Darknet Diaries - Ep 36: Jeremy from Marketing

Episode Date: April 16, 2019

A company hires a penetration tester to pose as a new hire, Jeremy from Marketing, to see how much he can hack into in his first week on the job. It doesn't go as planned. Thanks to @TinkerSec for telling us this story.

This episode was sponsored by Nord VPN. Visit https://nordvpn.com/darknet and use promo code "DARKNET". This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet.

For more show notes visit https://darknetdiaries.com/episode/36.
Hey, my name's Jack, host of the show. Before making this podcast, my job was looking at my clients' networks to try to find ways to make them more secure. In other words, I was on defense, locking things down, hardening systems, securing applications, and trying to turn off everything that didn't need to be on. And the defense team is sometimes known as the blue team. I'm on the blue team.

But one day we paid an attacker to come into our office and see how well I did at securing the network. He was a professional penetration tester, and I made him sit right next to me. Attackers like this are said to be on the red team. And this whole red team, blue team thing is just a term borrowed from the military, where they had drills with attackers and defenders. So here I am, the blue team, and there he was in the desk right next to me, the red team, the adversary, the enemy, a hacker. What do I do? Do I sabotage him so he can't do his job? Do I block his IP from getting anywhere? It wasn't that I didn't trust him, because he came from a very trusted company, but it was that I was extremely curious about how he works.

So I wheeled my chair right over to his desk and I watched over his shoulder for the whole week. And I was amazed at what he could do. I learned so much that it forever made a permanent impact on the way I see how attackers work. And I want to give you that experience. So in this episode, we're going to get geeky. We're going to get really nerdy and just like crazy technical at times as we watch over the shoulder of a penetration tester to see exactly how they do their work and how they try to get the crown jewels of a company.

These are true stories from the dark side of the internet. Presented by Jack Rhysider.

This is Dark by Delete Me.

I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realized I don't need to be fighting this alone anymore.

Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites, and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it, and they immediately got busy scouring the internet for my name and gave me reports on what they found, and then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for Darknet Diaries listeners. Today get 20% off your Delete.me plan when you go to joindeleteme.com/darknetdiaries and use promo code DARKNET at checkout. That's joindeleteme.com/darknetdiaries. Use code DARKNET.

Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com.

                                         
                                         The penetration tester we're going to watch over the shoulder of goes by the name Tinker.
                                         
                                         He has a background in the U.S. Marines and has been doing penetration testing for like a long time, years.
                                         
                                         And when you do penetration testing for that long, you end up knowing a lot about computers,
                                         
    
                                         like far, far, far more than the average person and even more than the average IT person.
                                         
                                         And Tinker really is top notch at knowing how computers work in general.
                                         
                                         So I called him up.
                                         
                                         Hello?
                                         
                                         Tinker, are you there?
                                         
                                         Hello?
                                         
                                         The cable just wasn't pushed in all the way.
                                         
                                         That's all right.
                                         
    
                                         It's the nature of all.
                                         
                                         Most issues are cable-related.
                                         
                                         Okay.
                                         
                                         Sounds like we're going to be in for a ride here.
                                         
                                         All right.
                                         
                                         So let's start out with just tell us your name and what do you do?
                                         
                                         Sure.
                                         
                                         My name is Tinker Sikor.
                                         
    
                                         I am a penetration tester or red teamer, depending on the nature of the engagement.
                                         
                                         But generally speaking, I hack into computers and I break into buildings in order to test my client's security.
                                         
                                         He's a typical penetration tester. And it's amazing to me that this job even exists.
                                         
                                         And there are a lot of people who do this as a career. I mean, imagine if a brick and mortar
                                         
                                         type store tested their security like this too. You'd have like paid shoplifters trying to test
                                         
                                         how good the LP is. LP is loss prevention for those non-criminals out there. And you'd pay
                                         
                                         cat burglars to try to steal paintings from museums.
                                         
                                         And you'd have reformed street gangsters trying to quietly rob a casino.
                                         
    
                                         And maybe some of these jobs exist, but in the online world, it's actually very common.
                                         
                                         Like, I'm pretty sure that if you want to process credit cards at all,
                                         
                                         you need an audit done on your network,
                                         
                                         which usually requires a penetration tester to come
                                         
                                         act like a criminal to see if they can hack into your credit card machines.
                                         
                                         Anyway, Tinker's been doing this for a long time, and he's really successful at getting
                                         
                                         into networks. And today we're going to follow along with him on his assignment.
                                         
                                         It was a large national client within the United States,
                                         
    
                                         but it kind of stretched within North America and a bit in some other continents.
                                         
                                         Now, often what a penetration tester will do is try to find a way into the network from the Internet, the outside, basically posing as just like a rogue hacker online who's trying to find something open or a website that's like exposing data.
                                         
                                         And Tinker had already done some of that for this client, and they were happy with the results, and they wanted to take this to the next level. They said, look, we want to assume that a threat actor has
                                         
                                         breached the perimeter. We want to assume that a threat actor has either broken into the facilities,
                                         
                                         implanted a rogue device, or maybe an insider threat kind of thing. Generally speaking,
                                         
                                         this test will cover all of it. There's a term in information security called defense in depth. And this chief information security officer,
                                         
                                         their CISO, felt like their defense in depth was so good that they wanted to put it to the test.
                                         
                                         Basically, this concept means you create many layers of security, which makes it like redundant
                                         
    
                                         even. So I started inside. It's what we call an internal pen test. The idea is, okay, if you plan to fail
                                         
                                         and fail gracefully, you want to see, okay, what happens once somebody gets in? A lot of people
                                         
                                         say it's game over, but there are so many different ways to breach. Now, again, I want to give a
                                         
                                         warning here that we're going to get nerdy and technical in this episode because this story he
                                         
                                         has paints a perfect picture of what a penetration tester does. And I want to get technical because I think it'll be a fun opportunity to see exactly
                                         
