Pen Testing: Lessons Learned Webinar Transcript

Lisa Remsa [00:00:07] Good morning, everyone, and welcome to today's TRUE Talk Webinar. We want to thank you guys for joining us. My name is Lisa Remsa and I'm the Marketing Manager here at True Digital Security, and I have the distinct pleasure of being today's webinar host. Today we are presenting "Penetration Testing: Lessons Learned" and it's going to be presented by Josh Bozarth, our Security Testing Services Manager and Aaron Moss, TRUE Security Consultant.

Lisa Remsa [00:00:30] Just a little housekeeping before we get started. If you guys have any questions during the presentation, please feel free to type them into the question box in your Go To Webinar control panel. We'll try to address all the questions at the end of the webinar. Also, there will be a special offer extended to today's attendees at the end of this presentation. So, please stick around to hear more about that. There will also be a recorded version of this webinar available on demand. After the presentation ends, it will be immediately available. You can either use the same registration link used for this live session or you can visit And all on demand recordings are available there as well. So without further ado, I will turn the time over to Josh and Aaron.

Josh Bozarth [00:01:16] Thanks, Lisa. Good morning, everybody.

Josh Bozarth [00:01:20] Thanks for joining us for another look at the lessons learned that we've picked up over the past year with our penetration testing. My name is Josh Bozarth.

Aaron Moss [00:01:32] And I'm Aaron Moss.

Josh Bozarth [00:01:33] And Aaron is my cohort and fellow hacker, I guess I should say.

Aaron Moss [00:01:40] Hacker in crime. No not crime. Actually, we do this legally.

Josh Bozarth [00:01:43] Yeah, he doesn't go to jail yet.

Aaron Moss [00:01:44] Not yet.

Josh Bozarth [00:01:46] So we're going to introduce ourselves and then we'll get into the meat of the presentation.

Josh Bozarth [00:01:58] Like I said, my name's Josh. I am the Security Testing Services Manager for True Digital Security. It's a fairly new role for me. I have managed folks in the past, but it's fun to work with them side by side while also kind of helping steer the direction at the same time. My history is varied and long. Like most security folks can have from a history standpoint, because we're old enough that cybersecurity degrees didn't exist when we were younger.

Josh Bozarth [00:02:31] And so I have a Bachelor's in news editorial journalism. That's a long story that is saved for another time.

Aaron Moss [00:02:40] But cyber security wasn't a thing whenever you were in college, like one hundred years ago.

Josh Bozarth [00:02:44] Yeah. Back in, back in 'Nam.

Josh Bozarth [00:02:49] So, yeah, I have a journalism degree, but never really used it. Switched over to working in the industry with system administration and engineering Windows Unix Linux. I spent a lot of time in data centers building things, architecting things and then transitioned to auditing, which did eventually lead into the security space.

Josh Bozarth [00:03:14] And so where I've been here with TRUE for a little over four years, getting closer to four and a half, and had a great time since I've been here. It's great fun.

Aaron Moss [00:03:27] And again, I'm Aaron Moss @Bl0ckbuster on the Twitters. And that is a zero, not an "O". Got to point that out. People people don't they don't see zero. Hey, I started out in helpdesk whenever I started my career.

Aaron Moss [00:03:41] I actually do have a degree in information systems security, although it's... I'm not sure that it's really worth anything, because of where it came from. But that's another story from the time. I graduated from Help Desk in the system, in network administration and virtualization administration, basically much like Josh, architecting and building out basically small organizations, servers and their entire networks and stuff like that, and eventually became an I.T. director and then worked my way into a security consultant here somehow to Josh's dismay.

Aaron Moss [00:04:16] So now, as he said, we're both professional hackers and this is kind of what we've learned over the last year of doing our penetration testing.

Josh Bozarth [00:04:29] So, you know this. This will give you kind of high points in case you want to check out during the rest of the webinar, so we're gonna talk about some high level lessons that we've learned over the years.

Josh Bozarth [00:04:41] We specifically mentioned 2018. But now that we're getting ready to hit March in 2019, the points that we're talking about have shifted or changed a whole lot. So I do want to point out that a lot of these are related specifically to network penetration tests.

Aaron Moss [00:04:59] There are some level of web app testing in there, but mostly this is related to network penetration tests because that's a large portion of what we do.

Josh Bozarth [00:05:09] And the wild variances with web app testing can vary. Obviously, we have OWASP models in the Top 10.

Josh Bozarth [00:05:19] You know that when we do our web app tests. So, you know, cross-site scripting and our SQL injection, those types of things, they're still prevalent. They're there, obviously, but we're not going to be talking a lot about that today. But also, those things can manifest themselves in way different ways than what we see commonly on the networks.

Aaron Moss [00:05:38] Right. And if you guys want us to do a web app pentest talk, then let Lisa know in the comments.

Josh Bozarth [00:05:44] So, Aaron, our pentests can cover a lot of different industries. We have clients that are in the retail, as you can see, technology, financial, medical. Energy is big here in Tulsa, where we're both...Aaron and I are based out of Tulsa, Oklahoma. But we also have public sector, and there's an increase in governmental type things that we're working in as well.

Josh Bozarth [00:06:09] So let's talk about the first lesson that we're going to talk about today.

Aaron Moss [00:06:14] Patching is not optional, people. It's still an issue. So many times we get on a penetration test. There's just computers everywhere that are missing random patches. The worst offender at this point still seems to be MS17-010, which, if you're not familiar with MS17-010... It is a remote code execution vulnerability in a Windows server from the effects up to what, 2008 or 2002, I think, if not yes, beyond and 2003, 2008. And it essentially basically allows us to get system on a machine that's not patched. It's very quick, very easy, and it's very reliable. And from there, we can pretty much go from zero to safety administrator on the known domain. Lot of times we find it on noncritical servers, because a lot of organizations don't feel like that. And if it's a non-critical server, then clearly it's not.

