned hashes I can then forward it to those services that do not have SMB signing required, and I can catch hashes. You will notice that the hashes are not blurred; all the ones that are not blurred I pulled from proper sources online. The ones that are blurred I could not find and made those myself, so if you're wondering about that, those are fine, they're kosher. So yeah, in ntlmrelayx I'm relaying those and I gain access to the machine. It's great. If it's set up properly then I would not be able to do that, because SMB signing would be required.

[00:09:01] Which leads me to the way to fix it. Configure your Windows system so that it is enabled and required. I've seen companies have like all their systems enabled but not required; again, it's basically the same thing to me. And so it needs to be enabled and required. You can actually do it through Group Policy, which makes it nice; can push it all out. Look it up, because these are just some of the basic notes, but there are more in-depth notes walking you through the steps and everything, of course.

[00:09:38] Another gotcha warning though: make sure that enabling digitally signed SMB requests won't break anything. Check all your SMB servers to make sure they support SMB signing (they should). Samba servers as well, you can have them enforce SMB signing as well, so it's not purely Windows; if you got some Linux system that is working with SMB as well, you can enforce it through Samba. So yeah, as long as it is enabled and required, I can't forward creds, I can't use them that way.

[00:10:11] And then yeah, user has local admin access. So once I... by default Impacket's ntlmrelayx will try to dump the SAM. And so often, if I'm seeing enough creds passing through, I will, instead of trying to set up a proxy and everything, be like, curiously, just let it run and see, like, okay, are any of these going to hit and be able to dump the SAM? I am surprised how many times I actually get a SAM. And the nice thing about those types of hashes is they are passable hashes. And so it goes back to the basic principles: review your roles in your organization and the principle of least privilege, which sometimes can be difficult, especially, like, you know, if you haven't done the least privilege principle for a while you might need to audit a bunch of user roles, which sucks, but it is very important to get done and actually secure the network and keep everything proper. Also, if you can, requiring two-factor authentication on some of the more secure stuff can definitely help with that too. So yeah, I think that's it for this one. I don't think there's another one. Yeah, so yeah, review access controls, assign privileges based on those roles, all the basic same least privilege stuff. I really should check my notes more, but I just keep going. That's fine. Okay.

[00:11:40] So once I do that... so as you saw before on this one, great administrator hash there for the local admin, so I can take that, and more often than not also on this one... see, this is why I don't look at my notes, because I know more than my notes. So with the local admin hash, something else I probably should have included in here but I didn't include in my screenshots or anything is: do not use the same local admin on multiple hosts. More often than not, if I get local admin on one host, I take those admin creds, test it against all the other hosts, maybe some that even don't have SMB signing disabled and maybe do require it; it doesn't matter, then I got a passable admin hash, I can start popping those boxes that have the same local admin. And so specifically a test that's coming to mind right now: they only had like eight hosts that did not require SMB signing. I got forwarded; one of them was a local admin hash, and then I used that local admin hash to then pop 12 more boxes. Pop, pwn, take control of, have admin/root access. And so I was able to then from those... so sometimes there's a little bit of steps in between, this is not the same box you're getting all that stuff, but in those 12 additional ones I dumped the LSA and I got plain text credentials for a domain admin, and at that point in time it's game over.

[00:13:05] So LSA, Local Security Authority secrets. It's in the Windows registry; it's where sensitive security policy and information is stored, and it does store plain text passwords. So how do you fix that? There might be a way out there to kind of resolve the plain text LSA; honestly I'm not sure. But again, it goes back to least privilege: do you need that type of account logging in that way? So the first recommendation is limit local admin access. If they can't access it then it's not really a problem. The other recommendation is to limit the impact of the compromise. Windows does weird stuff sometimes that you either have to break it or do other things to make it be more proper, and so one of the things to do is to limit that. You can limit domain accounts in local services. There's probably not a lot of local services you need to use, and then when you do need to connect to those local services, create specific domain accounts for that local service and remove all unnecessary privileges so they're only connecting with that service. And so that means that, yeah, you can maybe go hit services with it, with other things, but you won't actually be able to get any more access, you won't be able to look up anything else. It limits the ability to actually be able to do anything with it.

[00:14:32] Okay, so review. This is the attack path we just went through: man-in-the-middle attack, LLMNR enabled, or NBNS. With that being poisoned, it gives me the SMB relay; being able to relay that then gets me local admin access, and if I have local admin access, and then plain text DA in the LSA, which again, limiting services, there should not be a domain admin account in the LSA connecting through that. But through that we've been compromising (we as in company Rapid7) multiple companies by doing the same exact attack path, which, very quickly, sometimes there's little steps in between trying to figure out how to make it work for their network and different things, but more often than not, using this attack vector we can get DA within the first day of the engagement.

