
Penetration Testing 2018: Lessons Learned Transcript

Lisa Remsa [00:00:08] Morning, everyone, and welcome to today's webinar. I want to thank you guys for joining us. My name is Lisa Remsa, I'm the Marketing Manager here at True Digital Security. And I have the distinct pleasure of being today's webinar host. 

Lisa Remsa [00:00:21] Today we are presenting Penetration Testing: Lessons Learned, presented by Josh Bozarth, our security testing services manager, and our TRUE security consultant. 

Lisa Remsa [00:00:30] Just a little housekeeping before we get started. If you guys have any questions during the presentation, please feel free to type them into the question box in your GoToWebinar control panel. 

Lisa Remsa [00:00:39] We'll try to address all the questions at the end of the webinar. 

Lisa Remsa [00:00:42] Also, there will be a special offer extended to today's attendees at the end of this presentation, so please stick around to hear more about that. 

Lisa Remsa [00:00:50] There will also be a recorded version of this webinar, available on-demand. 

Lisa Remsa [00:00:54] After the presentation ends, it will be immediately available. 

Lisa Remsa [00:00:57] You can either use the same registration link as for this live session, or you can visit TrueDigitalSecurity.com/webinars, and all on-demand recordings are available over there, as well. 

Lisa Remsa [00:01:10] So, without further ado, I will turn the time over to Josh Bozarth. 

Josh Bozarth [00:01:16] Thanks, Lisa. Good morning. 

Josh Bozarth [00:01:19] Hello, everybody. 

Josh Bozarth [00:01:20] Thanks for joining us for another look at the lessons learned that we've picked up over the past year with our penetration testing. 

Josh Bozarth [00:01:30] My name is Josh Bozarth, and I'm here with Aaron Moss, and Aaron is my cohort and fellow hacker, I guess I should say, in hackery crime. Not crime, actually. We do this legally. Yeah, he doesn't go to jail, yet. Not yet. 

Josh Bozarth [00:01:46] So, we're gonna introduce ourselves, and then we'll get into the meat of the presentation. 

Josh Bozarth [00:01:54] Go ahead. 

Josh Bozarth [00:01:56] So, like I said, my name is Josh. 

Josh Bozarth [00:02:00] I am the security testing services manager for True Digital Security. It's a fairly new role for me. I have managed folks in the past, but it's fun to work with them side-by-side while also kind of helping steer the direction at the same time. 

Josh Bozarth [00:02:18] My history is varied and long, like most security folks can have from a history standpoint. 

Josh Bozarth [00:02:25] Because we're old enough, cybersecurity degrees didn't exist when we were younger. 

Josh Bozarth [00:02:32] And so I have a Bachelor's in news-editorial journalism, and that's a long story to save for another time. 

Aaron Moss [00:02:40] But, well, cybersecurity wasn't a thing whenever you were in college, like 100 years ago. 

Josh Bozarth [00:02:49] Yeah, back in the day. So, yeah, I have a journalism degree, but it was never really used. I switched. 

Josh Bozarth [00:02:54] Switched over to working in the industry with system administration and engineering, Windows, Unix, Linux, spent a lot of time in data centers building things, architecting things, and then transitioned to auditing, which eventually led into the security space. 

Josh Bozarth [00:03:15] And so, I've been here with TRUE for a little over four years, getting closer to 4.5, and have had a great time since I've been here, and it's been great. 

Aaron Moss [00:03:28] And, again, I'm Aaron Moss (@bl0ckbuster) on the Twitters and that is a zero. No, no, no. 

Aaron Moss [00:03:34] Gonna point that out, people, people don't, they don't see the zero. Anyway, I started out in Helpdesk whenever I started my career. 

Aaron Moss [00:03:41] I actually do have a degree in information systems security, although it's, I'm not sure that it's really worth anything because of where it came from, but that's another story for another time. 

Aaron Moss [00:03:52] I graduated from helpdesk to system and network administration and virtualization administration, basically, much like Josh, architecting and building up, uh, basically small organization servers. 

Aaron Moss [00:04:07] And their entire networks and stuff like that, and eventually became an IT director, and then worked my way into security consulting here somehow, to Josh's dismay. 

Aaron Moss [00:04:17] So now, as he said, we're both professional hackers, and this is kind of what we've learned over the last year of doing our penetration testing. 

Josh Bozarth [00:04:30] So, you know, this will give you kind of the high points, in case you want to check out the rest of the webinar. So we're going to talk about some high-level lessons that we've learned over the years, specifically in 2018. 

Josh Bozarth [00:04:43] But now that we're getting ready to hit March in 2019, the points that we're talking about have shifted or changed a whole lot. 

Aaron Moss [00:04:54] So, FYI, I do want to point out that a lot of these are related specifically to network penetration tests. There are some level of web app testing in there. But mostly, this is related to network penetration tests, because that's a large portion of what we do. 

Josh Bozarth [00:05:09] And, in the wild variances with web app testing, obviously, we have the OWASP models and the OWASP Top 10, you know, that we do our web app tests with. 

Josh Bozarth [00:05:22] So, cross-site scripting and/or SQL injection, those types of things. They're still prevalent there. 

Josh Bozarth [00:05:28] They are, obviously, but we're not going to be talking a lot about that today. But, also, those things can manifest themselves in way different ways 

Josh Bozarth [00:05:36] than what we see commonly on the networks, right, and if you guys want us to do a webinar to talk about them, let Lisa know in the comments. 

Josh Bozarth [00:05:45] So, our pentests can cover a lot of different industries. 

Josh Bozarth [00:05:49] We have clients that are in retail, as you can see, technology, financial, medical. Energy is big here in Tulsa. Both Aaron and I are based out of Tulsa, Oklahoma. But we also have public sector. 

Josh Bozarth [00:06:02] And there's an increase in governmental type things that we're working in, as well. 

Josh Bozarth [00:06:10] So let's talk about, the first lesson that we're going to talk about today.

Aaron Moss [00:06:18] Patching is not optional, people. It's still an issue. So many times we get on a penetration test. 

Aaron Moss [00:06:23] There are just computers everywhere that are missing random patches. The worst offender, at this point, 

Aaron Moss [00:06:30] it still seems to be MS17-010, which, if you're not familiar with MS17-010, it is a remote code execution vulnerability in Windows Server. It affects up to, what, 2008 R2, I think, if not, yes, 2003, 2008. 

Aaron Moss [00:06:51] And it essentially, basically, allows us to get SYSTEM on a machine that's not patched, and it's very quick, very easy, and it's very reliable. 

Aaron Moss [00:07:01] And from there, we can pretty much go from, you know, 0 to 60, get administrator and own the domain. 

Aaron Moss [00:07:09] A lot of times we find it on non-critical servers, because a lot of organizations feel like, if it's a non-critical server, and clearly it's not, 

Aaron Moss [00:07:19] it doesn't need to be patched as often. They don't pay that much attention to it because it's, you know, not critical. A lot of forgotten servers that are out there. 