Aaron Moss [00:07:19] It doesn't need to be patched as often. They don't pay that much attention to it because it's not critical. A lot of forgotten servers that are out there. I've been on numerous penetration tests over the last year that people were like, you found that server. Where did you find that server? And it's 2003 Windows 2000 server because their network is so large and they just forgot that something existed. And it's just sitting there running. Workstations are prevalent with Windows 7 workstations still, because quite frankly, even though you have WSUS set up, WSUS isn't perfect, especially if your domain group policy is not working correctly on a workstation. It happens less often on the servers, but that's because you have less servers than you have workstations and you got a lot of issues with third party apps, of course, like Adobe, Java, Microsoft Office, et cetera. And I will say that there's a lot of missing patches sometimes on critical servers. Oracle, I'm looking at you, because you can't patch Oracle without taking it down in many places. That's the primary critical point. If you take down Oracle, you're going to lose hundreds, thousands, possibly millions of dollars per minute, per hour, whatever that is down. So patching, please patch. Please patch. So I'm going to interject here, because you were talking about systems that were your clients would be like, oh, how do you find that? We didn't know that was there. And so we'll give the benefit of the doubt to the clients.

Josh Bozarth [00:08:53] OK. They didn't know that. I actually had a pentest where I had a system that was on the network, and it had this MS17-010 patch not applied. It actually didn't have a lot of patches applied. And this is a, you know, we tested this client for years. And I'm like, where did this system come from? Find out that they turn it off right before I do the test.

Aaron Moss [00:09:15] Oh, and they forgot to turn it off this time.

Josh Bozarth [00:09:17] Yeah. They didn't make the window. And I'm like... they told me. We were laughing about it. And I was like so, yeah, we can appreciate that you're trying to make things better.

Aaron Moss [00:09:27] No, hang on for a second. If you turn it off for the pentest, but you turn it back on after the pentest, clearly it's not a critical server. Why is it on in the first place? What does it need to be there?

Josh Bozarth [00:09:37] It was a very, very specific role and it really only needed to be on for like 15 minutes once a month. It's like a payroll type thing.

Aaron Moss [00:09:45] Really?

Josh Bozarth [00:09:46] Yeah. And I'm like, can you guys figure out a way to at least update it?

Aaron Moss [00:09:49] Seriously? Like, patch the machine. Leave it turned on or whatever?

Josh Bozarth [00:09:53] Well, they had problems where they did patch it and it just broke everything.

Aaron Moss [00:09:56] ...blew up?

Aaron Moss [00:09:57] And that's another thing that we've experienced, too. We've heard from so many of our administrators that we have patched this. I think I had one just a couple of weeks ago, as a matter of fact, said, hey, we've patched this. But every time that we patch it, it blows something up. And so I want to say it was like an unbiased system. They patched an unbiased system and it blew up the call center. And it was a major problem for them. And so they had to get in touch with the vendor to say, hey, every time we try to patch this, it blows up our application. What can you do? And so sometimes that's something that needs to happen. You know, as administrators, we have to get in contact with the vendors and say, hey, I'm having an issue and I need you to fix this as the vendor or, you know, we need to figure out some other solution.

Josh Bozarth [00:10:45] It really comes down to... We want the client to at least appropriately assess the risk that's involved with this. And, you know, sometimes you just can't do it. But there are ways... there are controls you can put around these unpatched systems if you absolutely have to do it. You know, I think about SCADA and all that jazz, but.

Aaron Moss [00:11:03] Right.

Josh Bozarth [00:11:05] Yeah. We want. We want. When we come in, we want our clients to be able to assess the environment and approach it with care, but also with the realistic expectation. Like you're not going to be 100 percent secure. We all know that. And if you think that you can be, that's crazy. But we also want to be able to move forward with making things better for everybody. And that sometimes requires some heartache and pain. But that's what we're here to help guide you through that.

Aaron Moss [00:11:39] Right. And we're here to help guide you through that as well. Not just pentest, but we have other pieces of TRUE that can help you maintain your networks as well. And we'll get to that later.

Aaron Moss [00:11:54] OK. So we talked about 17-010, but this is kind of an idea of what happens when we get access to one of your systems using this particular vulnerability. Whenever we use 17-010, we have NT authority system access. And I'm sure many of you understand that that's like beyond the administrator level. You are literally running as, I mean, for lack of a better term, you're kind of running as the kernel. And so we don't only gain access to your server, we get access to all your data. We've got access to your credit cards, your personal identifiable information, such as Social Security numbers, email addresses, home addresses, names, etc. And PHI, which is, as you see there, HIPAA Protected Health Information. So medical records, shot records, other information that we probably can't mention here because of NDAs. But all it really takes is just that one missing patch on one server.

Josh Bozarth [00:12:57] And let's not you know, people are you. Well, if it's that one server like my example, the one server that was on for 15 minutes a month.

Aaron Moss [00:13:05] Right.

Josh Bozarth [00:13:05] Ah. You know, they kept it on accident. But the people are like, well, that's not that's not that doesn't have sensitive data on it. All it's doing is sending out emails. Doesn't matter. Yeah, it doesn't matter because it's the foothold that we get when we have that level of access. That's where we start getting those credentials. Oh yeah. That's where we can see your domain administrators. But most the time they're logged into these systems and we can capture that. We use a contractor password or use their password hashes and roll through the network. And it's we've got everything we need at that point ready to get things like credit cards, API.

Aaron Moss [00:13:38] And the thing is, is sometimes it's not just one missing patch. I will say that sometimes that one missing patch will get a low level of access to something and it may take us a little bit of work. But generally speaking, if we can chain several low level vulnerabilities together, it turns into a major critical vulnerability overall.

Josh Bozarth [00:13:59] This is a screenshot of kind of showing that we're using Metasploit basically to pop these boxes with the MS17-010.

Aaron Moss [00:14:07] This is yeah. This is what Metasploit actually looks like. Whenever we run the exploit itself against a server and then as you can see, if you look towards the bottom, you can see that we have a shell and it says, Who am I? NT system or NT authority system. So this is the kind of access that we have once it's exploited.

Josh Bozarth [00:14:27] And this is something that anybody can play around with and try because it's Metasploit that's freely available. So you know, you can set up your labs with unpatched systems and have a field day. They Metasploit's great about for training purposes, they provide virtual machines to do all this.

Aaron Moss [00:14:43] Also, I want to point out that one of the ways that we do a lot of the scanning for 17-010 is using Metasploit because Metasploit has a built-in 17-010 scanner that literally you hand it a subnet and it goes through and checks every computer in that subnet and says whether or not it's possibly vulnerable or if it's not vulnerable to 17-010. And outside of normal patch management using WSUS, using the Nexpose. No, that's a vuln scanner, but also using your regular patch management. Use other tools to check to make sure that your patch management is working.

