6. The media listed the top nation-state threats of 2016!
Russia, China, Iran and North Korea!
Source: www.cbsnews.com
7. Cyber spying, or cyber espionage, is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information.
Source: Wikipedia
8. Michael Daniel - Former US Special Assistant to the President and Cybersecurity Coordinator.
“You’ll never be able to prevent all of them, everything is penetrable eventually…”
29. What a good pentester does
• Gets remote access to the internal network.
• Exploits internal misconfigurations.
• Hunts out users of interest.
• Exploits to Domain Admin (DA).
30. So if pentesters are doing this, how highly sophisticated are the spies?
32. • Financial firms take on average 98 days to detect a breach.
• Retail takes on average 197 days to detect a breach.
• How long does it take to get access?
33. Source - Survey of 70 professional hackers at DEFCON 2016.
• 88% of hackers can break through cybersecurity defences and into the systems they target within 12 hours.
• Made me laugh - what, are they sleeping??
34. “Got me thinking”
• Could a single person have accomplished the Sony hack?
• Was it sophisticated?
• And what would the cost be?
67. Microsoft do not salt local hashes.
• “It is difficult to alter the password processing algorithms without impacting a lot of subsystems and potentially breaking the backward compatibility, which is the driving force of the Windows ecosystem.”
70. Criminals catching up - slowly
• 2016 reports of ransomware starting to use pass-the-hash (PTH).
• Pentest technique used to discover more shares.
87. MS14-025: Vulnerability in Group Policy…
1. Any user has rights!
2. DNS Servers . . . : 10.1.20.220
3. \\10.1.20.220\sysvol\NAME\Policies
4. groups.xml, scheduledtasks.xml, & services.xml
5. Microsoft published the AES encryption key on MSDN
90. KB2962486 - prevents new credentials from being placed in Group Policy Preferences…
It does not delete any previously added scripts!
91. Kerberoast…
Tim Medin revealed “Kerberoasting” to the world.
1. Any user has rights!
2. Targets service accounts.
3. Used to be complex to exploit…
92. Kerberos provides secure user authentication with an industry standard that permits interoperability.
Kerberos Version 5 was added in Win2k – still used today.
95. Kerberoast - Using poshc2
1. Email a macro in;
2. Select your implant;
3. Run Invoke-Kerberoast;
4. Get the hash;
5. Hashcat + Rocktastic;
6. DA…
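The detection-side counterpart to the Kerberoast steps above, added here as an example and not part of the talk: it applies the usual Security event 4769 heuristic (RC4 service tickets, type 0x17, for non-machine accounts, with one user requesting several distinct services in a short window) to constructed event records. Field names follow the 4769 EventData; the users, service names, timestamps and threshold are made up.

```python
"""Flag Kerberoast-style TGS requests in Windows Security event 4769 records.

Invoke-Kerberoast asks for RC4-HMAC service tickets so they crack faster, so a
burst of RC4 (0x17) tickets for user service accounts from one requester is the
classic signal. Machine accounts (names ending in $) and krbtgt are excluded.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
EXCLUDED_SERVICES = {"krbtgt"}   # legitimately requested with RC4, ignore


def ev(t, user, svc, etype, status="0x0"):
    """Build a minimal 4769 record (constructed sample data, not a real log)."""
    return {"time": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status}


SAMPLE_EVENTS = [
    ev("2016-11-02T09:00:01", "jsmith@CORP.LOCAL", "WS01$", "0x12"),    # AES machine ticket
    ev("2016-11-02T09:00:05", "jsmith@CORP.LOCAL", "krbtgt", "0x17"),   # excluded service
    ev("2016-11-02T09:01:00", "bob@CORP.LOCAL", "svc_sql", "0x17"),
    ev("2016-11-02T09:01:02", "bob@CORP.LOCAL", "svc_http", "0x17"),
    ev("2016-11-02T09:01:03", "bob@CORP.LOCAL", "svc_backup", "0x17"),
    ev("2016-11-02T09:30:00", "alice@CORP.LOCAL", "svc_sql", "0x17"),   # single request
    ev("2016-11-02T09:31:00", "alice@CORP.LOCAL", "svc_http", "0x17", "0x1B"),  # failed
]


def is_suspicious_tgs(event):
    """True when one 4769 is a successful RC4 ticket for a user service account."""
    svc = event["ServiceName"].split("/")[0].lower()
    if event["TicketEncryptionType"].lower() != RC4_HMAC or event["Status"] != "0x0":
        return False
    return not svc.endswith("$") and svc not in EXCLUDED_SERVICES


def kerberoast_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: sorted services} for users pulling >= threshold distinct
    RC4 service tickets inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for event in events:
        if is_suspicious_tgs(event):
            by_user[event["TargetUserName"]].append(event)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        for i, start in enumerate(times):
            services = {e["ServiceName"] for e, t in zip(evs[i:], times[i:]) if t - start <= window}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    print(kerberoast_alerts(SAMPLE_EVENTS))   # expect only bob to be flagged
```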
96. • I took a look back over a few months’ tests.
• 14 internal infrastructure tests.
• 7 remote social engineering tests.
• I’m not lazy, I also did web app and external inf tests ;0)
97. • In 17 out of 21 tests DA was gained.
• 81% of my tests resulted in DA.
• Why not 100%?
• Hardening, not Windows (PCI), maybe an off day?
99. • Remote vs internal SE?
• Why risk it when you can send an email?
• If time were no problem, remote would always win.
• But if pressed for time, maybe another way?
100. Before we go all internal! Look at another route…
101. • Internals often include wireless testing.
• Segmentation is the common concern.
• Corporate Wi-Fi vs guest Wi-Fi.
102. • Guest networks are common.
• Guest networks, if secured, often have a weak PSK or 4-digit PINs (Burp).
• If segmented correctly, where’s the risk?
103. • Common to find corporate users on guest Wi-Fi.
• Microsoft does not forget.
• Reasons why they use it: it’s quick and easy.
• We don’t broadcast Wi-Fi far ;0)
104. • Parabolic grid 24 dBi directional antenna.
• From £37.
• Plugs into an ALFA.
109. • Remote + wireless fails.
• Walk in off the street.
• Tailgating at 8:45am often works great.
• 12:00 – 2:00pm turnstiles: “Sorry, I nipped out for lunch and forgot my pass.”
110. So, on site.
• Find a place to hide, fire up Responder…
• Mapped drives cause broadcasts!
112. • Responder is not receiving any hashes?
• I quite enjoy this, it’s a challenge.
113. • Cold boot attacks.
• People encrypt laptops, not PCs.
• BIOS boot settings are often left standard.
• Why do people not stop you?