Aaron Moss [00:07:29] I've been on numerous penetration tests over the last year where people were like, you found that server? Where did you find that server? And it's a 2003, or a Windows 2000 server, because their network is so large and they just forgot that something existed, and it's just sitting there running. Workstations are prevalent, with Windows 7 workstations still, because, quite frankly, even though you have WSUS set up, WSUS isn't perfect. 

Aaron Moss [00:07:54] Especially if your domain group policy is not working correctly on a workstation. It happens less often on the servers, but that's because you have fewer servers than you have workstations, and you've got a lot of issues with third-party apps, of course, like Adobe, Java, Microsoft Office, et cetera. 

Aaron Moss [00:08:11] And I will say that there's a lot of missing patches sometimes on critical servers. Oracle, I'm looking at you, because you can't patch Oracle without taking it down in many places. 

Aaron Moss [00:08:23] That's the primary critical point. 

Aaron Moss [00:08:26] If you take down Oracle, you're gonna lose hundreds, thousands, possibly millions of dollars, you know, per minute, per hour, or whatever that is down. 

Aaron Moss [00:08:36] So, patching, please, patch. 

Josh Bozarth [00:08:39] So I'm going to, I'm going to interject here, because you were talking about systems that were, you know, clients would be like, Oh, how did you find that? We didn't know that was there, and so, we'll give the benefit of the doubt to the clients. Like, OK, they didn't know. 

Josh Bozarth [00:08:55] I actually had a pen test where I had a system that was on the network, and it had this MS17-010 patch not applied; actually, it didn't have a lot of patches applied. 

Josh Bozarth [00:09:07] And this is a, you know, we've tested this client for years, and I'm like, whoa, where did this system come from? 

Josh Bozarth [00:09:12] Found out that they turn it off right before I turn up, then turn it back on once that's done. 

Josh Bozarth [00:09:17] Yeah, I didn't know that. They told me, they were laughing about it, and I was like, so yeah, we can appreciate that. Yeah, you turn it off for the pen test, but you turn it back on after the pen test. 

Aaron Moss [00:09:33] Clearly, it's not a critical server. Why is it on in the first place? Why does it need to be there? 

Josh Bozarth [00:09:38] It was a very, very specific role, and it really only needed to be on for like 15 minutes, once a month. It's like a payroll type thing.

Aaron Moss [00:09:45] Really? And I'm like, can you guys figure out a way to seriously, like patch the machine, leave it turned on or whatever? 

Josh Bozarth [00:09:53] Well, they had problems where they did patch it, and it blew up. And that's another thing that we've experienced, too. 

Aaron Moss [00:09:59] We've heard from so many of our administrators, "if we patch this..." I think I had one just a couple of weeks ago, as a matter of fact, who said, "hey, we've patched this, but every time we patch it, it blows something up." 

Aaron Moss [00:10:12] And so, I want to say, it was like a BIOS system. They patched the BIOS system, and it blew up a call center. And it was a major problem for them. And so they had to get in touch with the vendor to say, "hey, every time we try to patch this, it blows up our application. What can you do?" And so sometimes that's something that needs to happen with us as administrators. 

Aaron Moss [00:10:34] We have to get in contact with the vendors and say, hey, I'm having an issue, and I need you to fix this as the vendor, or, you know, we need to figure out some other solution. 

Josh Bozarth [00:10:44] So, it really comes down to the, we want the client to, at least, appropriately assess the risk that's involved with this, and, you know, sometimes you just can't do it. But there are ways there are controls you can put around these unpatched systems, if you absolutely have to do it, you know, I think about SCADA and all that jazz. But right. 

Josh Bozarth [00:11:06] Yeah, when we come in, we want our clients to be able to assess the environment and approach it with, you know, care, but also with a realistic expectation. Like, you're not going to be 100% secure. We all know that, and if you think that you can be, that's crazy. 

Josh Bozarth [00:11:24] But we also want to be able to move forward with making things better for everybody, and that sometimes requires some heartache and pain, but that's what we're here to help you with, guide you through that.

Aaron Moss [00:11:33] Right? And we're here to help guide you through that, as well. 

Aaron Moss [00:11:42] Not just pen tests, but we have other pieces at TRUE that can help you maintain your networks as well, and we'll get to that later. OK. So, we talked about MS17-010, but this is kind of an idea of what happens when we get access to one of your systems using this particular vulnerability. Whenever we use MS17-010, we have ... system access. And, I'm sure many of you understand, you know, what that's like. 

Aaron Moss [00:12:13] Beyond the administrative level, you are literally running as, I mean, for lack of a better term, kind of running as the kernel. 

Aaron Moss [00:12:23] So, once we gain access to your server, we get access to all your data. 

Aaron Moss [00:12:27] We've got access to your credit cards, your personally identifiable information, such as social security numbers, even e-mail addresses, home addresses, names, etcetera. And PHI, which is, as you see there, HIPAA-protected health information. So, medical records, shot records. 

Aaron Moss [00:12:47] Other information that we probably can't mention here, because of NDAs, but all it really takes is just that one missing patch on one server. 

Josh Bozarth [00:12:58] And let's not, people are going to go, well, if it's that one server, like my example, the one server that was on for 15 minutes a month, right? 

Josh Bozarth [00:13:06] Or, you know, they kind of kept it on by accident, but people are like, well, that's not, that doesn't have sensitive data on it. All it's doing is sending out e-mails, doesn't matter. Yeah, it doesn't matter, because it's the foothold that we get when we have that level of access. That's where we start getting those credentials. Oh yeah, that's where we can see your domain administrators, because most of the time they're logged in to these systems and we can capture that. We either crack their password or use their password hashes and roll through the network. 

Josh Bozarth [00:13:35] We've got everything we need at that point to get things like credit cards and PII. 

Aaron Moss [00:13:38] And the thing is, sometimes it's not just one missing patch. 

Aaron Moss [00:13:42] I will say that sometimes that one missing patch will get us a low-level access to something. And it may take us a little bit of work, but generally speaking, if we can chain several low-level vulnerabilities together, it turns into a major, critical vulnerability overall. 

Josh Bozarth [00:13:59] This is a screenshot kind of showing that we're using ... basically to pop these boxes with MS17-010. This is, yeah, this is what it actually looks like whenever we run the exploit itself against a server. 

Aaron Moss [00:14:15] And then, as you can see, if you look towards the bottom, you can see that we have a shell, and it says whoami, NT AUTHORITY\SYSTEM. 

Aaron Moss [00:14:23] So this is the kind of access that we have. 

Josh Bozarth [00:14:26] Once it's exploited. And this is something that anybody can play around with and try, because it's Metasploit, that's freely available. 

Josh Bozarth [00:14:33] So you can set up your own labs with unpatched systems, and have a field day. Metasploit, what's great about it for training purposes, they provide virtual machines to do this. 

Aaron Moss [00:14:45] Also, I want to point out that one of the ways we do a lot of the scanning for MS17-010 is using ..., because ... has a built-in MS17-010 scanner. 

Aaron Moss [00:14:55] You literally hand it a subnet and it goes through and checks every computer in that subnet and says whether or not it's possibly vulnerable, or if it's not vulnerable, to MS17-010. And outside of normal patch management, using WSUS, using 

Aaron Moss [00:15:11] Nexpose. Nexpose is a vulnerability scanner. But also, using regular patch management, use other tools to check to make sure that your patch management is working. 