Josh Bozarth [00:15:22] So you'll have everyone has probably their patch management systems like WSUS. Or maybe a third party patch management tool. We recommend Guaranteed Networks. We have what we've got. TRUE has their own set of patch management utilities on the TRUE IT side as well. But regardless of what you're using, what Aaron said is important too. Can you validate that these patches are done? And that's where things like vulnerability scanning can help you because those things are designed to look for whether or not something is actually applied. Sometimes these patch management tools, they're just designed to push the binaries and install the patch, reboot the machines and it's done and kind of keep track of it that way, but maybe not necessarily validate that it's still exploitable or it's still vulnerable to an issue.

Aaron Moss [00:16:10] Correct. And as it says, you know, one of the things that we noticed is that a lot of time will run up against something that administrator and administrator doesn't notice systems there. So asset management, to go back to the last slide or asset management is a super important part of patching, because if you don't know what's on your network and you don't shut down what you did, you don't need, then you're gonna be vulnerable. The system, your hand, vulnerable systems on your network.

Aaron Moss [00:16:40] Yep, so asset management, Guaranteed Networks. Call us for a quote.

Josh Bozarth [00:16:49] All right.

Aaron Moss [00:16:50] I've been told I have a face for radio. So this is perfect. Lesson number two, passwords. You are the weakest link.

Josh Bozarth [00:17:01] Yeah, I'll talk about it. So it's not. You would think that in this in 2019, that people have changed their passwords from the defaults. No, no, unfortunately, we still go come across this. We still come across here. You know, you've got a Tomcat manager that stood at the default credentials. You've got a lot of common things that we see are like, well, we have a bullet point in here. All these different accounts we have...

Aaron Moss [00:17:33] These are just a few random default credentials.

Josh Bozarth [00:17:39] IPMI back ends, you know, like your out of band management systems are usually set up with default creds. Most of the time.

Aaron Moss [00:17:47] Even though they're on as if for it, they're still vulnerable.

Josh Bozarth [00:17:52] We can find issues with I mean, printers are a huge.

Aaron Moss [00:17:57] Oh, printers are great. We'll discuss that here in a second.

Josh Bozarth [00:18:00] And yeah, so it's SNMP, community strings. We get a lot of information with that. We can also modify information, but we don't tend to have to do that as much. But these generic public and private as your community strings. We're trying to get folks to either, you know, use complex strings because people don't need to use those strings that these are designed for tools to pull the data to monitor and poll devices. And that's just not something that a human really needs to worry about. And so generate the stronger strings that can be, you know, that are a can't guess them by just guessing.

Aaron Moss [00:18:36] And we understand that a lot of IoT devices that there may have limitations on your string. So if you can do something like a password manager, that'll help mold cabinet later. This is an IPMI module for a Lenovo server that had default credentials on. Essentially what you'll see is that if you look very carefully, you can see system information, power actions and remote control power actions and remote control. Two things I really want to point out, because power actions means that if we drop that down, we could shut down that server completely and then anything that's running on it. And this is a virtualized server. So it probably had I don't know exactly how many servers I have on it, but I'm guessing for this environment, upwards of 20. If any of those servers were critical and I shut down this hardware, your entire environment goes down and you're still trying to figure out what happened. You've just lost a ton of money outside of that remote control. Now I have access to the actual hardware itself through a Java console. And yeah. I want to do something to your VMware server really bad, I just do it through that. All because of default credentials.

Josh Bozarth [00:19:45] Or it could be. It may not be a virtual host. It might be just a standard Windows machine. If so, then we've got, you know, kind of a keeping them into the to that system.

Aaron Moss [00:19:56] And then we've just gone from having zero to whatever is logged in there again.

Josh Bozarth [00:20:02] Yeah.

Aaron Moss [00:20:05] This is a printer. This is actually a copier, but the same principle applies. This has default credentials on it. It was admin admin, if I'm not mistaken. What I want to point out is if you look towards the bottom, you'll see the remote one says "allow the following network folder to be used as a destination SMB". So it is connected to a Windows share. The network path, which is the exact location on the server where it was pointed to, but the log in, username and password were incredibly informational here because they were set up as a domain admin and it was in plain text.

Josh Bozarth [00:20:42] So you got two factors that are its problem there. One, you're using a domain admin to connect this printer to the network. A: don't do that. And then B: you get the printer, the printer manufacturer that doesn't know how to code passwords into their back end. So we can see them plain as day. So you go to two different entities are kind of causing a even worse problem going forward, because when we log into it with default creds, you got default creds, you're using a domain admin and then we've got the printer that can't mask passwords appropriately.

Aaron Moss [00:21:18] Well, and it masked them but it was just that we could unmask them because da da da da da da star is just something set up by the browser.

Josh Bozarth [00:21:27] So, yeah, there's no protection to it.

Aaron Moss [00:21:29] None.

Aaron Moss [00:21:33] Oh this is fun. OK. Yeah.

Josh Bozarth [00:21:34] This is continuation, so we're moved on from default credentials. Let's say you've changed your password. OK, great. Well, tell us about password cracking.

Aaron Moss [00:21:44] I'm not even talking about password cracking.

Josh Bozarth [00:21:45] We haven't got that far yet.

Aaron Moss [00:21:47] Yeah, we're not that far yet. We're going to get that in a second. This is more related to Skype for Business. So Skype for Business has a wonderful flaw in it. That's what we'll call it, a feature because at last, what Microsoft, that's what they call it. As it has a race condition that once it attaches to an Active Directory server infrastructure, you can basically password spray, which means you can use one password with multiple user names to basically try to identify legitimate user names on your Active Directory network externally. So if you have a Skype for Business server that sits on your external network that's publicly available to the Internet and I can access the there's a specific, specific link, the URL that you go to with it. But basically it popped back with a credential box where you can put in username and password. There is an attack called LyncSmash that you basically go out, hand in one password and throw a whole bunch of usernames at it. And depending on the time that comes back, the quickest times that come back show basically that this is a legitimate user name. And then the slower times say this is not a legitimate user name. Granted, this takes a lot of time, but once you have legitimate usernames for your network externally, then we start going after it with stuff like password one, summer 2018 one, summer 2018 bang, then winter 2019, any season, year, whatever. And adding a special character or two at the end of it doesn't make a whole lot of difference because we could probably guess it.

