./kedeshur

thoughts on things

Security

5MCT - Assumed Breach: A Better Model for Pen Testing

Mike Saunders is a principal consultant for Red Siege Information Security who will be sharing his thoughts with us on how to approach assumed breach scenarios in a way that’s intended to resolve current issues with today’s pen testing. A large part of this con talk focuses on tools that get used during these assumed breach scenarios.

5MCT - Active Defense: Web Apps Dripping With Honey

Honeypots are dead easy, and, if used appropriately, honeypots can be implemented on existing infrastructure (overlay honeypots). Attackers will trip over honeypots, which will slow attackers down and make detection easier and quicker. This five-minute conference talk discusses some clever methods of implementing honeypots on existing infrastructure, which will give readers multiple response options to confuse, frustrate, and drive the attackers to tears!

5MCT - Baselining Behavior Tradecraft

Dave Kennedy is closing the talks out at WWHF 2019 by sharing knowledge related to how he’s been approaching the last 10 security assessments that he’s been on. He shares ideas in this talk about how one can include social engineering considerations when performing security assessments by tailoring the way in which the system is being controlled so that the contents of security alerts (if the attack behavior is detected) have a higher likelihood of leading a Security Operations Center to a conclusion that is beneficial to the attacker (e.g. the detected behavior is benign).

5MCT - Hacking a Security Career

Deviant Ollam owns multiple security consulting companies and put together a great presentation for the 2019 Wild West Hackin’ Fest. He’ll be walking us through the dos and don’ts that he’s discovered. While I usually feel like I’m capturing the essence of technical talks, talks like this one by an engaging speaker like Deviant are best viewed in their entirety. Nonetheless, the ideas he shared are worth attempting to summarize. To start, there are multiple thoughts discussed by other people that influenced this talk.

5MCT - The Backup Operators Guide to the Galaxy

Dave Mayer specializes in red teaming and pen testing. This talk came out of only having a limited number of ports (135, 139, and 445) available on a domain controller during a pen test. Null sessions were identified, domain users were dumped, and the only account recovered was the Backup Operators account in the Backup Operators security group. Typically these accounts have been around for years, haven’t had their password changed since creation, are used to back up a large number of systems across the domain, and may have been migrated from one backup solution to another. Let’s look at how to abuse these permissions to obtain unauthorized access.

5MCT - Movement After Initial Compromise

SleepZ3R0 and HA12TL3Y step forward to share some knowledge regarding what to do after an initial compromise. Initial access is typically obtained through phishing or physical attacks, such as a USB Rubber Ducky, which masquerades as a keyboard with payloads that are auto-typed on device connection. Initial recon once on a compromised system, lateral movement, port forwarding, tradecraft evasion, and tools in use at the time of the talk are discussed.

5MCT - Attacking Azure Environments with PowerShell

As companies deploy and use Microsoft’s Azure cloud services more, the cloud platform becomes more of a target for threat actors. By default, all domain user credentials have access to the Azure Portal, which contains information that is useful during a pen test. This information can be accessed through the web interface, a REST API, or PowerShell cmdlets. PowerShell cmdlets use integrated auth, return pipeline-able objects, produce malleable output, and handle large data sets at scale, so they are preferred.

5MCT - If We Win, We Lose

For the first 5 Minute Conference Talk (5MCT) series, Tim MalcomVetter — Director of Red Team Operations — shares ideas on how an internal red team can best provide value, how that value can be measured, and characteristics of common security postures found at companies. While originally presented in the context of an internal red team, the ideas are equally useful for how a penetration tester interacts with their clients.

5MCT - Esoteric Hashcat Attacks

Evil Mog brings us some thoughtful password cracking techniques from DerbyCon 2018. These attacks take a candidate list of passwords, mangle the passwords in creative ways, and then pass the more robust results to hashcat. One should have a good understanding of the hashcat-utils functions for cutb and expander, PRobability INfinite Chained Elements (PRINCE) Processor (pp64.bin), hashcat, and the bash scripting language.