                                         how all this works. Oh, and there's also a few cuss words in this one too. So this company wants
                                         
                                         Tinker to do a security assessment from the inside of the company. And to do that, they need to set
                                         
                                         them up with a temporary job in marketing. So they set me up basically to do content. And so I went in within
                                         
    
                                         the marketing department. And so I assumed the name Jeremy and it was Jeremy from marketing.
                                         
                                         You get it, right? This Jeremy from marketing is actually a very good hacker. And his goal is to
                                         
                                         see how much he can hack into in his first week on the job in the marketing department.
                                         
                                         And the IT team and security team and even the marketing team have absolutely no idea that this new guy, Jeremy from marketing, is an extremely trained hacker who's highly motivated to just
                                         
                                         hack into the network and get everything. And this isn't a far-fetched scenario. Sometimes you have
                                         
                                         temps or interns or new hires that get turned into spies to work for another government to see what's in that network while they're working there.
                                         
                                         And can you really trust Jeremy for marketing?
                                         
                                         Yeah, suppose he did all the interviews.
                                         
    
                                         But still, I mean, he really just did walk right off the street and sit down in your office.
                                         
                                         So are you going to give him all the passwords to file servers and logins and to the company's Facebook account?
                                         
                                         Ideally, your hiring process
                                         
                                         should vet him. But it's really hard to know if that person is actually trustworthy. There's
                                         
                                         really only two people in the entire company who knew who I was. And that was a CISO and one of
                                         
                                         his assistants. The CISO is the chief information security officer, and he reports directly to the
                                         
                                         CEO. He basically got everything sorted out with HR to hire this Jeremy from marketing.
                                         
                                         And they said, look, I could bring in anything I wanted. You know, I could bring in
                                         
    
                                         all my hacking gear if I wanted to, but I needed to make sure that I didn't get caught.
                                         
                                         Without being caught is the tricky part. If he had like a bunch of antennas sticking out of his desk
                                         
                                         or even extra laptops all around, it would surely look suspicious. All right, so he's all set for his new job.
                                         
                                         It's Monday morning and he's off to work.
                                         
                                         On the drive into the office,
                                         
                                         he starts to go over his methodology and plan of attack.
                                         
                                         Get into passive reconnaissance, active reconnaissance,
                                         
                                         vulnerability and misconfiguration, et cetera, enumeration,
                                         
    
                                         initial breach, lateral movement, pivot,
                                         
                                         escalation of privileges, actions on target,
                                         
                                         exfiltration,
                                         
                                         and persistence may be in there if you need to, right? That's kind of the standard approach.
                                         
                                         And so that's his plan of attack. So he drives into the office, parks the car.
                                         
                                         It's a typical looking office building, multiple floors. His office is just one of the floors.
                                         
                                         I showed up, you know, dressed in a button up with a tie.
                                         
                                         Shows his badge to get in and asks where the marketing department is.
                                         
    
                                         And they introduced him to his new team.
                                         
                                         They said, look, here's your cubicle. Here's your team.
                                         
                                         The team was told that I was a contractor.
                                         
                                         This company used a decent amount of contractors.
                                         
                                         So my being there, my role was fairly normal.
                                         
                                         I think there might have been another person who'd started a week earlier as an actual content creator within marketing.
                                         
                                         He takes a look at the computer that was given to him. I came in as an employee, as a contractor, but it was the same thing.
                                         
                                         So they gave me a laptop that had a very standard, their standard workstation image, right?
                                         
    
                                         And I could use that.
                                         
                                         It was fairly locked down and they did that on purpose because they wanted to say, hey, what's available to someone else?
                                         
                                         Or what happens if one of their employees clicks on a phish, right?
                                         
                                         And they have that user level starting point.
                                         
                                         So they gave me that.
                                         
                                         That's another good point.
                                         
                                         When a phish or phishing email is successful, often the hacker will then have access to that person's computer who opened the phishing email.
                                         
                                         So if somebody in marketing did get phished, this is a great scenario to test whether or not they could get further into the network.
                                         
    
                                         I think it's a good idea to test this.
                                         
                                         The very first day I came in
                                         
                                         with just the laptop that they gave me
                                         
                                         and maybe a Kali image burnt on a USB
                                         
                                         that I can maybe mount.
                                         
                                         And I had in my backpack my own hack box,
                                         
                                         just a little Dell laptop loaded with
                                         
                                         Ubuntu as a base image with some Kali VMs, et cetera. And that's kind of the rogue device.
                                         
    
                                         So I had kind of a standard set of equipment starting off. Not a lot was expected of me
                                         
                                         within, you know, the first couple of weeks is what my team told me, but it was very much,
                                         
                                         you know, watch the security videos.
                                         
                                         I'm not supposed to click on a fish, that sort of thing.
                                         
                                         Right.
                                         
                                         And there was a couple of things that they wanted me to start working on, like, you know, an internal SharePoint.
                                         
                                         Again, nothing major.
                                         
                                         The culture was, hey, we'll get you spun up over the next two weeks.
                                         
    
                                         And then starting on week three and four, you know, you'll start shadowing people and getting into it.
                                         
                                         So this gave him a lot of time to himself to see what was in the network.
                                         
                                         And so the very, very first thing I did was plugged in their standard laptop
                                         
                                         and just get a feel for it.
                                         
                                         I wanted to know what's kind of the username schema.
                                         
                                         Is it first initial, last name?
                                         
                                         Does it match the email?
                                         
                                         It doesn't always match the email.
                                         
    
                                         One thing that companies do is give certain IT
                                         
                                         admins a second username, something like dash ADM at the end or dash admin. A username like this
                                         
                                         gives you a clue that that person probably has extra access than others. So the very first thing
                                         
                                         I can do is run pullup command.exe on the workstation. I'm not using any, I'm using their
                                         
                                         tools. I'm not using any malware and just type in net space users forward slash domain.
                                         
                                         And it will dump out the entire list of all users within that domain.
                                         
                                         I can do net groups, domain admins and dump all the domain admins.
                                         
                                         I can do a net groups, domain controllers forward slash domain and dump out the host
                                         
    
                                         names of all the domain controllers, right?
                                         
                                         These commands spit out a ton of data, giving a list of all usernames, all admins, all domains,
                                         
                                         and he's compiling this data to have it handy later in case he needs it.
                                         
                                         And these commands he's typing aren't even hacker tools.
                                         
                                         They're just standard Windows commands there to help IT administrators do their job.
                                         
                                         This is all part of the reconnaissance phase.
                                         
                                         Me running these commands as a user against the domain controller, that's how a lot of default Active Directory environments are set up.