Aaron Moss [00:23:25] Yeah. So the reasoning behind this is we are humans and we can't remember anything. And so in order to make a password that's somewhat functional for somebody who has to change it every 90 days, this is what ends up happening. So though, you know, they'll have their favorite sports team and then whatever the month is or whatever the year is or they'll do like this with the season. These are this is really bad, but we'll see variations of this. Right. And and and everyone's trying to be creative with it. And that's that's fine. But in the end, we need to get things that are a little more complex, that aren't real guest dictionary type words and especially don't put the company that you work for in the password, because that's going to be another option that we're going to check for.

Aaron Moss [00:24:08] And this is we're looking specifically at I.T. administrators or the helpdesk who are setting up passwords for the new users or resetting passwords and then not saying, hey, you need to change this password immediately or don't use any of these passwords or anything like it, come up with something different or come up with something random and then somehow get that information to the user in a secure fashion.

Aaron Moss [00:24:32] So this we want to talk about the tools of the trade. This is password cracking. This is basically once we've gained access to your network, we've actually got all of the we've gained access to domain admin. We've pulled down your entire Active Directory.

Josh Bozarth [00:24:47] Or we may have one hash.

Aaron Moss [00:24:49] Or we could just have one hash. Right. It just depends on how far we've progressed in the pentest. But with Hashcat, we have about a five thousand dollar cracking rig here that cracks passwords anywhere from I mean it's ridiculously fast too. They've gone to plaid. And if you got that reference, congratulations, you are a Spaceballs fan. Mimikatz is fun because instead of having to crack a password, basically we use Mimikatz once we get on a system to grab the plaintext password directly out of memory. Windows stores a lot of these passwords in memory. They've actually fixed a lot of this to a degree in Windows 10. It's got a whole lot better. I think Windows 2012 server is a lot better. But on older machines, Windows 7 boxes, Windows 2008, 2008 R2, it's trivial. Once you have an administrator level of privilege to run Mimikatz, of course you have to disable antivirus because AV does catch this stuff, but once you disable antivirus, anything's fair game practically. And so we can pull the plain text passwords out. Once we have a plain text password, we can pretty much use that on the entire network to either escalate our privileges up to administrator or we have the administrative password and then LyncSmash, of course. That's something that I discussed a while ago. And if you want to find out more about that, just Google for LyncSmash.

Josh Bozarth [00:26:30] So we will tend to get the local admin account, and this is what Aaron was referring to the previous slide. Where we'll use Mimikatz if this is an easy target for the most part, because it's not controlled. A lot of times clients will just use the same local admin account across the board, across the network.

Aaron Moss [00:26:48] And I'm guilty of this, too, on my previous networks until I found out about yes, I can think back to my admin days.

Josh Bozarth [00:26:55] Yeah, we did that, too.

Aaron Moss [00:26:56] Yeah. I mean, it's just something that you throw into a config file or into an unattend.xml and voila, you've got the entire thing built up because you're more concerned about speed and efficiency of things out here. And one of the things that may be fine for building out initially, but eventually you're going to come across issues like pass-the-hash attacks.

Aaron Moss [00:27:16] Even with a ridiculously strong local administrator account, if I can get some kind of administrative access to it and I can pull that hash out, we can use a pass-the-hash attack to do lateral movement across the network. As long as that password is the same across several different workstations or servers, whatever.

Josh Bozarth [00:27:39] So let's break that down a little bit here, because sometimes that can go over people's heads and they don't understand what's really going on. So we've got let's say we've got a local admin, but we don't have local admin. We have the what it's called the password hash. So it's not the actual password, but it's how Windows, you know, masks it and hashes it. So it's protected or not. It's encrypted effectively. Yes. So you take that, you take the hash, you don't have to have the actual password and we can send that to other Windows machines. So if we have the hash of a local admin and you as the client use the same local admin password across the network, this is where one plus one equals two because now we can use that hash that we got from this system and send it to all the other ones on the network and they're going to respond by. Yeah. That's the local admin password. We have two and now that's when we start poking and prodding and looking for things that will escalate us over to the domain level.

Aaron Moss [00:28:33] Right. Essentially, we have tools that, well, Mimikatz is a great example once we get a shell on a system. If we can run Mimikatz, you know, using that local administrator hash to log into a different system until we find a domain name and an admin that's logged in. Then we use Mimikatz, of course, to find that information and then log into the domain, into the domain controller. And voila, we've got complete access to... We've got the keys to the kingdom essentially.

Josh Bozarth [00:29:02] So. What we're saying is it doesn't matter how strong that local admin password is. If we can see if we can somehow get the hash.

Aaron Moss [00:29:12] If it's the same password everywhere. And that's what we're fixing to get to right now.

Josh Bozarth [00:29:17] No, no, we're actually pictures are password cracker.

Aaron Moss [00:29:21] This is my baby. I built this. Like I said, I can crack it. Tell em about one hundred and twenty two giga hashes per second. Like Spaceball One, it went to plaid. It's the LMv2 about five point. Yeah. It gets hot in there.

Josh Bozarth [00:29:36] It really does.

Aaron Moss [00:29:37] We've actually got an extra fan just sitting on top of the sucker and make sure that the cards don't overheat. But with this being said, we built this machine in our as it says, our cracking time went from weeks or sometimes even up to years to hours or minutes and until and with LM hashes, which still do exist out there on some little older machines seconds.

Josh Bozarth [00:30:02] Yeah. And a lot of that is with using a lot of...We use a lot of dictionaries. We compile those over the years based off data that we get as we do our tests. We like to roll that back into our dictionaries. Oh yes, beat that up. But I mean frankly some of these passwords we crack are complex. There's no lie about it.

Aaron Moss [00:30:21] Absolutely. There's been a lot of passwords that I could probably throw a crack in for years and years as it sits right now, and it may never be cracked. With that being said, though, I probably cracked a good 60 to 70 percent of the hashes that we've come across so far.

Aaron Moss [00:30:39] So what do we do about bad passwords? Change them and change them. Find your default passwords. Don't have a default password for your your your local users and change them. Get rid of admin. Change me. Default, Cisco, whatever.

Josh Bozarth [00:31:00] And take a look at your assets. Think about what you have. Do you have a bunch of printers? Do you have a bunch of web cams, things that can easily be set up for default credentials and left? That way. Maybe it was set up by somebody else, set up by a vendor. You have to you have to look at it holistically. And and even if you let's say you have a security firm, you know, doing physical security in there. They have their own Web camera system. If it's on your network, you should be concerned. Yes. And that there is a conversation that needs to be had with those folks about their systems and the security around them.