Josh Bozarth [00:15:25] So, everyone has probably their patch management systems, like WSUS, or, you know, maybe a third-party patch management tool. 

Josh Bozarth [00:15:31] We recommend Guaranteed Networks; TRUE has their own set of patch management utilities on the IT side as well. But regardless of what you're using, what Aaron said, it's important to validate that these patches are done, and that's where things like vulnerability scanning can help you. 

Josh Bozarth [00:15:49] Because those things are designed to look for whether or not something is actually applied, because sometimes these patch management tools, they're just designed to push the binaries, install the patch, reboot the machines, and it's done. And they kind of keep track of it that way, but maybe not necessarily validate that it's still exploitable or it's still vulnerable to an issue. 

Aaron Moss [00:16:11] Correct! And as it says, you know, one of the things that we noticed is that a lot of times, we'll run up against something that an administrator doesn't know is there. So, asset management, to go back to the last slide. Asset 

Aaron Moss [00:16:24] management is a super important part of patching, because if you don't know what's on your network, and you don't shut down what you don't need, then you're going to have vulnerable systems on your network. 

Aaron Moss [00:16:41] Yeah, so, asset management, guaranteed networks, call us for a quote. 

Aaron Moss [00:16:47] Cause: Yeah. 

Aaron Moss [00:16:50] All right, So, I've been told I have a face for radio, so this is perfect. Lesson number two, passwords, you are the weakest link. 

Aaron Moss [00:17:00] You want to take this one? 

Josh Bozarth [00:17:01] Sure, I'll, yeah, I'll talk about it. 

Josh Bozarth [00:17:03] So, it's not. You would think that, in 2019, people have changed their passwords from the defaults. 

Josh Bozarth [00:17:14] No. No. 

Josh Bozarth [00:17:16] Unfortunately, we still come across this. We still come across it here. 

Josh Bozarth [00:17:22] You know, you've got a Tomcat manager that's got the default credentials. You've got a lot of common things that we see, like, well, we have a bullet point here with all these different accounts. 

Aaron Moss [00:17:34] We have, these are just a few random default credentials. 

Josh Bozarth [00:17:39] IPMI back ends, you know, like your out-of-band management systems, are usually set up with default creds. 

Aaron Moss [00:17:47] Most of the time, even though they're on a separate subnet, they're still vulnerable. 

Josh Bozarth [00:17:53] We'll find issues with printers; printers are huge. Oh, there's a great one, we'll discuss that here in a second. But, yeah. So, SNMP community strings, we can get a lot of information with those. 

Josh Bozarth [00:18:06] We can also modify information, but we don't tend to have to do that as much. 

Josh Bozarth [00:18:09] But these generic, you know, "public" and "private" as your community strings: we're trying to get folks to, you know, use complex strings, because people don't need to use those strings. These are designed for tools to pull the data, to monitor and poll devices. 

Josh Bozarth [00:18:28] And that's just not something that a human really needs to worry about. So generate the strongest strings that you can; otherwise, you can guess them by just guessing. 

Aaron Moss [00:18:35] And we understand that a lot of IoT devices may have limitations on your strings, so if you can do something like a password manager, that will help, and we'll cover that later. 

Aaron Moss [00:18:46] This is an IPMI module for a Lenovo server that had default credentials on it. Essentially, what you'll see is that, if you look very carefully, you can see system information, power actions, and remote control. 

Aaron Moss [00:19:00] Power actions and remote control are two things. I really want to point out, because power actions means that if we drop that down we could shut down that server completely. 

Aaron Moss [00:19:09] And anything that is running on it. This is a virtualization server, so it probably had, I don't know exactly how many servers it had on it, but I'm guessing, for this environment, upwards of 20. If any of those servers were critical, and I shut down this hardware, your entire environment goes down, and you're still trying to figure out what happened. You've just lost a ton of money. Outside of that, remote control. 

Aaron Moss [00:19:31] Now, I have access to the actual hardware itself through a Java console, and yeah, if I wanted to do something to your VMware server, really bad, I'd just do it through that. All because of default credentials. 

Josh Bozarth [00:19:45] Or it could be, it may not be a virtual host. It may be just a standard Windows machine. 

Josh Bozarth [00:19:50] If so, then we've got, you know, kind of a key into that system,

Aaron Moss [00:19:56] then we've just gone from having zero to whatever's logged in there. Again. 

Aaron Moss [00:20:05] This is a printer, this is actually a copier. But the same principle applies: this has default credentials on it. It was admin/admin, if I'm not mistaken. What I want to point out is, if you look towards the bottom, you'll see that the remote one says "Allow the following network folder to be used as a destination: SMB." 

Aaron Moss [00:20:24] So it was connected to a Windows share. The network path, which is the exact location on the server where it was pointed to, and the login username and password, were incredibly informational here, because they were set up as a domain admin and it was in plain text. 

Josh Bozarth [00:20:44] So you've got two factors that are the problem there. One, you're using a domain admin to connect this printer to the network. A, don't do that. 

Josh Bozarth [00:20:51] Then B, you've got the printer manufacturer that doesn't know how to encode passwords in their backend. So we can see them plain as day. 

Josh Bozarth [00:21:00] So, you know, two different entities are kind of causing an even worse problem going forward, because when we log into it with default creds, you've got default creds, you're using a domain admin, and then we've got the printer that can't mask passwords appropriately.

Aaron Moss [00:21:18] It masked them. It's just that we could unmask, because star, star, star, star, star, star, star is just something set up by the browser. 

Josh Bozarth [00:21:27] So, yeah, there's no protection. None. 

Aaron Moss [00:21:32] Weak passwords. This is fun, OK, yeah. 

Josh Bozarth [00:21:38] This is a continuation. So we've moved on from default credentials. Let's say you've changed your password. OK, great. Well, tell us about password cracking.

Aaron Moss [00:21:41] I'm not even talking about password cracking. Yeah, we're gonna get to that in a second. This is more related to Skype for Business. 

Aaron Moss [00:21:52] So Skype for Business has a wonderful flaw in it. 

Aaron Moss [00:21:55] We'll call it a feature, because that's what Microsoft calls it. It has a race condition that, once it attaches to an Active Directory server infrastructure, you can basically password spray, which means you can use one password with multiple usernames to, 

Aaron Moss [00:22:17] basically, try to identify legitimate usernames on your Active Directory Network externally. 

Aaron Moss [00:22:24] So if you have a Skype for Business server that sits on your external network, that's publicly available to the Internet, and I can access it, there's a specific URL. 

Aaron Moss [00:22:35] This is a specific link, the URL that you go to with it. 

Aaron Moss [00:22:37] But basically, it pops back with a credential box where you can put in a username and password. 

Aaron Moss [00:22:44] There's an attack called LyncSmash where you basically hand in one password and throw a whole bunch of usernames at it. 

Aaron Moss [00:22:51] And depending on the time it takes to come back, the quickest times that come back show, basically, this is a legitimate username, and then the slower times say this is not a legitimate username. Granted, this takes a lot of time. But once you have legitimate usernames for your network externally, then we start going after it with stuff like Password1, Summer2018, Summer2018!, Winter2019. 