                                         I did this raw just so I could have it offline at night.

                                         Active Directory is the mechanism by which Windows computers authenticate to each other.

                                         And hackers love attacking this because it has so much data: it has information on all the users and all the passwords, and it has tons of stuff that a hacker can use to escalate their privileges or move on to other systems.

                                         It's a great place to start looking.

                                         And there's a lot of standard things to look for, which are like low-hanging fruit: known vulnerabilities, best practices that the IT team didn't follow.

                                         And one such bad practice is to set the admin password for Jeremy's laptop through the group policy, because this means that the hashed password would be in the group policy.

                                         And since Jeremy can see the policy, he could grab that hash and try to crack it.
                                         
                                         This place didn't have it.
                                         
                                         So I tried a lot of the very standard things.
                                         
                                         I went through and checked some shares, just using my own credentials,
                                         
                                         using guest credentials, so no credentials, and did a lot of that stuff.
                                         
                                         Just basic enumeration.
                                         
                                         Got a feel for internal SharePoint, internal intranet, that sort of thing.
                                         
                                         Just what is available to the user.

                                         During this time, he's also learning what kind of tools this company may be running internally.
                                         
                                         This is helpful because if you know, for instance, that they're running SAP,
                                         
                                         then you can start looking up vulnerabilities in SAP.
                                         
                                         And so he starts building a map of the network.
                                         
                                         The very first day, the idea is just to sit very still, find out what's going on in the environment, and kind of learn what's going around.
                                         
                                         Something a good penetration tester will do is try to be as quiet as they can and not do anything to raise suspicion, just so that they aren't detected early and they know what normal looks like.

                                         So he was careful about what commands he was typing into the computers so that he wouldn't raise any sort of alarms.
                                         
                                         The workstation had a bit of antivirus and endpoint protection.
                                         
                                         It wasn't as robust as it could have been, but it was definitely there.
                                         
                                         And, you know, endpoint protection does one of two things, or both: it either prevents what it deems to be malicious software, or it can also do a lot of logging.
                                         
                                         Next, he took a look at what tasks and services were running on his laptop.
                                         
                                         You're just doing control, delete, and looking at task manager.

                                         Noticed a specific software solution that did a lot of heavy logging.

                                         This means the computer he was on was sending all kinds of messages to the log collector telling it what was going on on that system.

                                         So if he was doing bad things on that computer, chances are that was going to be logged and someone else could see that and catch him.

                                         And he didn't want to raise any suspicions, so he stopped pulling data from Active Directory, thinking someone might catch him doing it.

                                         Another thing he liked to do on his first day is be very visible around the office.

                                         He wanted people to know he belonged there and he was part of the marketing team.

                                         So he'd take walks around frequently, get some water, go to the bathroom, chat with people, and this also let him look around the office a little and scope the place out, see what normal office behavior looks like.

                                         And he comes back to his desk and sits down and starts to pull out his rogue laptop, which is full of all kinds of hacker tools.

                                         And after the break, we'll see what kind of fun he can have with this, what kind of trouble he can get into.
                                         
                                         This episode is sponsored by SpyCloud.

                                         With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever.

                                         I recently visited spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal, from credentials to cookies to PII.

                                         Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware.

                                         SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data.

                                         With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections.

                                         Get your free darknet exposure report at spycloud.com/darknetdiaries.

                                         The website is spycloud.com/darknetdiaries.
                                         
                                         Jeremy from marketing pulls out a rogue laptop and boots it up.

                                         When I did plug in my actual laptop, my hack laptop, the very first thing I did is run Wireshark.

                                         Wireshark captures all packets coming to that computer.
                                         
                                         It's sort of like sitting on the front porch of your house and watching all the traffic going up and down the street.
                                         
                                         But you really only get to see what's on your street, not like the whole neighborhood.
                                         
                                         And in fact, you really only get to see what's coming in and out of your own driveway.
                                         
                                         But still, it gives you a good sense of what kind of traffic is going around.
                                         
                                         And so I spun up Wireshark and started trapping a lot of, sniffing a lot of the packets.
                                         
                                         Primarily, he was looking for what sort of hardware is on the system, laptop-wise, right, or even server-wise, what's the host name schema.

                                         Because while Wireshark generally only picks up traffic to that computer, it also picks up broadcast traffic, too.
                                         
                                         And these are packets that are intended for everyone on that subnet.
                                         
                                         And computers make a lot of broadcast traffic.
                                         
                                         And by capturing these MAC addresses, it will also tell you what kind of systems are on the network.
                                         
                                         Because a MAC address contains information on what manufacturer made that device.
                                         
                                         So again, knowing this lets him blend in better.
                                         
                                         Now he's starting to know what kind of exploits he might be able to use.
                                         
                                         Again, the very first day, especially right at the beginning, all I'm really trying to do is just sit very, very still and listen to what's going on around me, get a feel for the environment.

                                         This reminds me of the quote from the spiritual teacher Ram Dass, which goes like this: "The quieter you become, the more you can hear."
                                         
                                         One thing struck me is that they didn't have a very good NAC solution.
                                         
                                         NAC is Network Access Control, and it's a technology that gives each individual computer network access.