[00:15:27] Okay, second attack path. So Windows null sessions: you enumerate users, so you get a bunch of users. Null sessions is when you're logging in with a blank username and a blank password, so by using both of those and you're going through and doing a null session with Windows, you can enumerate a lot of information, including users. The nice thing is normally you can also get the password policy, which makes it a lot easier to password spray and do things with that too. Which then you password spray with all those usernames, and if a user has a weak password then you all of a sudden gain access to the domain. And once you have access to the domain, one of the popular attack vectors we've been using lately is the Active Directory Certificate Services, AD CS, attack, which I'll be going into more detail later down, but basically by doing an AD CS attack you get back a domain hash that is a passable hash, and then you have... sorry, domain admin hash, which is a passable hash, and then you have access to the whole entire domain again.

[00:16:41] So Windows null session enumerating. What I normally use for this is enum4linux. Great tool, makes it easy, and you can enumerate a bunch of users. There are other ways to enumerate users; I will talk more on that when I'm talking about variations of things. I used this example because, again, going through the most common: at least a handful of internals I did this year had at least one system that allowed null sessions and gave me, even if it's not all the usernames, enough usernames that I could start doing things with it and get further access. And password policy, very nice, very clear; shows a lot of the information and everything in there. It's fantastic.

[00:17:32] So null sessions: you can disable anonymous and null sessions in your Windows servers, especially your domain controllers, which have all the information in the domain, which means that someone won't be able to enumerate all the users in the domain and then be able to start password spraying against them and get further access. Again, for those of you who want to screenshot there, or talk to me after and I can send these to you. But you can do that in Group Policy as well to disable. There's multiple different settings you have to do; it's not just a simple one. Make sure you're disabling all the different features and everything, because sometimes I've gone in, and there's been more than once that I go in and they've disabled some stuff with null sessions but they haven't disabled everything, and so it limits some of the information I can get, but it's still enough that I can start proceeding going forward and continue getting more and more information and enumerating more in the network.

[00:18:27] Password spraying. So one of the things that we do in our kickoff engagements when we're talking to clients is I ask them what their lockout policy is. The reason for this is not just so I can be malicious and password spray and, you know, not cause... and be able to get more information. The main reason is, if I don't know, I will attempt and potentially lock out lots of people on your network. We don't want to do that. We are red team, we are your friends, we want to work with you and help you find these things that help you secure you more down the line. So we always ask what the lockout policy is so we can stay below that and not cause a disruption of services. We're human; if we do, like, accidentally forget to remove duplicates in a name, don't get too upset. Cough cough, never happened to me. So yeah, and if they have a weak password policy, or even if they have a good password policy but their users aren't taught how to do good passwords and so they still can slip in weak passwords, then we can spray and we can easily get a password. Especially if you have a large organization with over 2,000 people, and let's say your lockout policy is pretty good and you only allow three incorrect attempts until it's locked out. If I got 2,000 people, I can run one password against, or two if I'm feeling gutsy; that's 2,000 guesses on people's accounts, whether it's their password or not. That's still a lot, and that's the difference between a spray versus a brute force. A brute force is one account and I'm hitting it all the time with all these different passwords. Spray: one, two, three attempts depending on the password policy, and I can hit those 2,000, 200, whatever it is, employees, and then that's still multiple guesses that I'm making, getting me closer and closer to getting a potential right one.

[00:20:18] So while I mention the lockout policy, and I say under it, lockout policy does help, whether it's five, three; obviously the smaller the better, but you want to stay usable too. You don't want someone to, one incorrect attempt, it locks you out; people are going to get frustrated. You need to make sure you're pairing usability with your security. Three, I'd say, is a pretty reasonable amount. I've seen five; five just makes it easier for me to do more guesses. But have a good lockout policy. It does limit it; otherwise I'd just be spraying all day long, giving me more and more chance of being able to get proper creds. But alerting is the most proper way to go for catching these types of attacks. If you see a single IP attempting multiple login attempts across multiple different accounts in a short period of time, that's something you need to start setting up alerts around. And so that's the best way to catch this, and then you can know and then respond, rather than locking people out too much, potentially, and causing issues that way. So alerting really is the best way to go for this type of attack vector with password sprays.