Aaron Moss [00:23:14] Any season, year, whatever, and adding a special character or two at the end of it doesn't make a whole lot of difference. 

Aaron Moss [00:23:22] Because we could probably guess it. 

Josh Bozarth [00:23:25] Yeah, and so the reasoning behind this is: we are humans, and we can't remember anything. And so, in order to make a password that's somewhat functional for somebody who has to change it every 90 days, this is what ends up happening. So, you know, they'll have their favorite sports team, and then whatever the month is, or whatever the year is, or they'll do it like this with the season. These are, this is really bad. 

Josh Bozarth [00:23:49] But we'll see variations of this, right. And then everyone's trying to be creative with it, and that's, that's fine. But in the end, we need to get things that are a little more complex, that aren't really guessable dictionary-type words. 

Josh Bozarth [00:24:03] And especially, don't put the company that you work for in the password. Because that's going to be another option that we're going to check for.

Aaron Moss [00:24:15] And then this is, we're looking specifically at IT administrators or the helpdesk who are setting a password for new users or resetting passwords, and then not saying, hey, you need to change the password immediately. Don't use any of these passwords or anything like it. 

Aaron Moss [00:24:22] Come up with something different, or come up with something random, and then somehow get that information to the user in a secure fashion. 

Aaron Moss [00:24:32] So we want to talk about the tools of the trade. This is password cracking. This is basically, once we've gained access to your network, we've actually got all of the, we've gained access to the domain and then we pull down your entire Active Directory. 

Aaron Moss [00:24:47] Or maybe I just have one hash, or we could just have one hash, right? It just depends on how far we've progressed in the pen test. 

Aaron Moss [00:24:56] But with Hashcat, we have about a $5,000 cracking rig here that cracks passwords anywhere from, 

Aaron Moss [00:25:05] I mean, ridiculously fast to "they've gone to plaid." 

Aaron Moss [00:25:11] So, uh, if you got that reference, congratulations, you're a Spaceballs fan. Mimikatz is fun, because instead of having to crack a password, basically, we use Mimikatz, 

Aaron Moss [00:25:25] once we get on the system, to grab the plaintext password directly out of memory. Windows stores a lot of these passwords in memory. They've actually fixed a lot of this to a degree in Windows 10. It's gotten a whole lot better. 

Aaron Moss [00:25:39] I think Windows Server 2012 is a lot better, but on older machines, Windows 7 boxes, Windows 2008, 2008 R2, 

Aaron Moss [00:25:51] it's trivial, once you have administrator-level privilege, to run Mimikatz. Of course, you have to disable antivirus, because AV does catch this stuff, but you disable antivirus, and anything is fair game, practically. And so we can pull the plaintext passwords out. 

Aaron Moss [00:26:10] Once we have a plaintext password, we can pretty much use that on the entire network, too, to either escalate our privileges up to administrator, or we have the administrative password. And LyncSmash, of course, is something that I discussed a while ago. And if you want to find out more about that, just Google for LyncSmash. 

Josh Bozarth [00:26:30] So we will tend to get the local admin account. And this is what Aaron was referring to. 

Josh Bozarth [00:26:36] On the previous slide, we will use Mimikatz. This is an easy target, for the most part, because it's not controlled. 

Josh Bozarth [00:26:44] A lot of times, clients will just use the same local admin account across the board, across the network. And I'm guilty of this, too, on my previous networks, until I found out about, yeah. I can think back to my admin days. 

Aaron Moss [00:26:56] Yeah, we did that. Yeah, I mean, it's just something that you throw into a config file, or into unattend.xml, and voilà. You've got an entire thing built up, because you're more concerned about speed and efficiency here. 

Aaron Moss [00:27:08] And that may be fine for building out initially, but eventually you're going to come across issues like pass-the-hash attacks, even with a ridiculously strong local administrator account. 

Aaron Moss [00:27:22] If I can get some kind of administrative access to it, and I can pull that, the hash, out, we can use a pass-the-hash attack to do lateral movement across the network, as long as that password is the same across several different workstations or servers, whatever. 

Josh Bozarth [00:27:45] Yeah, so, let's, let's break that down a little bit here, because sometimes that can go over people's heads and they don't understand what's really going on. 

Josh Bozarth [00:27:45] So, let's say we've got local admin, but we don't have the local admin password. We have what's called the password hash, so it's not the actual password. 

Josh Bozarth [00:27:54] But it's how Windows, you know, masks and hashes it, so it's protected, or not; it's encrypted, effectively, yes. So, you take the hash, you don't have to have the actual password, and we can send that to other Windows machines. 

Josh Bozarth [00:28:08] So, if we have the hash of a local admin, and you as the client, use the same local admin password across the network. 

Josh Bozarth [00:28:16] This is where 1 plus 1 equals 2, because now, we can use that hash that we got from this system, and send it to all the other ones on the network, and they're going to respond back, yeah. That's the local admin password. We have two. And now, that's when we start poking and prodding and looking for things that will escalate us over to the domain level, right? 

Aaron Moss [00:28:45] Essentially, we have tools; Mimikatz is a great example. Once we get a shell on a system, we can run Mimikatz, you know, using that local administrator hash to log into a different system, until we find a domain admin who's logged in. We use Mimikatz, of course, to find that information. 

Aaron Moss [00:28:53] Then log into the domain, and into the domain controller, and voilà, we've got complete access. 

Aaron Moss [00:29:01] We've got the keys to the kingdom, essentially. Yeah. 

Josh Bozarth [00:29:03] So, what we're saying is it doesn't matter how strong that local admin password is, if we can see, if we can somehow get the hash.

Aaron Moss [00:29:09] if it's the same password everywhere. And that's what we're fixing to get to right now. 

Josh Bozarth [00:29:18] No, no. We're gonna show you pictures are password cracker? 

Aaron Moss [00:29:22] This is my baby. I built this, like I said, I can crack it. Tell him about 122 Giga Hashes per second. 

Aaron Moss [00:29:29] Like I said, baseball one, it went the Plaid, it's the LMB to about five point. 

Josh Bozarth [00:29:33] Yeah, does it get hot? 

Aaron Moss [00:29:35] It really does. We've actually got an extra fan just sitting on top of the sucker to make sure that the cards don't overheat. 

Aaron Moss [00:29:43] But with this being said, we built this machine. 

Aaron Moss [00:29:46] And as I said, our cracking time went from weeks, or sometimes even up to years, to hours or minutes with NTLM. And with LM hashes, which still do exist out there on some of those older machines, seconds. And a lot of that is with using, we use a lot of dictionaries. 

Josh Bozarth [00:30:07] We compile those over the years based off data that we get as we do our tests. We like to roll that back into our dictionaries to speed that up, but, I mean, frankly, some of these passwords we crack are complex; they're legitimately complex. 

Aaron Moss [00:30:25] Absolutely. There have been a lot of passwords that I could probably throw at the cracker for years and years, as it sits right now, and they may never get cracked. 