Aaron Moss [00:31:32] And it goes back to the patch management thing. This is just another relative piece to patch management because you're essentially doing the same thing. If you know what's on your network, then you can go through and manage it. If you don't know what's there, then you have no idea until we come along and we find it for you.

Aaron Moss [00:31:51] Enable complex passwords, but don't rely on them. A lot of times whenever you get a complex "password", it's eight characters long and has random characters: uppercase letters, lowercase letters, a number, a symbol. And I hate to tell you guys this, but with the Kraken, if it's eight characters, I can have it cracked in about 12 hours or less. Especially for NTLM. Disable NTLMv1 and LM on every system in the network. This is possible with group policy. And if you can, disable NTLMv2 by switching to Kerberos. There's a lot of networks that may not support that yet because of older systems being on there. But if there's something you can do, try it. Avoid using passwords where possible, and that may not be possible, but definitely investigate it. Again, smart cards are good for this. I'm trying to think of other things off the top of my head. Smart cards are the first thing that came to mind.

Josh Bozarth [00:32:59] I think we're getting into a day and age where that technology is going to be more prevalent, where password use is going to be reduced. So we talked about things like multi-factor authentication and using things that you know and things that you have to help authenticate yourself. That's not real commonplace on, like, Windows environments, but it's going to happen. I expect that it's going to happen if it hasn't happened on some clients already. So really, we can't tell you what to do. We can just show you that there are options, and don't feel like your hands are tied with like, oh, I can only rely on Microsoft's complexity factors in Active Directory. No, you can get creative, right? Just don't. Yeah, you gotta balance that without making your employees wanna stab you when it's all over with.

Aaron Moss [00:33:48] That's an important part too.

Josh Bozarth [00:33:49] I don't want to get stabbed.

Aaron Moss [00:33:50] No.

Aaron Moss [00:33:51] Use a password manager. This is a big one because a lot of your system accounts can use password managers. They have long streams that you can use with super complexity. And if you have a central repository, that's an encrypted location for all of your passwords. We use it. Actually, personally, I've used KeePass for years because it's not cloud based, it's just a little file that I keep with me at all times. And then I have a pretty complex password that I have to remember, but it's just one password I have to remember versus hundreds. And so that's one of the things that I highly recommend for anybody to do. I've told my mom and my grandma for that matter, hey, use a password manager for all your passwords because it's going to at least keep them a little bit safer.

Josh Bozarth [00:34:41] Yeah. I mean, I even if I got my parents to use it. Yeah. I mean, that's from a personal standpoint. But these solutions, like even the cloud-based ones, are available, and IT groups and just administrators in general, they need to use these things because we have so many different accounts and we don't want to use the same password because again, if I have that password and I got it from, you know, this breach, let's say it's your health and I can use it on an internal network on the company, because that's the password I use then. Yeah. You basically put a risk on the company that doesn't need to exist.

Aaron Moss [00:35:24] Right. Configure complex passwords for all user accounts. This one's a little bit harder because sometimes you don't have the political capital, I totally get that, to go through and say, hey, I'm going to make these passwords 10-character passwords and we're gonna make them super complex. And then you have everybody from, you know, Joe Schmo down in the mailroom to the CEO beating on your door saying, why is my password to ratio show where I'm rubber? And so it's really difficult to try to enforce that. Sometimes you put your CEOs in Turkey, sometimes rather mark no matter. Yeah. Hey, you know the little Tyson chicken, I'm sure that's CEO of Chick-fil-A. I'm sure you know their cows. That's right. Chick flick probably has a cows CEO anyway. Passphrases are great for this. Use a song lyric, use a Bible verse. Use a sentence that means something to you, but it wouldn't have any significance to anybody else because basically what you're doing is you're creating one password string that is still somewhat complex, especially if you do it grammatically correct. And you're going to have a really difficult time trying to crack that because it's long in the first place. The longer your passwords are, it's so much harder to crack. Just, I mean, by virtue of the key that you're trying to crack alone, it acts exponentially for every character that you add. Which is one of the reasons I'm sure I still have probably a good 30 to 40 percent of the passwords that I've tried to crack with the Kraken uncracked to this point. Jump and pass that. This is a local administrator account, which sometimes can be done, sometimes can't be done, or what we highly recommend is that you use Microsoft LAPS, which stands for Local Administrator Password Solution, or another similar solution.

Aaron Moss [00:37:24] And what LAPS does essentially is it will give each individual machine a random password that you set an interval in group policy to say, hey, I'm gonna have these machines change their password every 12 hours, every two days, whatever. And each individual one has its own password that is completely unique to the machine, which then changes. And the only way to have access to those passwords, if we ever do need access to the local administrator account on those machines, is to go into the Active Directory infrastructure. Of course, there are certain levels of administrator access you need to get into the Active Directory infrastructure. So at that point, the whole purpose is, if you have access to the Active Directory infrastructure to gain access to the local administrator password, then you don't need the local administrator password to log into those machines.

Josh Bozarth [00:38:23] We need to keep moving here. We're going to run out of time.

Aaron Moss [00:38:26] OK. Shameless self promotion. Go check out my blog posts on pass the hash and installing LAPS for fun and profit.

Josh Bozarth [00:38:32] So yeah, Aaron's written a few things about that and you can find these on our blog if you actually just go to the blog and kind of browse around and see these as well. You can't capture these. We need to keep moving. We've got. OK. We're still on two. All right.

Aaron Moss [00:38:46] Oh, no. Now this. This is important. We want. This super important lesson 2A, again, local administration... Stop giving .... Calm down for a second. Stop giving your users.

Josh Bozarth [00:39:01] He's twitching, guys. He's twitching.

Aaron Moss [00:39:01] Stop giving your users local administrator accounts. Stop giving your users local administrator access. This is bad. It's great for us. Don't get me wrong. I love whenever I come across this because it really does. It makes our job super easy. This is bad for the network. People can install things in. It's just bad. So can we stop doing this now? Please and thank you.

Josh Bozarth [00:39:32] All right. Now we're going to talk about poisoning. This is probably the... this is the first thing that we do when we're on the inside, on the network.

Aaron Moss [00:39:41] This is how we get access to a lot of those password hashes.

Josh Bozarth [00:39:44] So what we're talking about here is it's a function of Windows trying to be helpful. LLMNR, and try to say that three times. I can't type can't. It's basically an L L M NMNMNNM.