                                         So with proper NAC, only computers that the company has authorized are allowed on the network and everything else gets no access at all.
                                         
                                         It's to prevent this very specific type of attack where you plug in rogue devices.
                                         
                                         You know, you should only plug in devices that you know are yours. The problem is having to
                                         
                                         manage all those assets. And especially when you come from kind of an open environment where
                                         
                                         bring your own device and that kind of thing can get into the internal network.
                                         
                                         Implementing a NAC solution is a simple concept, but it's very, very difficult and typically takes several months to roll out.

                                         So they did not have network access control.

                                         So I could plug in my rogue device.

                                         But as soon as I got done with the passive sniffing, you know, I want to know what MAC addresses are associated with, you know, with servers, with laptops and whatever else I could find.
                                         
                                         There's sometimes even phones, right?
                                         
                                         And what were the host names for each?
                                         
                                         I changed my host name to kind of match their schema.
                                         
                                         And I changed the first three octets of my MAC address to match their hardware.
                                         
                                         And then I randomized the last three, right?
                                         
                                         So I did do that in order to blend in.

                                         He's like Rambo now, painting himself with mud to avoid being detected.
                                         
                                         The long and short is I tried a couple different things and ended up in a position where I was confident that I could start doing more active reconnaissance without being kind of found out.
                                         
                                         Day one is over.
                                         
                                         Jeremy from marketing quietly loads up his laptops and heads home for the day.

                                         He's feeling confident at this point.
                                         
                                         He's collected a lot of data and starts to, you know, get a feel for the environment, and he's starting to think about what kind of attacks he can use.
                                         
                                         So the next day he comes in, fires up Responder.
                                         
                                         In my opinion, Responder is an amazing tool.
                                         
                                         It's like cheating almost for hackers.
                                         
                                         Here's how I think it works.
                                         
                                         Okay, so like if you have an office job and you use a computer, do you have shared drives on that computer?
                                         
                                         Like if you're on a Windows machine, you might have the M drive or the I drive or the Z drive.
                                         
                                         And this is like some shared network folder that other people in the office can access too.
                                         
                                         Okay, so suppose your Windows computer needs to connect to this shared network drive.

                                         There's a number of things it has to do.

                                         Usually the shared drive is like a host name. It's not always an IP address.

                                         So the first thing your computer needs to do to connect to that drive is to resolve the host name.

                                         That's what DNS is for.

                                         Now, there's a DNS order of operations here.

                                         Your computer will first check the internal hosts file to see if it has a hard-coded IP address for that server, and if not, it'll then go to the DNS server to see if it knows what the IP address is.

                                         Now, normally the DNS server knows the IP, but sometimes it fails.

                                         It fails because maybe you're on the wrong network, you're not VPNed in, the shared server might be offline.

                                         So if you ask the DNS server, "What's the IP address for this host name?" and the DNS server doesn't know, then what does your computer do next?

                                         It asks everyone on the subnet, "Hey, does anyone here know what the IP address is for this shared drive?"
                                         
                                         And that's when Responder kicks in.
                                         
    
                                         Responder is a lying, cheating, sneaky, ugly-looking guy
                                         
                                         who says, yeah, I know exactly what IP address is for that server.
                                         
                                         And your computer says, oh, great, what is it?
                                         
                                         And Responder says, it's me.
                                         
                                         I'm that shared drive, even though it's not.
                                         
                                         And your computer says, oh, okay, great, let me in then.
                                         
                                         And then Responder says, okay, sure, no problem, but first I want to make sure you're allowed, so tell me your password.
                                         
                                         And your computer then gives Responder the password.
                                         
                                         You're not going to send your raw password, you know, in the clear.
                                         
                                         You're going to send your authentication hash.
                                         
                                         In this sense, it's typically Net-NTLMv2 or v1, and that's a salted hash.
                                         
                                         Do you see what happened here?
                                         
                                         Responder is a hacker tool that just lies and tricks a computer on the local subnet into giving it the hashed password from that computer.

                                         It's unbelievably good at this too, and it's almost impossible to detect since you have to have sensors on that local subnet to spot it.
                                         
                                         Generally speaking, I will run Responder twice a day for maybe 15 to 20 minutes, and even intermittently at that.

                                         I run it right in the morning and right at noon.

                                         When people are logging in through the computer, they're logging in in the morning, they're logging in from lunch.

                                         That's when a lot of that traffic comes that you can trap.

                                         Generally speaking, depending on how big the environment is, I'll pull down 10, 20 hashes quite easily.

                                         So he fires up Responder in the morning and waits for hashes to come in.

                                         I pull down maybe 5 to 15 hashes total.
                                         
                                         Nice. With this, if he can crack a few of these,
                                         
                                         he can then work his way into the network and get some more privileges from someone else.
                                         
                                         And so I pulled down those hashes.
                                         
                                         Again, they're Net-NTLMv2 hashes.

                                         He loads these up into his GPU password cracking rig, which is off-site at his own office.

                                         It was eight NVIDIA GTX 1080 Tis mounted in a 4U rack server.

                                         Whoa, what a monster. That's like an $8,000 computer.

                                         And basically what he'll do is take those hashes he picked up from Responder and load them up into this computer.

                                         And then he runs a tool called Hashcat to cycle through billions of passwords a second to try to find a matching password.

                                         A computer like that can try every word in the dictionary in like under a second.

                                         Then it will go and try adding numbers to the ends of words or special symbols like a dollar sign instead of an S, and it will keep trying passwords more random and more complex over time until it finds a match.

                                         This is brute force password cracking.
                                         
                                         The lowest I've ever gotten is like a 20% crack rate, you know, one in five.

                                         Well, statistically, I'm going to get that much.

                                         Usually on those immediate, just kind of standard stuff, I'll get anywhere from 50 to 75% crack rate.