Aaron Moss [00:30:30] With that being said, though, I probably crack a good 60 to 70% of the hashes that we've come across so far. 

Aaron Moss [00:30:40] So, what do we do about bad passwords? 

Aaron Moss [00:30:45] Change them, change them. Find your default passwords. 

Aaron Moss [00:30:49] Don't have a default password for your local users. Change them. Get rid of "admin", "changeme", the default Cisco one, whatever.

Josh Bozarth [00:30:53] Take a look at your assets. Think about what you have. Do you have a bunch of printers? 

Josh Bozarth [00:31:05] Do you have a bunch of webcams, things that can easily be set up with default credentials, or left that way? Maybe it was set up by somebody else, set up by a vendor. You have to look at it holistically. And even if, let's say, you have a security firm, you know, doing physical security in there, and they have their own web camera system, if it's on your network, you should be concerned, yes. And there is a conversation that needs to be had with those folks about their systems and the security around them.

Aaron Moss [00:31:30] It goes back to the patch management thing. This is just another related piece to patch management, because you're essentially doing the same thing. 

Aaron Moss [00:31:41] If you know what's on your network, then you can go through and manage it. If you don't know what's there, then you have no idea until we come along and we find it for you. 

Aaron Moss [00:31:51] Enable the complex passwords. But don't rely on them. 

Aaron Moss [00:31:54] You know, a lot of times, whenever you get a complex, quote unquote, password, it's eight characters long, and it's random characters: uppercase letters, lowercase letters, a number, a symbol. 

Aaron Moss [00:32:07] And I hate to tell you guys this, but with the cracker... 

Aaron Moss [00:32:09] And if it's eight characters, I can have it cracked in about 12 hours or less, especially for NTLM. Disable NTLMv1 and LM on every system in the network. This is possible with Group Policy. And if you can, disable ... v2 by switching to straight Kerberos. There are a lot of networks that may not support that yet because of older systems being on there. 

Aaron Moss [00:32:36] But if that's something you can do, try it. Avoid using passwords where possible. 

Aaron Moss [00:32:44] That may not be possible. But definitely investigate it again. 

Aaron Moss [00:32:49] Smart cards are good for this. 

Aaron Moss [00:32:53] Trying to think of other things off the top of my head; smart cards are the first thing. You may have other experiences. 

Josh Bozarth [00:32:58] And those are the ones, I think we're getting into a day and age where that technology is going to be more prevalent, where password use is going to be reduced. 

Josh Bozarth [00:33:06] So we talk about things like multi-factor authentication, and using things that you know and things that you have to help authenticate yourself. That's not real commonplace in, like, a Windows environment, but it's going to happen. I expect that it's going to happen, if it hasn't happened on some clients already. 

Josh Bozarth [00:33:24] So it's really, we can't tell you what to do. 

Josh Bozarth [00:33:28] We can just show you that there are options, and don't feel like your hands are tied with, like, oh, I can only rely on Microsoft's complexity factors in Active Directory. You can get creative, right? Just, don't, yeah. You've got to balance it out without making your employees stab you. 

Aaron Moss [00:33:47] And that's an important part too, I don't want to get started now, is password managers. This is a big one, because a lot of your system accounts can use a password manager. 

Aaron Moss [00:33:59] You can use long strings with super complexity, and you have a central repository that's an encrypted location for all of your passwords. We use it. Actually, personally, I've used KeePass for years, because it's not cloud-based. It's just a little file that I keep with me at all times. 

Aaron Moss [00:34:19] And then I have a pretty complex password that I have to remember. But it's just one password I have to remember, versus hundreds. 

Aaron Moss [00:34:27] And so that's one of the things that I highly recommend for anybody to do. I've told my mom, and my grandma for that matter, hey, use a password manager for all your passwords, because it's going to at least keep them a little bit safer. 

Josh Bozarth [00:34:42] Yeah, I mean, I even got my parents to use it. Yeah, and, I mean, that's from a personal standpoint. 

Josh Bozarth [00:34:49] But these solutions, even the cloud-based ones, are available, and IT groups, and just administrators in general, need to use these things, because we have so many different accounts and we don't want to use the same password across them. 

Josh Bozarth [00:35:06] Because, again, if I have that password, and I got it from, you know, this breach, let's say it's your Gmail, and I can use it on an internal network at the company, because that's the password you use, then yeah, you've basically put a risk on the company that doesn't need to exist. 

Aaron Moss [00:35:33] Right. Configure complex passwords for all user accounts. This one's a little bit harder, because sometimes you don't have the political capital. 

Aaron Moss [00:35:32] I totally get that, to go through and say, hey, I'm gonna make these passwords 10-character passwords, and we're going to make them super complex. 

Aaron Moss [00:35:41] And then you have everybody from, you know, Joe Schmo down in the mail room to the CEO beating on your door saying: why does my password have to be so big? 

Aaron Moss [00:35:52] And so it's really difficult to try to enforce that sometimes. But your CEO's a turkey sometimes. Hey, you know, Tyson Chicken, I'm sure. 

Aaron Moss [00:36:05] Probably the CEO of Chick-fil-A, I'm sure, you know, their cows. That's right, Chick-fil-A probably has a cow as CEO. Anyway. Passphrases are great for this. 

Aaron Moss [00:36:16] Um, use a song lyric, a Bible verse. Use a sentence that means something to you. 

Aaron Moss [00:36:22] But that wouldn't have any significance to anybody else, because basically what you're doing is you're creating a long password string that is still somewhat complex, especially if you do it grammatically correctly, um, and you're going to have a really difficult time trying to crack that. 

Aaron Moss [00:36:41] Because it's long in the first place. The longer your passwords are, the much harder they are to crack, just, I mean, by virtue of the key space that you're trying to crack alone. It grows exponentially for every character that you add. 

Aaron Moss [00:36:56] And so, which is one of the reasons, I'm sure, I still have probably a good 30 to 40% of the passwords that I've tried to crack with the cracker uncracked at this point. Jumping past that: disable the local administrator account. 

Aaron Moss [00:37:09] Which sometimes can be done, sometimes can't be done. Or, what we highly recommend is that you use Microsoft LAPS, which stands for Local Administrator Password Solution, or another, similar solution. 

Aaron Moss [00:37:25] And what LAPS does, essentially, is it will give each individual machine a random password, and you set an interval in Group Policy to say, hey, I'm going to have these machines change their password every 12 hours, every two days, whatever. 

Aaron Moss [00:37:41] And each individual one has its own password that is completely unique to the machine, which it then changes. 

[00:37:52] And the only way to have access to those passwords, if you ever do need access to the local administrator account on those machines, is to go into the Active Directory infrastructure. 

Aaron Moss [00:38:03] Of course, there are certain levels of administrator access you need to get into the Active Directory infrastructure. 

Aaron Moss [00:38:08] So at that point, the whole point is, if you have access to the Active Directory infrastructure to gain access to the local administrator password, then you don't need the local administrator password to log into those machines. 

Josh Bozarth [00:38:24] We need to keep moving here. We're going to run out of time.

Aaron Moss [00:38:30] OK, shameless self-promotion: go check out my blog posts on pass-the-hash and installing LAPS for fun and profit. I've written a few things about that. 