[00:21:27] So password spray, this kind of ties into the last one... un momento. I feel like in both common attack vectors, part of it boils down to the basics. Like, the other one was principle of least privilege; this one is weak passwords. I'm not going to harp on this too much; I feel like I'm preaching to the choir on this one. Password strength depends on how easy it is to guess. Season and the date is still very, very common. But a good 12 character length password including uppercase, lowercase, digits, special characters; it's all the same stuff
[00:22:14] Admins, at least 16 creds, just to be a little more secure. Not 16 creds, sorry, 16 characters. The other thing with this too, which I don't know which one's the best one to bring this up with, but I'll just say it now: separating your regular account from your domain admin account is also a recommendation that we have too. I don't think I included that one in the slides. If you are a domain user... not everything you need to, I mean, sorry, if you are a domain admin, not everything you need to do is as a domain admin. When I was a system admin I had two different accounts: one when I would need to do admin work, one that I needed to do more regular work, maybe with a little bit more privileges because, you know, you are doing working things, but I kept those accounts separate with different passwords. To help avoid, because if you're using the one that isn't domain admin for most of your work, even if they get it, yes, they will have access to more stuff than you want them to have access to, but they won't have access to the full domain yet. Separations like that can really help secure your network. But yeah, forgot to include that one in the slides.

[00:23:17] The other one is use an enterprise password database. Users are lazy and honestly I can't blame them. How many of us have written a short little script or something to make our job easier because we are lazy? I call it efficient, but, you know, different people. So enterprise password database: if you make that, they can have one really good strong password with really strong requirements, and then you can have them autogenerate all their other passwords, random, secure. I mean, you can have good technical controls over that to make sure that they're having good passwords and everything like that. And so by doing that it goes beyond just the training; it's like, make sure you have a good password you can type in on this, and then you can have a password database so they don't have to remember 20 million passwords. Because if I had to remember 20 passwords I would be trying to find easy ways to remember them, which is going to decrease the security. We need to pair usability with security when we're doing these things, and the password database is a good way to do that.

[00:24:20] And so at this point we've enumerated users, we've password sprayed, and because there were weak passwords we were able to guess a user's password. So now comes the ADCS attack. So the nice thing about the ADCS attack from my side is that it's a non-privileged domain user; they don't really need any extra privilege or anything. And then I can run a PetitPotam, that's another great attack vector and great tool to use, and you can send that attack to the domain controller and it will return an NTLM hash. ...Moment. Sticking introverts up here and talking is way too much.

[00:25:08] So, Active Directory Certificate Services, for those of you who don't know what it is: it provides PKI, or a public key infrastructure, for private networks, and it can be issued to trusted certificates and managed devices and things like that. And then it can get tied in to Active Directory Domain Services, which is where Active Directory Certificate Services comes from; it's the combination of those two. And so when it does that, on the authentication method, it can be an Enterprise CA, certificate authority. But the misconfiguration of that, and there's lots and lots of misconfigured ADCS out there in the world, can allow a malicious actor to gain domain-wide privilege escalation.

[00:26:08] So the next step of the attack after I do the whole PetitPotam, and this is me confirming that the NTLM hash is actually properly coming back, that's Responder that I showed you guys before. We then send that and enumerate the Active Directory, the certificate authority certificates, and I'm looking for information. The main one that I've used, again there's lots of different ones, but the main one that's being exploited most that I've seen today is ESC8. It's web enrollment enabled and it requests a certain disposition. So I'm looking for one running ESC8. The nice thing is with these tools, Certipy is the one that I'm forwarding the NTLM hash with to get the information, it will print out which ones are vulnerable, like there at the bottom. But also if you have to do it a more manual way as well, you could just check for web enrollment being enabled and request disposition is Issue. And so looking through and finding all the information is basically what you're looking for, trying to make sure... yeah.

[00:27:25] And so at this point now we know the PetitPotam command works, we got the CA configuration, and we found one that should be vulnerable. And so next we need to actually exploit it. Oh yeah, one more step actually. So once you know that it is exploitable, I'm going to look through all the ones that are exploitable and I'm looking for it to be enabled, but also for the enrollment rights there at the bottom, because I want one that is enrolled on domain controllers. The reason for that is because the certificate authority, and the thing that we're trying to get from that, is going to be a private key, which when it's set up with ADCS can be used to actually log into things, as an alternative way to actually using like an NTLM hash or, you know, passing the hash or credentials or anything like that. And so that's what we're trying to do. So as long as I find one that's enabled and one that's tied to domain controllers, using a Certipy command I can go and get a certificate, which then I again relay, with the PetitPotam and Responder, I'm relaying that NTLM hash again, and I am getting that certificate information. And once I have the certificate, then I can use that and the private key, because it is integrated in Active Directory Domain Services, as an alternative authentication method.