Josh Bozarth [00:40:02] So what we've got is we are sitting on the network, because we're on the network at this point, this is an internal pen test. Maybe, or maybe we've already gotten inside the external, and we pretend to be other systems, we pretend to be responding to anything that comes across broadcast. And so these messages, these NetBIOS messages or these LLMNR messages, are coming across and they're asking questions, like, yeah, I can answer that. So we basically have software that we can kick off rather quickly, resolves, tries to get these challenges. So basically what we get is systems sending their credentials to us, hashes effectively. And that's nice. And you know, sometimes just regular users, sometimes it's domain admins. Don't what other things you see. We seem like we've had database passwords come across this way.

Aaron Moss [00:40:52] Yeah, I actually have had SA passwords come across because SA, the older versions like to those SQL Server 2005 had it was encoded algorithm... encoding algorithm for the password instead of an encrypted. So it's easy to decode if you know the algorithm, which Responder has built in. But essentially, as Josh was saying, what happens is when it works, if it goes out and talks to a DNS server, it says, hey, I'm trying to find this particular server in the data services. I have no idea what that is. And so the workstation sends out a broadcast, says, hey, does anybody else know what this is? And then Responder, which is the tool that we use, says, yep, that's me. Send me your information. And so from there, of course, we get password hashes and everything. And that's how we can crack those hashes. Know who is on the network, etc.

Josh Bozarth [00:41:42] Yeah, that's kind of just pretty much puts us at a position that we're pretty much almost done at that point.

Aaron Moss [00:41:49] Right? That's what It's all about broadcasting on your network.

Josh Bozarth [00:41:52] So we see this everywhere. This is very common. And so part of what we like to do is educate clients on what they can do to disable this stuff. So this is kind of the output of the tool that we use. You can see where we're emulating lots of different things here. When we execute this, we're emulating your WPAD, your proxy stuff, and your authentication proxies. Oh, we're pretending to be an SMB server. We're trying to be a Kerberos server and a SQL server. And see that the latter half, here's the output. So this is what we're seeing. We're seeing the answers sent. We're sending poisoned answers back and then they're at the end. We have to change things around.

Josh Bozarth [00:42:31] But you effectively get...

Aaron Moss [00:42:32] This is not a legitimate hash. I have zeroed out some stuff.

Josh Bozarth [00:42:36] You can try to crack it all you want.

Aaron Moss [00:42:37] Please do, and if you come across with something, let me know, because that means that I did something weird.

Josh Bozarth [00:42:41] Yeah.

Josh Bozarth [00:42:42] So we'll get this hash and we can throw this hash in our password cracker and run against dictionaries. Maybe we'll get that password. Most of the time we do because it's usually some kind of service account with some kind of boring password. That's easy. Right. We're gonna have to keep moving here.

Aaron Moss [00:43:01] Let's do this. We LM, we can get NTLMv1 and v2 hashes, which is Net-NTLMv1 and v2, not the actual NTLM hashes, but again, it can capture HTTP, SQL... also in plaintext, like we could just get straight up plaintext passwords. And again, we can crack them usually within hours, if not minutes. And so to get to the recommendations because I think we've already discussed a lot of this. Yeah. Just disable LLMNR and NetBIOS over TCP.

Josh Bozarth [00:43:34] I think it's been determined that if you're what's the version of what if you've got like Windows 2000 or something on your system?

Josh Bozarth [00:43:41] Now, I think that's something that you can't turn. Well, it's like their bios over. I don't think LLMNR was around yet, but NetBIOS over TCP was definitely there and it was something that was used. So really, we're showing you here there's a way to do it. Be a good policy for LLMNR.

Aaron Moss [00:44:03] LLMNR. LLMNR. Say it with me.

Josh Bozarth [00:44:05] I just read it all the time. I don't have to say it.

Aaron Moss [00:44:06] I know. I know.

Josh Bozarth [00:44:08] So here's where you can turn it off.

Aaron Moss [00:44:09] Le meaner.

Josh Bozarth [00:44:09] Le meaner? I like it.

Aaron Moss [00:44:10] Le meaner. Le meaner.

Josh Bozarth [00:44:11] Le-le-le-lemur.

Aaron Moss [00:44:14] Lemur?

Josh Bozarth [00:44:19] Yeah, it's a lemur. Lemur group policy.

Aaron Moss [00:44:19] So we're still showing you how to turn it off. Turn that off from...oh wait. Changed to enable. This is where that's the double negatives.

Aaron Moss [00:44:25] Notice this says multicast name resolution. So this doesn't give you the link layer, but give me local link. It's local link, not link layer, that's layer... what... Layer 2?

Josh Bozarth [00:44:39] And then here's...You can disable NetBIOS. You kind of have to do that.

Aaron Moss [00:44:42] This is a little more funky. Yeah. There is no GPO setting to control this, but you could probably do it in DHCP server options. And so if you run through the slides. Notice that we're in the local area connection. Hit Properties. Hit Advanced. And then disable NetBIOS over TCP/IP. Hit OK. Hit OK. Hit OK. And that will turn that off. And again, there's DHCP server options.

Aaron Moss [00:45:07] I don't know if I had them on the next slide or not, but nah. You can basically Google how to turn off NetBIOS over TCP DHCP options. And there's at least ten different sites that explain how to do that.

Aaron Moss [00:45:20] Lesson number 4: AV is still important. Yeah, so just so many people have said antivirus is dead, long live enterprise. Antivirus is not dead, people.

Josh Bozarth [00:45:34] It is effective.

Aaron Moss [00:45:35] It's very effective at finding like low level...

Josh Bozarth [00:45:41] Low hanging fruit, basically.

Aaron Moss [00:45:42] Right, I mean your viruses. If you get some kind of, just like somebody sends you an email and it's got something that's already been seen out in the wild, your AV is probably going to catch that. Yeah. Now, it's not good, of course, for zero-days and for targeted malware and stuff like that, possibly. But it still catches attacks.

Josh Bozarth [00:46:02] It serves a function.

Aaron Moss [00:46:03] It's still, it still needs to be there. And yeah, it can be bypassed or completely turned off. But that takes a lot of effort and is generally after we've already gained administrator access to the system. And so but again, it stops a lot of the common attack because that even that we use no malware, viruses, Trojans, worms, etc. But it also stops stuff like netcat, Mimikatz and Meterpreter shell.

Josh Bozarth [00:46:25] Yeah, a lot of the tools that we're using. They figure out ways to detect that and rightly so, because that's gonna be the tools a lot of other folks are using.