Josh Bozarth [00:38:36] And you can find these on our blog, if you actually just go there and kind of browse around. You'll see these as well, in case you can't capture these. We need to keep moving. We've got, oh, OK, we're still on two. All right. Now, this is important. 

Aaron Moss [00:38:48] This is a super important lesson, two A, again, local administrator. Stop giving... 

Aaron Moss [00:38:57] Let me calm down for a second. Stop giving your users... local administrator accounts. 

Aaron Moss [00:39:04] Stop giving your users, local administrator access. 

Aaron Moss [00:39:10] This is bad. 

Aaron Moss [00:39:11] It's great for us. Yeah, don't get me wrong. I love it whenever I come across this, because it really does make our job super easy. This is bad for the network. 

Aaron Moss [00:39:22] People can install things, and it's just bad. So can we stop doing this now? Please and thank you. 

Aaron Moss [00:39:33] All right. 

Josh Bozarth [00:39:34] Now we're going to talk about poisoning. This is probably the first thing that we do when we're on the inside of the network. 

Josh Bozarth [00:39:41] This is how we get access to a lot of those password hashes. So, what we're talking about here is, it's a function of Windows. 

Josh Bozarth [00:39:49] Trying to be helpful: L-L-M-N-R. Just say that three times. I can't type it, either. It's basically LLMNR, LLMNR, LLMNR. So, what we've got is, we sit on the network, because we're on the network at this point. This is an internal test, maybe, or maybe we've already gotten inside via external. 

Josh Bozarth [00:40:12] And we pretend to be other systems; we pretend to be responding to anything that comes across broadcast. And so these messages, these NetBIOS messages, these LLMNR messages, are coming across. 

Josh Bozarth [00:40:26] And, you know, they're asking questions, and we're like, yeah, I can answer that. So we basically have software that we kick off rather quickly that resolves, tries to get these challenges. 

Josh Bozarth [00:40:36] So, basically, what we get is systems sending their credentials to us, hashes, effectively. 

Josh Bozarth [00:40:41] And that's nice. And, you know, sometimes it's regular users, sometimes it's domain admins. 

Josh Bozarth [00:40:49] What other things have you seen? 

Josh Bozarth [00:40:50] We've seen, like, we've had database passwords come across. This was actually...

Aaron Moss [00:40:57] I've had the sa passwords come across, because sa, the older versions, like up to SQL Server 2005, had an encoding algorithm for the password instead of encrypting it, so it's easy to decode if you know the algorithm, which Responder has built in. But essentially, as Josh was saying, what happens is, whenever a workstation goes out and talks to a DNS server, it says, Hey! I'm trying to find this particular server, and the DNS server says, I have no idea what that is. And so the workstation sends out a broadcast. It says, Hey, does anybody else know what this is? 

Aaron Moss [00:41:27] And then Responder, which is the tool that we use, says, Yeah, that's me, send me your information. And so from there, of course, we get password hashes and everything, and then we can crack those hashes, know who's on the network, et cetera. 

Josh Bozarth [00:41:42] Yep, that pretty much puts us in a position where we're almost done at that point, right? 

Aaron Moss [00:41:48] That's broadcasting on your network. 

Josh Bozarth [00:41:53] So, this is, we see this everywhere. This is very common. 

Josh Bozarth [00:41:56] So part of what we like to do is educate clients on what they can do to, you know, disable this stuff. So this is kinda the output of the tool that we use. You can see where we're emulating lots of different things here. When we execute this, we're only, your WPAD, your proxy stuff, your authentication proxies; we're pretending to be an SMB server. We're pretending to be a Kerberos server and SQL Server, and you can see that the latter half here is the output. So this is what we're seeing. 

Josh Bozarth [00:42:25] We're seeing the answers sent; we're sending poisoned answers back. 

Josh Bozarth [00:42:28] And then there at the end, we have changed things around, but what you effectively get is not a legitimate hash. I have, you can zero it out. Some of you can try to crack those. Please do. And if you come across something, let me know, because that means that I did something weird, yeah. 

Josh Bozarth [00:42:42] So, we'll get this hash and we can throw this hash in our password cracker. 

Josh Bozarth [00:42:46] Run it against dictionaries. 

Josh Bozarth [00:42:48] Maybe we'll get that password. 

Josh Bozarth [00:42:50] Most of the time, we do. Because it's usually some kind of service account with some kind of boring password that's easy to write. 

Josh Bozarth [00:42:57] We've got to keep moving here for lunch there. All right. Let's do this. 

Aaron Moss [00:43:05] We get LM. We can get NTLMv1 and v2 hashes, which is net ... v1 and v2. Not the actual NTLM hashes, but, again, it can capture HTTP, SQL. 

Aaron Moss [00:43:14] And also in plain text; like, we could just get straight-up plaintext passwords. And again, we can crack them, usually within hours, if not minutes. 

Aaron Moss [00:43:25] And so, to get to the recommendations, because I think we've already discussed a lot of this: just disable this stuff. Disable LLMNR and NetBIOS over TCP.

Josh Bozarth [00:43:40] I think it's been determined that, if you're, what's the version? What if you've got, like, Windows 2000 or something on your system? I think that's something that you can't turn off. Well, it's NetBIOS over... I don't think ... was around yet, but NetBIOS over TCP was definitely there, and it was something that was used solely. We're showing you here. 

Josh Bozarth [00:43:56] There's a way to do it via Group Policy for LLMNR, really, LLMNR, LLMNR, say it with me. I don't, I just read it all the time. I know that, I know. So, here's where you turn it off ... LLMNR, LLMNR, in Group Policy. 

Aaron Moss [00:44:16] Well, LLMNR. We're still showing you how to turn it off. 

Aaron Moss [00:44:21] Turn that off from it. 

Josh Bozarth [00:44:23] The way, you change it to Enabled; this is where it's a double negative. So notice it says multicast name resolution. 

Aaron Moss [00:44:28] So this, it doesn't say link-layer, but, excuse me, link-local. Link-local, not link-layer. This is layer, what, layer two. 

Aaron Moss [00:44:39] Here's, you can disable NetBIOS; you kinda have to do that. This is a little more funky. Yeah, there's no GPO setting you can control this with, but you could probably do it in your DHCP server options. 

Aaron Moss [00:44:50] And so if you run through the slides, notice we're in the Local Area Connection, hit Properties, hit Advanced, then Disable NetBIOS over TCP/IP, hit OK, hit OK, hit OK, and that will turn that off. 

Aaron Moss [00:45:05] And again, there's the DHCP server options. I don't know if I had them on the next slide or not. 

Aaron Moss [00:45:09] But now you can basically Google how to turn off NetBIOS over TCP via the DHCP options. 

Aaron Moss [00:45:17] And there are at least 10 different sites that explain how to do that. 

Aaron Moss [00:45:21] Lesson number four, AV is still important. 

Aaron Moss [00:45:26] So, so many people have said antivirus is dead. 

Aaron Moss [00:45:32] Long live antivirus. It's not dead. It is effective. 

Aaron Moss [00:45:36] Effective at finding like low level, low hanging fruit, right? 