                                         In NTLM, I think at that time we could do something like 300 billion guesses per second.

                                         And I want to say with Net-NTLMv2, it was only, and I say only, it was only somewhere between, I don't know, 6 to 12 billion guesses per second, right? So not too many, right?

                                         I ran it against our standard dictionaries and our rule sets, and I didn't crack any.
                                         
                                         His monster of a cracking station tried billions and billions of passwords and found absolutely no matches on any of the hashes.
                                         
                                         This was a big surprise.
                                         
                                         Like, this never happens.
                                         
                                         Usually when that happens, it means my tools are broken, you know, like an update broke something.

                                         So I went and checked all my tools, put in known hashes.

                                         You know, I have test hashes to make sure my tools work, and those cracked just fine.

                                         So I did, you know, troubleshooting on my own stuff, and it was working.

                                         So that's when I kind of stopped and went back into the intranet and looked up a security policy.

                                         The security policy is going to tell you the minimum length of what a password must be and how many special characters and digits have to be in it.

                                         And sure enough, I believe they had a minimum of 12-character passwords.

                                         And at that point, it started to become passphrases.

                                         You know, I'm a big advocate of passphrases.

                                         You know, a password you can crack fairly easily, but a passphrase, ideally four or five different words, completely random, that's much more robust than what we have today.
                                         
                                         But I said, okay, all right, that's fine.

                                         It's still upper, lower, number, and symbol, three out of four, and it still changes every 90 days.

                                         So that means that people aren't going to create a really hard-to-figure-out passphrase.

                                         They're going to create something that they can remember and then iterate on it. Right.

                                         And so I changed a little bit of my attack settings to account for minimum 12 characters and basically just picked longer words and longer numbers at the end.

                                         You know, I did four-digit numbers. So you usually get the last four digits of somebody's social security number, the current year, something along those lines.

                                         And I just picked longer words.

                                         I also went onto the website and did a full word scrape from all their stuff, including a lot of stuff from the internal intranet, to get kind of the cultural kind of thing.

                                         So you get local sports teams, you get local schools, you get local street addresses and any kind of mascots or what have you that they really identify with.

                                         You also get cultural phrases or what have you.

                                         And so I finally did that and I finally got, I want to say, a good tiny handful.

                                         I finally got a couple clear text passwords, but let me tell you, my equipment was sweating after that.
                                         
Okay, now Jeremy from Marketing has a few other employees' passwords, and really, getting this was not that difficult. Running Responder is really simple to do, and he's using off-the-shelf parts to build a computer to crack these hashes. It sounds amazing, but if you know what you're doing, it's really not that hard.

So now that he has a few usernames and passwords, he cracks a small smile because it feels like a big win, but he doesn't want to let the other people in marketing know that he's doing something. And he begins to try to figure out what he can do with these accounts.
                                         
So there's a couple things that you can do, right? You can immediately try to log into a workstation. So I know their laptop is on this subnet, and I do a very targeted spray with their username and their password against all of it.

What targeted spray means is that he's subtly trying to remotely log into a computer using these passwords he found. But none of the logins worked.

The error message amounted to good password, but not authorized to log in, not within the group that can do remote logins, which is fascinating, right? I mean, that is absolutely something that you can do. But I very rarely see, I mean, by default, that's not set up, which to me, that was kind of my first shock to the system. You know, aside from the fact I'm like, here I am. They require 12 character passphrases and they don't allow common users to do remote login to their own boxes. I'm starting to go, OK, something's going on here. Where, you know, what sort of place have they put me in, you know?
                                         
So, okay, these users cannot log in remotely, but they have to be able to log in normally, like when they're at a workstation. So he logs out of his company-issued workstation and he tries to log in with one of these usernames. Now, earlier he was pulling stuff from Active Directory, but because there was so much logging enabled on his laptop, he had to stop because he didn't want to bring attention to himself. But now that he has someone else's password and he can act like someone else for a little while, he can use that to gather more information with.

So what I did with these credentials, because I didn't want to use my own credentials, I didn't want anything to be tied back to me as a person. So I used these stolen credentials. And at that point, I logged into SysVol on the domain controller, pulled all of Active Directory. You can mount SysVol, right, and get all the group policy preferences. You get scripts in there that the domain admins will run and other IT will run. You can sometimes pull hard-coded credentials out of those. I pulled all the users, usernames and host names and a myriad of other things. And so with the domain controller, I pulled down all the information of all the users, including the groups, and had a lot of recon at that point. So it's rather successful at that first go. And that's just easy. So even though I wasn't able to log into the user laptop, I was able to at least interact with the domain controller in the way that Windows allows for. But still at this point, I don't have much, right?

Right.
                                         
    
So now we're nearing the end of the second day and Jeremy from Marketing is really struggling to get anywhere in this network. Sure, he has a few passwords, but he's very limited at what he can do with them. Usually by now he's deep in the network, like starting to get access to an Active Directory server or something, something bigger than this. But he's got like nothing so far.

So at this point I'm like, okay, well, I still have good user credentials. You know, what am I going to do? So the first thing I try to do is just log into their email, right, using either OWA or Office 365 or whatever single sign-on that they're using. And I was able to get in. They did not have multi-factor authentication set up on email. As luck would have it though, one of the very first emails that I read, just rifling through someone else's email, was an email saying, hey, be advised, next week we're implementing multi-factor authentication in email. So be prepared to set that up. And I'm like, whew, I got in early enough to where I didn't have to do that.