Aaron Moss [00:46:33] Exactly, the tools we use are just public domain tools. We don't have a whole lot of custom stuff. And once we develop it ourselves internally and then it's not really a tool necessarily that we use to gain access to something. It's just for standing and recon.

Josh Bozarth [00:46:49] Servers need AV.

Aaron Moss [00:46:50] Oh man.

Josh Bozarth [00:46:51] If you've got external facing servers, get AV on it. But it also needs to be tuned because you don't want this thing cratering your system because it's sitting there scanning it 100 percent of the time.

Aaron Moss [00:47:02] You've put it on a database server and all of a sudden your database server craters, crashes, whatever it is, because, you know, the AV is probably trying to scan that database file and it's, you know, databases are constantly being written to, read to and everything else. And so the AV is going to completely level that server.

Josh Bozarth [00:47:18] But we're pen testers, not admins. You can tune that stuff to your own needs.

Aaron Moss [00:47:23] Right. Exactly.

Josh Bozarth [00:47:24] What we're going to point out mainly here is your AVs can be a point of vulnerability with your consoles. And we've found it where we can disable your AV because your server consoles aren't protected appropriately.

Aaron Moss [00:47:38] Well, actually, what we're finding is that we can disable AV directly on the machine because the server console doesn't have, the AV itself doesn't have a password to turn it off. So you can disable it with using something like, for Symantec, for instance, SMC.exe -stop will turn off Symantec antivirus for the Symantec enterprise protection. It's, I mean, it's incredibly simple. And then, voila, now I have access to run Mimikatz on your server and I have your password.

Josh Bozarth [00:48:09] Alright, we've got eleven minutes. And we're up to number five. What do we have? Seven?

Aaron Moss [00:48:11] I don't know. I think six or seven... six or seven or something like that.

Josh Bozarth [00:48:15] Maybe people can be the weakest link and. Well if you talk to any of us for any length of time, we would already agree to that statement. Yeah. Social engineering attacks are going to be with us forever, basically. Because there's so much they can be so flexible and change with the whims of culture and with how people do things. Social Engineering is always going to be there.

Aaron Moss [00:48:40] So people just want to be helpful.

Josh Bozarth [00:48:43] They want to be helpful. So...

Aaron Moss [00:48:44] They like to help people. People are still good for the most part, and they want to help us to do things.

Josh Bozarth [00:48:51] So a lot of our Social Engineering activity that we do is strictly phishing. It's really the most successful thing for us. What we get is passwords. So we'll create things we do. We do phishing with phone calls, you know, otherwise known as vishing. It is time intensive and laborious because you have to kind of, you know, create these pretexts pretending to be these people. When I create an email, I have to do it once. And I can send it to a bunch of people. I kind of have to know when we're doing it by phone, it tends to need to get a lot more nuanced. We also have physical attacks that are technically called Social Engineering. Aaron is a big fan.

Aaron Moss [00:49:31] I love doing physical or physical attacks.

Josh Bozarth [00:49:33] He's... he's a very physical person.

Aaron Moss [00:49:35] I'm hugging Josh right now.

Josh Bozarth [00:49:37] No, keep away.

Josh Bozarth [00:49:39] Here's kind of what we can generate. This is one of our go-tos when we phish somebody. So we'll create what looks like a standard Microsoft security alert. You know, it looks like, hey, you. Somebody has access to your account inappropriately. We need you to recover your account. We create the big button for everybody. It all goes into their Outlook. And nobody really kind of questions that for the most part, because it looks legitimate.

Aaron Moss [00:50:04] Right. One of the things to look out for is in the e-mail address that it's coming from. Excuse me. One of the e-mail addresses coming from in particular says There's no such thing as

Josh Bozarth [00:50:20] Sure, there is.

Aaron Moss [00:50:21] Well, there is now.

Josh Bozarth [00:50:23] Yeah, it goes to us.

Aaron Moss [00:50:24] Yeah, that's right. So be on the lookout for stuff like that. If there's a dash somewhere in that domain, at least be wary and at least question that.

Josh Bozarth [00:50:33] But I mean, this goes into understanding where the reason why these things are successful is because clients are migrating more to Office 365. And so everyone's got all these third party external services that they're using that they go to as opposed to everything being internal like it used to be back in the day. So everyone's gone with it. Okay. Yeah, that's my office. That's my email. That's my outlook e-mail for Company Z. They're not going to think to sort of look like when I click the link. Yeah. So they go to the link and this is what they get. Kind of looks like what you would expect when you're signing into your Microsoft account, whether it's, you know, the outlook portal or the office portal or just generic. You know what?

Aaron Moss [00:51:16] I want to point out that at the top of the screen is not secure enough, that there's no little green lock there or what?

Josh Bozarth [00:51:21] We don't even have a cert on this.


Aaron Moss [00:51:23] Yeah, we don't have a cert on this thing. But even if we did, it was probably still be legit because we could totally get a SSL certificate for And make it go to And then you click on that you see the green link. It's going to say, hey, this is a legitimate site.


Josh Bozarth [00:51:40] And we've had to do that before. We've done that as well.


Aaron Moss [00:51:43] Don't trust that the green link, the green lock means anything.


Josh Bozarth [00:51:47] And so the end result with phishing is that training is great, but don't rely on it a hundred percent. You need to vary this training. And that's where sometimes when we do our Social Engineering engagements, we get to do different things that maybe your run of the mill tools that are template based are only going to, you know, basically do the same thing over and over. We try to create real world examples, things that people are seeing when we work with a client. We actually ask them, hey, what kind of spam e-mail are you seeing that's pretty prevalent these days that you're dealing with? And we'll actually either mimic it completely or, you know, do something similar to that. And it's still successful, which shows that training is still me. You still kind of need to keep pushing on that training, communicating what domains that the company uses, whether it's, you know, office dot com, you know, the Microsoft domains or some other third party like ADP. We've busted a lot of people with a fake ADP site. So, yeah, it's a goldmine because they're like, oh, it's tax time here. Go get your W-2. Oh, hey, we've got a new pace that we had to fix it and fix your pay stub and increase your amount.

Josh Bozarth [00:52:52] You know, people are going to click on that every time.

Aaron Moss [00:52:54] Every time. I would click on that.