[00:29:06] So once I actually have that, then I can just take that key and forward it over, and now I have all the pieces: the relay, Certipy, the .pfx key, and I can get the NTLM hash, which instead of having to relay I can just pass the hash. And as you can see here I'm getting the hash for the administrator on the domain corp.loc, and so at this point in time I actually had the domain admin hash, and so I had domain access to everything.

[00:29:41] So this is the remediation stuff. That attack is much more involved, so I went a little bit more into it with everything. Yeah, so Certificate Authority Web Enrollment and Certificate Enrollment Web Services: if they aren't needed in your organization you can uninstall them; they aren't needed in a lot of situations. If you can't uninstall them, and maybe it's needed but it's only needed for limited things, use an allow list and a deny list and limit the access to those services. There's also Extended Protection for Authentication for ADCS, and there's different ways to do that. So the steps to actually do these things are much more involved. If you want to screenshot or take a picture of that, searching this type of information will get you closer to finding the full list; I was not going to put the full list of information in the slides for these ones. Additionally, you can disable NTLM authentication on Windows domain controllers and ADCS services. So if you remember, everything we started with was just getting an NTLM hash and then being able to relay it. So as an alternative method, the other steps would be good to take care of too, but this would make it harder, because I'd have to find a different way to get that NTLM hash to do these things. And so the whole thing is trying to make my job harder. We're hackers, we're inventive, as we talked about this morning and everything; we will try to find a different solution to the problem. But the more ways you make it harder and the more ways you make it secure, the better it is for you guys, and hopefully it'll reach the point where it's hard enough that the hacker is just like, this isn't worth my time, and leaves. But yeah, so that is ADCS.

[00:31:31] So, common attack path, this is the review of the second one. Windows null sessions: we were able to enumerate users with that, and then we performed a password spray. With the password spray we were able to find some users with weak passwords, and then because the user had weak passwords we were able to perform an ADCS attack, which was the whole attack vector that we talked about, getting the administrator NTLM hash, into the certificate authority and then back, and then we are able to actually get domain access to the whole entire domain. So those are the two most common attack vectors that I've seen used a lot by me and my co-workers, colleagues, colleagues, right, because it's not just in Rapid7. And one of them, ADCS, I feel like has become a lot more popular over the last year, and the other one has been popular since I was in college, so that's one that's still existing out there that, if we could do better at, that'd be great.

[00:32:42] So the next thing we're going to talk about is a little bit of security in depth. So everyone should be pretty used to this: security in depth, you need to have layers of security, blah blah blah, you're used to this, I'm not going to do the whole spiel for you guys there. But we will talk about a little bit of variations and why security in depth is important. So let's say that you get approval and you get to turn LLMNR and NBNS off, and then you also make sure you have SMB signing turned on for all your machines. Great, that is fantastic. If I can still enumerate users and then password spray, and your users have weak passwords, and then one of those users has local admin access, you haven't really stopped anything yet. Or let's say that you made sure all your users have very limited access and everything; you can go vice versa: if I can man in the middle because you didn't fix that LLMNR, and then do an SMB relay, then I can potentially connect that through and use that user's hash and credentials or anything to be able to start connecting and doing an ADCS attack. And other option two is, if you get SMB relay fixed because you made sure all the signing was required, but you have LLMNR there and weak passwords: if I have LLMNR and I'm poisoning, I'm getting hashes, I can take those offline, crack them, and then start using them in all the different ways as well too. Security in depth is important; you need those layers to be able to help against these variety of different scenarios. These were the two most common scenarios that I used, but there's multiple variations of them too. Windows null session is the one I use for this, but OSINT to find people's usernames, then use Kerbrute to test the usernames against Kerberos and confirm which ones are valid. I mean, I have a file that I use that has, I think it's like 49,000 usernames, which are literally just generated from first letter and, I think it's like, the 100 most common first names and 100 most common last names. Because using that and using Kerberos I get at least a handful of accounts every single time I've used that, because maybe the company does have pretty good OSINT protection and various other things. And then if they do that, but they have bad passwords, then I spray, I get some creds, and again it escalates and starts spiraling and going down there.

[00:35:11] So security in depth: we honestly have an easier job than you guys. We don't have to, I mean, we try to think of all these scenarios to try to help you guys as much as we can, but you guys have the multiple layers to put in protection. I mean, I did blue team security and incident response for years, and so that job is a lot harder, because we can find a different way to wiggle here and wiggle there, and that's why we're trying to help with being able to find these ways and let you know where some of those key points are. So that's why I'm trying to relay the two most common attack vectors.