Aaron Moss [00:45:42] I mean, your viruses, if you get some kind of, just like somebody sends you an e-mail that has got something that's already been seen out in the wild, your AV is probably going to catch that. Yeah. 

Aaron Moss [00:45:53] Now, AV is not good, of course, for zero-days and for targeted malware and stuff like that, possibly. 

Aaron Moss [00:45:59] But it still catches attacks. It serves a function. It still needs to be there. 

Aaron Moss [00:46:06] And yeah, it can be bypassed or completely turned off, but that takes a lot of effort, and it's generally after we've already gained administrator access to the system. 

Aaron Moss [00:46:14] But again, it stops a lot of the common attack vectors, even ones that we use: known malware, viruses, trojans, worms, et cetera, but also stuff like netcat, Mimikatz and ... or shells, a lot of the tools that we're using. 

Josh Bozarth [00:46:27] They figure out ways to detect that, and rightly so, because those are going to be the tools a lot of other folks use. Exactly, the tools we use are just public-domain tools. 

Aaron Moss [00:46:37] We don't have a whole lot of custom stuff unless we develop it ourselves internally, and then it's not really a tool, necessarily, that we use to gain access to somebody; it's just for scanning and recon. 

Josh Bozarth [00:46:49] Servers need AV. Oh, man. If you've got external facing servers, get AV on them. 

Josh Bozarth [00:46:55] But it also needs to be tuned, because you don't want this thing cratering your system because it's sitting there scanning it. 

Aaron Moss [00:47:01] 100% of the time, if you've put it on a database server and all of a sudden your database server craters, crashes, whatever, it's because the AV's probably trying to scan that database file. 

Aaron Moss [00:47:11] And as you know, databases are constantly being written to, read from, and everything else, and so the AV is gonna completely level that server.

Josh Bozarth [00:47:20] But we're pen testers, not admins. You can tune that stuff to your own needs, right? Exactly. 

Josh Bozarth [00:47:24] What we're wanting to point out mainly here is, your AV can be a point of vulnerability with your consoles. 

Josh Bozarth [00:47:32] We found it where we can disable your AV, because your server consoles aren't protected appropriately. 

Aaron Moss [00:47:43] Well, actually, what we're finding is that we can disable the AV directly on the machine, because the server console, the AV itself, doesn't have a password, or it's turned off. So you can disable it using something like, for Symantec, for instance, smc.exe -stop. 

Aaron Moss [00:47:58] That will turn off Symantec Antivirus, or Symantec Endpoint Protection. 

Aaron Moss [00:48:02] I mean, it's incredibly simple, and then, well, now I have access to run Mimikatz on your server and I have your password.

Josh Bozarth [00:48:10] Then number five. We have seven? I don't know, six or seven? 

Josh Bozarth [00:48:15] So, maybe people can be the weakest link, and, well, if you talk to any of us for any length of time, we would already agree to that statement. Yeah. Social engineering attacks are going to be with us forever, basically. 

Josh Bozarth [00:48:30] Because they can be so flexible and change with the whims of culture and with how people do things. Social engineering is always going to be there. People just want to be helpful. They like to help people. People are still good, for the most part. 

Aaron Moss [00:48:48] And they want to help us to do things. 

Josh Bozarth [00:48:55] So, a lot of the social engineering activity that we do is strictly phishing. That's really the most successful thing for us. 

Josh Bozarth [00:49:00] What we get is passwords. So we'll create things. We do phishing with phone calls, you know, otherwise known as vishing. 

Josh Bozarth [00:49:09] It is time-intensive and laborious, because you have to kind of create these pretexts, pretend to be these people. When I create an e-mail, I only have to do it once and I can send it to a bunch of people. 

Josh Bozarth [00:49:20] I kind of have to, you know, when we're doing it by phone, it tends to need to be a little more nuanced. 

Josh Bozarth [00:49:26] We also have physical attacks that are technically called social engineering. And Aaron is a big fan. 

Aaron Moss [00:49:35] I love doing physical, or physical, what? He is a very physical person, and I'm hugging Josh right now. Keep away. So here's kind of what we can generate. 

Josh Bozarth [00:49:42] This is kind of one of our go-to phishes. 

Josh Bozarth [00:49:45] Somebody said, we'll create what looks like a standard Microsoft security alert. You know, it looks like, Hey, somebody has accessed your account inappropriately, we need you to recover your account. We create the big button for everybody, it all goes into their Outlook, and nobody really questions that, for the most part, because it looks legitimate, right? 

Aaron Moss [00:50:00] One of the things to look out for is the e-mail address that it's coming from. 

Aaron Moss [00:50:11] Excuse me, and one of the e-mail addresses it's coming from, in particular, says portal-outlook.com. 

Aaron Moss [00:50:18] There's no such thing as portal-outlook.com. Sure there is. Well, there is now, because of us. Yeah. That's right. 

Aaron Moss [00:50:26] So be on the lookout for stuff like that. If there's a dash somewhere in that domain, um, at least be wary of it, at least question that.

Josh Bozarth [00:50:45] I mean, this goes into understanding where, the reason why these things are successful is because clients are migrating more to Office 365. And so everyone's got all these third-party external services that they're using to go to, as opposed to everything being internal, like it used to be back in the day. So everyone's just kinda going with it: OK, yeah, that's my Office. That's my e-mail, that's my Outlook e-mail for Company Z. 

Josh Bozarth [00:50:59] They're not going to think to look when they click the link. Yeah, so they go to the link, and this is what they get. 

Josh Bozarth [00:51:04] It kinda looks like what you would expect when you're signing into your Microsoft account, whether it's, you know, the Outlook portal, or the Office portal, or just generic. 

Aaron Moss [00:51:15] You know, I want to point out that at the top of the screen, it says "Not secure", and there's no little green lock there, or whatever. 

Aaron Moss [00:51:22] You don't have a cert on this. Yeah, we don't have a cert on this thing, but even if we did, it would probably still look legit, because we can totally get an SSL certificate for portal-outlook.com and make it go to portal-outlook.com, and then you click on that, you see the green lock, and it's going to say, hey, this is a legitimate site. And we've had to do that before. We have done that as well. Don't trust that the green link, the green lock, means anything, right? 

Josh Bozarth [00:51:52] So, the end result with phishing is that training is great, but don't rely on it 100%. You need to vary this training, and that's where, sometimes, when we do our social engineering engagements, we get to do different things than maybe your run-of-the-mill. 

Josh Bozarth [00:52:02] Tools that are template-based are only going to, you know, basically do the same thing over and over. We try to create real-world examples, things that people are seeing. When we work with a client, we actually ask them, Hey, what kind of spam e-mail are you seeing that's pretty prevalent these days, that you're dealing with? And we will actually either mimic it completely or do something similar to that, and it's still successful. Which shows that training is still needed. You still need to keep pushing on that training, communicating what domains the company uses, whether it's, you know, office.com, you know, the Microsoft domains, or some other third party like ADP. We've busted a lot of people with fake ADP sites. So yeah, it's a gold mine, because they're like, oh, it's tax time. Hey, go get your W-2. Oh, hey, we got a new pay stub that we had to fix. It will fix your pay stub and increase your amount. You know, people are going to click on that every time. 