Josh Bozarth [00:52:56] I think I would, too. This is another thing that you can do. And a lot of clients do this. Add subject line tags because, you know, e-mail can be modified in transit. So before it's delivered to somebody at your company, if it's from an outside domain, they can prepend it with "External" or they can put things in a red font or you could put it in a neon yellow with red and read it.

Josh Bozarth [00:53:18] I'll do whatever works. But the idea is to help people report weird e-mails. But the end result is to test your users, not just lots, but often.

Aaron Moss [00:53:31] Yeah. Like once every couple of months is probably a really good thing. You can do it with random users for that matter, don't do the same users over and over. You want to get a good sampling of users if you're doing it with.

Aaron Moss [00:53:44] Let's move on to Social Engineering attacks. The physical side of things. Whenever the external network is really well secured, the easiest way in might be the front door or the side doors or the loading docks, the contract, your instance, the smoke holes, wherever that people gather. If I show up with a badge, it looks like theirs. I'm pretty much follow them in, guys once I'm inside, often labeled a smoke hole. Don't go into the bad. I don't hope for this term. Smokeless smoking is bad and good. It came from decision one. All right. That's literally where I learned the dumb term anyway. We got to keep moving. Yes. So employee tailgating is, it says here, a little bit of misdirection goes a long way. If I'm doing a physical engagement, it's generally me. You mean Anderson, Stephen Anderson, who is another security consultant here. He may make up some kind of thing. You'd be talking to somebody.

Josh Bozarth [00:54:38] Oh, there is.

Aaron Moss [00:54:38] Yeah. Hey, there's Anderson now.

Aaron Moss [00:54:40] And we will be talking to people and we'll just make friends with people like me. Yeah, I've heard about this new thing, blah, blah, blah. And we will literally talk to people every walk in the door behind them. "All right, man. Well, I got to get back to work. It's good to talk to you. See you soon." Now we have access to your building. It's happened quite often, actually, and we really love it. So obviously we can create badges that look like your badges.

Josh Bozarth [00:55:07] Yeah. It's not unheard of. They don't have to work. They just have to look like their badges.

Aaron Moss [00:55:11] Right. And if it makes the beeper, you, your card reader, beep, even if it's not working, that's an easy way for me to say "Man. I have talked to security about this six times this week, and my stupid badge is still not working. Can somebody get me in touch with them?" And they'll let me in.

Josh Bozarth [00:55:30] Obviously, tailgating is a common issue, creating that as part of your security program, making people aware of that. We have clients that are really good about that. So it's possible.

Aaron Moss [00:55:40] This is a culture thing, people. The security culture needs to be, hey, everybody needs to be aware that these attacks can happen like this. Let's let everybody know everybody needs to badge in, regardless of whether or not you know them. If they're following you in, there could be consequences. Let's keep this on. Let's keep this on the level.

Josh Bozarth [00:56:04] It basically boils down to if you see something, you need to say something. If it's weird, question that, right, and contact their manager, call security. Create an option for folks to be able to escalate that if necessary, because you don't really want your employees, you know, manhandling weirdos. Right. But you want them to be aware and be able to report things that are kind of fishy, so to speak. OK.

Josh Bozarth [00:56:29] So I think we actually got through everything here. We're going to hurry.

Aaron Moss [00:56:32] Yeah. We're going to have to really cut this down for the BSides talk.

Josh Bozarth [00:56:36] If you've attended, maybe you talk in the years past or maybe you did it in December when you're gone. Does this seem familiar? The problem is that these issues are still the same that we've seen over easily the past three years. It's... we're seeing these same things... default credentials, you know, things not getting patches. Security awareness training is horrible, things like that.

Aaron Moss [00:57:00] Responder is relatively new over the past couple of years, but it's still something that's been around for forever.

Josh Bozarth [00:57:05] But in general, we also want to help you understand that it's not as bad as it sounds.

Aaron Moss [00:57:11] And you guys are getting better. This is something I really want to get the point across. You need the blue teams, the system administrators, network administrators are making it harder for us every year. There have been tests that we've been on that you guys are taking into account. The patching you guys are taking into account, the more deeply, the more complex passwords, getting rid of your default passwords, but still may have missed one. And we can use that to get into your network. So continue on the path that you're on getting better, because that's super important. And we're really proud of you guys. That's what we're trying to say.

Josh Bozarth [00:57:49] So one of the things that we want to offer everyone who's listening is we have an option for you guys to be able to contact us and work with us on, you know, determining whether or not the scope of your tests are appropriate to your company's needs. Because sometimes you'll be using the same folks over and over. And that just kind of gets dull. I mean, even with our own testing, we have to refresh things once in a while. We're glad to sit down and discuss that with you guys. And you'll hear more information about that later on the emails and other contacts. But we want to let you know that we're going to be able to provide that as kind of an initial consultation. It's not going to be anything that you're going to have to worry about payment wise. But let's have that conversation with you to make sure you're looking at the right things in your environment.

Aaron Moss [00:58:39] Right? I personally love to talk to people. So give me a call.

Josh Bozarth [00:58:42] Yeah. And this is just information about us. I'm not going to belabor this. A lot of this stuff is on our Web site. We have lots of experience where we're crazy, crazy nutball guys that have to wear the crazy again. Yes. Like I said, this is what I have to manage. We have a lot of different services. We talked about the I.T. managed service side that we have alongside with our group, which is the security testing services, which is the best group and other. You know, I've met I've worked a lot of these guys. They're great.

Aaron Moss [00:59:16] Yeah.

Josh Bozarth [00:59:17] I mean, we are the best but they're great.

Aaron Moss [00:59:18] I like what I do.

Josh Bozarth [00:59:20] All right. So I'm going... we're going to pause and let Lisa kind of do something. We may be wrapping it up. It is 11 o'clock right on the dot, or Central Time, but I'm going to pause and let Lisa kind of run some stuff. And if we need to respond to some questions, we will.

Aaron Moss [00:59:40] Thank you, Lisa.

Lisa Remsa [00:59:43] Thank you, everyone, for attending, we appreciate you being here. If you'd like to take us up on the free offer to give, it's an email at You'll also get an e-mail tomorrow that kind of goes into a little bit more detail. But thanks for joining us. If you submitted a question, we will respond to you via e-mail. Since we ran out of time. But thanks again and we'll see you at the next TRUE Talk.

Josh Bozarth [01:00:05] So, yeah, everybody, thanks for joining us.

Aaron Moss [01:00:07] Thanks for joining us, guys.