Now he starts looking through the emails to see if he can find anything of importance. Maybe IT emailed them passwords at one point or something else that might be helpful. And he found a password. But it was for like a third-party tool, like a tax assessor's website or something. But really, that's it. He even looked for like internal notes that Outlook sometimes stores for users to see if they just wrote their passwords down on that or something. But there was nothing there. No help. So he tried a new approach.
                                         
    
Get into their single sign-on, you know, their internet, right? What I see companies doing today is they create a single portal for employees to log into, which then provides them access to all the tools. And this is called single sign-on because you log in once and it gets you access to many things. Single sign-on that's not set up properly or securely is a hacker's dream. You know, all of the things are in one tidy little group and you have full access to it. And I've taken down entire organizations where single sign-on was there, but like a hub of applications, if you will. One of them gave me just a whole lot of access. This place, though, I got in from the outside, which I tried to do because I didn't want it to originate from the inside. From the outside, it required multi-factor authentication just to log in, right?

When he says from the outside, he means from outside the company. Like, the single sign-on portal can be accessed from anywhere in the world. It's right on the internet. But multi-factor authentication makes it much harder to log in. This is where you need both a password and like a six-digit token code generated on your phone or something to get in. So he tried to get into the portal from his laptop on the inside of the company, and it didn't require multi-factor authentication. Yeah, now he's in.
                                         
    
Now he looks to see what's there. A bunch of different apps, payroll stuff, client databases, control panels. Okay, he's feeling like he's getting somewhere now.

And I clicked on one of the apps, and each individual app required its own separate multi-factor authentication login. I was like, what kind of lockdown prison is this place, right? You know?

It's the opposite of single sign-on.

Well, exactly. And so what they've done is, you know, they set it up properly. They had, you know, one place for everybody to go to. But, man, you better have your soft token or something set up. At this point, you know, I'm getting kind of heated. I'm like, you know, you're losing time. You better hack into something. I had gotten a couple of things. I hacked into email, but it didn't give me much. Right. So I already have, you know, some findings. I've got a report here that's kind of building of things that can tighten up, but nothing significant, you know? And pen testers, you know, your dopamine, your adrenaline is going off of those really big hacks, right? And so I still at this point have not gained access to another workstation beyond my own.

He takes a little break, gets a drink of water, resets himself, and sits back down.
                                         
I need a lat move. I need to start getting onto some servers. I need to start going and at least targeting some crown jewels here, but I've got nothing. And one thing caught my eye, though, in the single sign-on was Citrix. And as an attacker, I love Citrix because what Citrix is, is it amounts to remote desktop through the browser, right? And so generally, if there's something from Citrix, generally it's a server of some sort that's hosting internal applications or, you know, something else that's serving up. But I see Citrix and I usually go for it because I can really get a good thing that maybe dumps some memory. And I click on Citrix and it asks me for a multi-factor authentication and it says it's going to send it via SMS to this user's cell phone, but it only gives the last four digits of the cell phone.

Well, yes, it's possible to hijack a cell phone, do like SIM swapping or something. That's technically illegal. And he's not allowed to do illegal things as a penetration tester. And all he knows about this person is their name, their username, their password, and the last four digits of their cell phone.

But I have their email. So I type in the last four of their phone number into the search bar within this person's email, and I pull up one of their signatures that has their full phone number. Okay, I have their full phone number. I have their name. I have who they are. I have everything that amounts to them within this environment. Let's bypass multi-factor authentication.

Okay, so here's what he's got to do. He's got to click on that login to Citrix, which will then send a text message to the phone of that user. And he's got to somehow get that text message and enter it into this website, all within 60 seconds before the code expires. This isn't going to be easy.
                                         
    
I have this phone number. I call a person. I got to make sure none of the people around me are hearing me at this point, right? But I put on my headset. I put on my own phone. And I call this person. They answer. And Jane from accounting. I lie to them. And I say, hey, I'm somebody else from IT. And we're going to migrate your Citrix since it's within single sign-on. This person has no idea what I'm talking about. They're not IT. And so all they hear is computer gobbledygook. They're like, yeah, that sounds fine. Why are you calling me? And I'm like, well, I'm going to send you a PIN number that I need you to read back to me that authenticates that it is your account. But I need you to know, as your IT, I will never ask for your password. And again, this kind of gives them a sense of security. I obviously already had their password, but it gives them a sense of security and says, okay, well, they're not going to ask for my password. That's what matters. So I'll read off this PIN. I said, okay, I'm about to send you a text message. You'll receive it from my server, Citrix, right? And they go, okay. And I go ahead and click send MFA and they go, okay, well, I got the text. You just need me to read this to you? I go, yep, just read it to me. She read it to me. I typed it in within the minute, because you only have about 60 seconds, and it logged me in. And I go, okay, well, just letting you know, and this was right before lunch, go ahead and take a long lunch or don't interact with Citrix for at least two hours while we do the migration.
                                         
    
And she said, OK, great. Sounds good. OK, sounds good. Bye. OK, great. Finally, I've got into Citrix. And so I log into Citrix and there's no applications. There's no computers. It's an empty Citrix instance. I've hacked my way into a broom closet. You know, there's nothing here. I just bypassed multi-factor authentication through a solid social engineering exploit after cracking this person's password, which was hard to crack to begin with. A day and a half has arrived up to this very point and I've gotten nothing. Absolutely nothing.

At this point, if you were to look over at Jeremy from Marketing, you'd see him sweating and shaking.

I found that generally when I'm doing a sock into social engineering attack or when I'm doing a physical break-in or what have you, when I'm doing it, I'm calm, cool, and collected. I'm usually sweating like you wouldn't believe, but my demeanor is on point. Afterwards, though, man, that adrenaline rush, it comes crashing down. And I will, I shit you not, I will physically shake. You know, I'm probably one of the most loud, outspoken introverts you've ever met. I am confident in front of people. I used to be a sergeant in the Marine Corps. And so, you know, when you've got a platoon full of trained killers and you're trying to get them to do what you want to do, you have to develop confidence or at least a projection of confidence. You'll lie through your teeth. Right. So I will have confidence. I am socially adept, but it still drains me, especially when I'm doing something like this, that I have to put on a heavy mask. And so, yeah, I get out of that. I'm sweating. You know, it took me probably about a full hour to prepare for it as I did in-depth research on this person. And I've gotten nothing.