Josh Bozarth [00:52:55] I would click on that. I think I would too. Um, this is another thing that you can do, and a lot of clients do this. 

Josh Bozarth [00:53:02] They'll add subject-line tags, because, you know, e-mail can be modified in transit. 

Josh Bozarth [00:53:07] So before it gets delivered to somebody at your company, if it's from an outside domain, they can prepend it with "External", or they can put things in a red font, or you could put it in neon yellow with red on it, whatever works. 

Josh Bozarth [00:53:21] But the idea is to help people report weird e-mails. 

Josh Bozarth [00:53:27] But the end result is to test your users, not just once. 

Josh Bozarth [00:53:31] But often, yeah. 

Aaron Moss [00:53:32] Like, once every couple of months is probably a really good thing. You can do it with random users, for that matter. Don't do the same users over and over. You want to get a good sampling. 

Aaron Moss [00:53:42] The users, if you're doing it with... Let's move on to social engineering attacks, the physical side of things. 

Aaron Moss [00:53:48] Whenever the external network is really well secured, the easiest way in might be the front door, or the side doors. 

Aaron Moss [00:53:55] Or the loading docks, the contractor entrances, the smoke holes. Wherever people gather. If I show up with a badge that looks like theirs... 

Aaron Moss [00:54:05] I can pretty much follow them in. Guys, once I made something labeled a smoke hole, hold on, go in it, bad. 

Aaron Moss [00:54:13] I don't know where this term came from; smoking is bad. It came from decision one, literally where I learned the term. Anyway, we gotta keep moving. So, employee tailgating, as it says here: a little bit of misdirection goes a long way. If I'm doing a physical engagement, it's generally me and Anderson, Steven Anderson, who is another security consultant here. He may make up some kind of thing, be talking to somebody. Oh, there is, yeah, hey, there's Anderson now. And we will be talking to people, and we'll just make friends with people, like, man, yeah, you heard about this new thing? And we will literally talk to people as we walk in the door behind them. And then, well, I gotta get back to work. It's good to talk to you. I'll see you soon. 

Aaron Moss [00:54:56] Now, we have access to your building. 

Aaron Moss [00:54:59] It happens quite often, actually. And we really love it. 

Josh Bozarth [00:55:02] So, obviously, we can create badges that look like your badges. It's not unheard of. They don't have to work. 

Aaron Moss [00:55:10] They just have to look like they're your badges, right? And it makes the beeper, your card reader, beep, even if it's not working. That's an easy way to, like, man, I have talked to security about this six times this week, and my stupid badge is still not working. Can somebody get me in touch with them? They'll let me in. 

Josh Bozarth [00:55:30] Obviously, tailgating is a common issue. Creating that as part of your security program, making people aware of that. We have clients that are really good about that, so it's possible. 

Aaron Moss [00:55:40] This is a culture thing, people. The security culture needs to be, hey, everybody needs to be aware that these attacks can happen like this. 

Aaron Moss [00:55:49] Let's let everybody know. 

Aaron Moss [00:55:52] Everybody needs to badge in, regardless of whether you know them or not, if they're following you in. 

Josh Bozarth [00:55:59] There could be consequences. Let's keep this on the level. It basically boils down to: if you see something, you need to say something, if it's weird. 

Josh Bozarth [00:56:09] Question it, right? 

Josh Bozarth [00:56:10] And contact their manager, call security, create an option for folks to be able to escalate that if necessary, because you don't really want your employees, you know, manhandling weirdos, right? But you want them to be aware and be able to report things that are kinda fishy, so to speak. 

Josh Bozarth [00:56:29] OK, so I think we actually got through everything here. We're gonna hurry. Yeah, we're gonna have to, really, because it's down to the .... 

Josh Bozarth [00:56:35] If you've attended maybe a talk in years past, or maybe you did in December, when we did it, it does seem familiar. The problem is that these issues are still the same ones that we've seen over easily the past three years. 

Josh Bozarth [00:56:52] We're seeing the same things: default credentials, you know, things not getting patched, security awareness training horrible, things like that. 

Aaron Moss So Responder is relatively new over the past couple of years, but it's still something that's been around forever.

Josh Bozarth [00:57:05] But in general, we also want to help you understand that it's not as bad as it sounds. 

Aaron Moss [00:57:11] You guys are getting better. This is something I really wanna get the point across. The blue teams, the system administrators, network administrators, are making it harder for us every year. 

Aaron Moss [00:57:21] Um, there have been tests that we've been on that. 

Aaron Moss [00:57:25] You guys are taking into account the patching, you guys are taking into account the more complex passwords, getting rid of your default passwords. 

Aaron Moss [00:57:35] You still may have missed one, and we can use that to get into your network. 

Aaron Moss [00:57:40] So continue on the path that you're on, getting better, because that's super important, and we're really proud of you guys. That's what we're trying to say. 

Josh Bozarth [00:57:56] So, one of the things that we want to offer everyone who's listening is, we have an option for you guys to be able to contact us and work with us on, you know, determining whether or not the scope of your pen tests is appropriate to your company's needs. Because sometimes you'll be using the same folks over and over, and it just kinda gets dull, weak. I mean, even with our own testing, we have to refresh things once in a while. We're glad to sit down and discuss that with you guys, and you'll hear more information about that later on via e-mails and in other contexts. 

Josh Bozarth [00:58:24] But we want to let you know that we're going to be able to provide that as kind of an initial consultation. 

Josh Bozarth [00:58:30] That's not going to be anything that you're going to have to worry about payment-wise, but let us have that conversation with you to make sure you're looking at the right thing in your environment. Right? 

Aaron Moss [00:58:40] I personally love to talk to people. So give me a call, and this is just information about us. 

Josh Bozarth [00:58:45] I'm not going to belabor this. A lot of this stuff is on our website. We have lots of experience. We're crazy, crazy, netball guys, that the crazy. Yeah, yeah. See, like I said, this is what I have to manage. 

Josh Bozarth [00:59:02] We have a lot of different services. We talked about the IT managed service side that we have, alongside our group, which is the Security Testing Services, which is the best group, and although, you know, I've met, I've worked with all those guys, they're great. Yeah. I mean, we are the best, not whether I like, what? I knew. All right. 

Josh Bozarth [00:59:20] So, we're gonna pause and let Lisa kind of do something. We may be wrapping up. It is 11 o'clock, right, on the dot, central time. But I'm going to pause and let Lisa run some stuff. And if we need to respond to some questions, we will. 

Josh Bozarth [00:59:41] Can you, Lisa? 

Lisa Remsa [00:59:43] Thank you everyone for attending. We appreciate you being here. If you'd like to take us up on the free offer, just send us an e-mail at info at True Digital Security dot com. You'll also get an e-mail tomorrow that goes into a little bit more detail. But thanks for joining us. If you submitted a question, we will respond to you via e-mail, since we ran out of time. But thanks again, and we'll see you at the next True talk. 

Josh Bozarth [00:60:05] So, yeah, everybody. Thanks for joining. And thanks for joining us, guys.