[00:35:50] So, blue team, red team: while we are pentesting we are, quote unquote, opposite sides, but really we're all on the same side here. More often than not, if I'm pentesting a company that has really good security, I'll let them know, like, yeah, when I have my red team hat on I am frustrated as hell because you did all this security here, security here, or like you blocked this step here so I had to figure out a way to go around here, and like it is so frustrating. But the moment I'm done, it's just like, put on my blue team hat, just like, you guys did a really good job here, you guys did a really good job there, and it's great to see when those things are happening. With my red team hat on it could be frustrating as heck, but we're all really on the same team here, as long as you're not black hat; if you are, go away. But we're all really on the same team here and we're all trying to help each other out. So during the engagement, yeah, we maybe are on other sides and everything, but we're really just partners trying to help each other out here.

[00:36:45] Okay, so if I remember right I've got like 10 minutes left, right? Yeah, okay, perfect, that's where I tried to hit it. Cool. So I don't know if I'll be able to answer them, but if anyone has questions, red teaming, engagements, various variations or anything like that, I did try to leave around 10 minutes of questions so people could ask. Yes, and I'll repeat the question. And if not, we can also get out of here early and change, so it's up to you
[00:37:18] guys. [Audience question, partly inaudible: "...a test for you... come back and find out you're not..."]

[00:37:44] It depends a lot on upper management's view, which you try to do your best to change. So like in our reports, or like in our debrief calls, sometimes, like, if I see LLMNR, NBNS, and the whole entire time I'm there I don't catch any hashes, right, because, while I see the traffic, none of the traffic's running creds or anything like that, so I can't really poison and catch that because there's not those types of connections being made, I will highlight in the debrief call, like, while I did put this in as low risk because no credentials were found, if creds were found this is what could have happened, to let them know. Because the other thing is, we are in a time-boxed test as pentesters, so we're limited on time, resources and things like that. Like, I've done a 3-day internal where I was really frustrated because I got creds, no, I didn't have creds, I got hashes through LLMNR, and I was relaying, but the relaying was having some issues, and so finally when I got to relay, the creds that I kept catching didn't have the access. Which could be great and fantastic, and maybe they actually had it set up where, like, it was a legacy system, so it couldn't have the access needed for the SMB relay to be able to do a proper connect and everything like that. If that's proper, great. If it just happened to be no one was in the office this week and then everyone else had creds, then potentially it's a huge vulnerability for them still. So we include those in the report; we also do an assessment storyboard to try to highlight, like, these are the things that we found and potentially could go, and you discuss that in the debrief call to let them know, like, because we're in a time-boxed test, but if I'm a hacker I'll just let that stuff run the whole time in the background and see, and eventually, like, if I get one domain admin on there that's running at that time... oh, do I need to move over here for a camera or something? Sorry. Then yeah, if the one domain admin, once is enough to be able to get creds and everything. So I mean, there was one company that I spent the whole entire time not getting domain user or anything like that, domain admin, trying to get creds, which was super frustrating for me, and then I think it was the next year I had them again, expecting slightly the same results; domain admin happened to get on because they didn't really change everything even though we recommended it, and domain admin happened to get on the first day and I had completely pwned them at the end of it. So it's like, just because legacy things are there and we don't catch it during the pen test, we're limited on time, doesn't mean that the vulnerability and the way to spiral down isn't there.

[00:40:28] Generally speaking, if we do catch it and stuff, they at least try to put some safeguards and everything like that. We'll try to find ways around it or maybe a different way in, but generally speaking, from what I've seen, they do try to do what they can to fix it. Any other questions? I think we've got, yeah, we still got time. Yeah.

[00:41:01] LAPS, okay. How effective is LAPS, LAPS, Local Admin Protection Service, right, at mitigating the local admin rights? Honestly, I haven't used that very much on my blue teaming side, so I can't really answer on that one. My guess would be that if it's there and it's a tool, hopefully it helps, but people find ways around things, so you've always got to be careful with that. And sometimes exceptions are put in, and if exceptions are put in, maybe those exceptions don't need to exist down the line, so that's one of the reasons why auditing user controls fairly regularly is important too. Any other questions? I keep looking down because the lights they have there are so bright; not trying to avoid looking at you guys. Okay, I'm not seeing any hands, so if you have a hand, hoot and holler. Sweet, I think we'll get out five minutes early because I don't like holding people beyond what they're needed, so if you guys have more
00:42:12,920 questions you don't want to raise your 1029 00:42:12,920 --> 00:42:14,760 hand I'll be here so feel free to come 1030 00:42:14,760 --> 00:42:16,190 up 1031 00:42:16,190 --> 00:42:22,400 [Applause] 1032 00:42:22,400 --> 00:42:25,400 thanks