Usually he's a lot further along at this point on his penetration test, and it's just making him really worried that he's not going to find anything.
                                         
    
                                         So I go, screw it. I'm going to go all out at this point. And as people start leaving
                                         
                                         to head home, I say, hey, I'm going to stay back and finish trying to knock out some more of these
                                         
                                         onboarding videos. And nobody seemed to mind. So he sits and waits, sitting in his cubicle,
                                         
                                         watching everyone leave the office. And he keeps peering over it, seeing if anyone has left. And he sits back down and
                                         
                                         waits some more. I waited until the cleaning crew came. I waited until the cleaning crew left.
                                         
                                         I think I was the only one on that floor. I believe there was maybe a couple other people
                                         
                                         working on different floors, but I was the only one on that floor. He starts walking by every
                                         
                                         cubicle, looking to see if any computers were logged in while that person went home. And no computers were left logged in.
                                         
    
                                         But he does see some people did leave their computers behind. I said, you know what,
                                         
                                         I'm just going to steal laptops. I don't even care at this point, you know. And I go start
                                         
                                         plugging into the laptops of my colleagues who had left them there.
                                         
                                         But two things kind of jumped out.
                                         
                                         The biggest thing was they had encrypted hard drives. So even if I mount and boot from USB, which I was able to do,
                                         
                                         I couldn't mount their hard drive.
                                         
                                         It was encrypted, and so I couldn't pull off any kind of local admin hash.
                                         
                                         Ah, again, blocked.
                                         
    
                                         All these little safeguards in place are really giving him a hard time to get anywhere. Even when nobody is in the office, he still can't access people's
                                         
                                         laptops. He's tired, he's hungry, he's nervous, and his frustration is just building. So I said,
                                         
                                         screw it. I'm going to go after the IT shack. Okay, so the IT shack is the room where the IT
                                         
                                         help desk keeps all the computers. Like, they probably have 10, 20, 100 computers in there.
                                         
                                         If he can get into this room, he'd have access to a lot of workstations.
                                         
                                         And he thinks maybe if he gets his hands on these, he can get somewhere.
                                         
                                         Going up to the IT shack, I, during the previous couple of days,
                                         
                                         whenever I get up and walk, I try to make people see me so that they know I'm supposed to be there.
                                         
    
                                         And I'm doing kind of reconnaissance on where everything was. And so by that time, you know, I knew where the break room was. I knew where
                                         
                                         the guards hung out. I knew where the IT shack was. First thing I'd done previously was check
                                         
                                         where all the cameras were. And there was not a camera looking at the door to the IT shack.
                                         
                                         So I knew that visually I was fine. But when I went to the IT shack, I wanted to make sure there was no one around the corner.
                                         
                                         I wanted to sit there and pause.
                                         
                                         So he stands and waits right around the corner from the IT shack door.
                                         
                                         And he tries to listen to see if anyone is around.
                                         
                                         And in order to kind of really cast your hearing out, to hear as best you can, there's a couple things that you can do.
                                         
    
                                         One is slow down your own breathing to slow your heart down.
                                         
                                         Because if your heart's beating, that will actually fill your ears with like a pump, pump, pump of blood.
                                         
                                         So you need to calm yourself completely down.
                                         
                                         I tilt my head down and I look down because I want to focus.
                                         
                                         I'm not necessarily closing my eyes, but I want to focus on my hearing.
                                         
                                         So I'm making sure that I'm not looking at anything in particular.
                                         
                                         And then I open my mouth slightly.
                                         
                                         And the reason why you do that is you have your jaw muscles. When you, when you have a clenched or closed mouth, your jaw muscles
                                         
    
                                         will actually come right up near your ear canal and kind of close it off slightly. And so you can,
                                         
                                         you can try this even at home, get to a place where you have your jaw closed and just listen
                                         
                                         for a while. You can do this at night, and then open your mouth comfortably wide open. You don't want to
                                         
                                         strain yourself, but comfortably open, to move your jawbone away from your ear canal, and you'll find
                                         
                                         that that opens your ear canal wide open and you can hear a lot more. I say get context: you can not
                                         
                                         only hear further, but you can hear more things. Does that make sense? Yeah. I love pen testers.
                                         
                                         It's like you're Felix the Cat. You have a bag full of tricks and you never know when you need it, but you just have them ready to go.
                                         
                                         That's the thing.
                                         
    
                                         We try to be jacks of all trades and you try to study as many things as possible.
                                         
                                         I pulled that trick out of being in the Marine Corps when you have to do night missions.
                                         
                                         Little things that you pick up along the way that just, I tell you, they come into play.
                                         
                                         So after standing around the corner from the IT shack door for a good 30 seconds,
                                         
                                         listening for anything, it seems like the coast is clear.
                                         
                                         Time to move in.
                                         
                                         So he gets his lock picks ready and is prepared to move to the door and start picking the lock.
                                         
                                         He turns the corner and to his surprise, a door stopper is stuck in the door,
                                         
    
                                         which is just barely keeping the door open slightly.
                                         
                                         All right, lucky break.
                                         
                                         You won't have to pick the lock now.
                                         
                                         But this gave him a totally different sensation.
                                         
                                         Was someone in there?
                                         
                                         If so, is he going to have to wait even longer for them to leave?
                                         
                                         He tries to look through the crack, but he can't see much.
                                         
                                         Screw it, he's going in.
                                         
    
                                         I walk in real quick, and I see stacks and stacks of laptops.
                                         
                                         Nobody was in the room.
                                         
                                         Someone accidentally left the door open all night.
                                         
                                         Come to find out later on, it was literally a person had forgotten their keys,
                                         
                                         and so they left it propped open to go to the restroom
                                         
                                         and never came back to shut the door.
                                         
                                         So he's standing in the IT shack in front of like 75 laptops or more.
                                         
                                         I've got an option here.
                                         
    
                                         I can stay in the shack and do all my things there,
                                         
                                         or I can take what I need and move over to my desk or, you know, a conference room, whatever, and do it elsewhere. And there's a give and
                                         
                                         take of both. If I stay in the shack, no one will see me hacking into these computers. And so if I
                                         
                                         stay in there, I protect myself against the bulk majority of people that will be walking through
                                         
                                         in the middle of the night, if they came in after hours for whatever reason.
                                         
                                         But if I stay in there and an IT person comes in,
                                         
                                         which plenty of IT people work overnight or have to come in for a call or something,
                                         
                                         I'm caught red-handed.
                                         
    
                                         I've got no excuse for being in there.
                                         
                                         And so I make a call that I'm going to start hauling as many of these computers to my desk
                                         
                                         and then from my desk kind of bring them up.
                                         
                                         And if someone comes by, hopefully I've got them tucked away or whatever. I can pretend
                                         
                                         that it's mine or whatever. Right. I can hear them come in, hide it and go back to work. And so I
                                         
                                         start taking arm loads, like full handfuls of these laptops to my cubicle area and stacking
                                         
                                         them underneath my desk. And I ended up grabbing, I made, I don't know, three or four trips
                                         
                                         and ended up grabbing about 30 laptops before I said,
                                         
    
                                         you know what, this is probably enough.
                                         
                                         I went back to my cubicle at this point, shut the door,
                                         
                                         and just started trying to boot from USB and mount as many hard drives as possible.
                                         
                                         He starts going through each laptop one by one,
                                         
                                         spending hours on that,
                                         
                                         trying to find if any of them have an unencrypted drive.
                                         
                                         And he finds two in the whole stack
                                         
                                         that were either old images or didn't get encrypted.
                                         
    
                                         And now that he has an unencrypted hard drive,
                                         
                                         he dumps the local administrator hash from that laptop.
                                         
                                         And once he has this hash,
                                         
                                         he starts running it through
                                         
                                         that monster password cracking station he has, and he tries to crack the admin password. And I crack it rather quickly.
                                         
                                         It was actually the company name and the year, the capital first letter on the company, a very
                                         
                                         weak password. I was like, you know, are you kidding me? Everything else I've found has been
                                         
    
                                         amazing and this is it. Just to test the password, he tries logging into his own workstation with it
                                         
                                         and the admin password worked. Bingo. This means the admin password that he just found is likely the admin
                                         
                                         password for all the users' laptops in the office, which should allow him to log into any user's
                                         
                                         laptop. Finally, he's making progress. This is a big break. So he starts putting the laptops back
                                         
                                         in the IT shack. And I took pictures of where they were so that, I mean, they were out
                                         
                                         of order by this point, but I put them, I mean, stacked about as precisely as I possibly could.
                                         
                                         Anything I touch, I put it back as closely as I found it so that it doesn't look like it's
                                         
                                         been disturbed. And I'm like, okay, well, great. I got a lucky break. I can now use this to spray
                                         
    
                                         everything, right? So at this point, I'm beat and I go home and I sleep. Feeling rested and happy that he has an admin hash and a password,
                                         
                                         he comes back into the office, finally ready to dig deep into the network.
                                         
                                         Yeah, come back in and okay, I've got the best thing that I have. I've got a local admin hash.
                                         
                                         First thing I try to do is pass the hash, which just uses the actual hash as a password.
                                         
                                         Which is a great technique. Often when you're logging into another computer,
                                         
                                         your computer hashes your password and gives it to that other computer to log into.
                                         
                                         So if you have the hash, just give him that and that could authenticate you. But in this case,
                                         
                                         it wasn't working. There was some kind of error. But last night he cracked the local admin password
                                         
    
                                         and IT administrators will often reuse this password. So this local admin password might
                                         
                                         actually work on every laptop in the whole company.
                                         
                                         So he tries to remotely log in to another computer using this local admin and password.
                                         
                                         But it wasn't working.
                                         
                                         The local admin hash was not letting me log in.
                                         
                                         Again, it comes up as valid credential, but you're not allowed to log in, right?
                                         
                                         And I'm like, this is asinine.
                                         
                                         Like even the local admin needs to be able to log in.
                                         
    
                                         It's not letting me.
                                         
                                         So he logs into his own laptop again as local admin
                                         
                                         to try to figure out what's going on.
                                         
                                         When I log in with a local admin password,
                                         
                                         they don't have access to the full computer.
                                         
                                         The local admin, the local administrator
                                         
                                         does not have full access to the rest of the hard drive.
                                         
                                         It doesn't have access to the user level, which this doesn't make sense because that's how it's
                                         
    
                                         set up. That admin has access to everything, right? And again, I'm punching myself in the face,
                                         
                                         you know, and it turned out that they were using a third party non-Microsoft tool to do access
                                         
                                         control and user control, etc. This is quite impressive.
                                         
                                         While the password was probably used for everyone's laptop,
                                         
                                         the admin user doesn't have that many rights at all.
                                         
                                         I've never heard of this myself.
                                         
                                         But yet this is another safeguard that this company has put in place
                                         
                                         in case this password got leaked,
                                         
    
                                         which was really hard to find to begin with,
                                         
                                         this would stop them even further.
                                         
                                         And now I'm angry.
                                         
                                         At this point, I can pop a shell from my computer with... I would be angry too. So many of his exploits
                                         
                                         and techniques should have given him access to the whole company by now.
                                         
                                         But this company was foiling his every single move and all his techniques.
                                         
                                         Now he's tired of trying to fly under the radar.
                                         
                                         He's ready to try an exploit on another computer that might make a little noise.
                                         
    
                                         And then from there, if he can get into a computer, you can see if there's anything good on that and move around to another computer.
                                         
                                         So he scans his own computer to see if it has a vulnerability that he can exploit. I tried a variety of them, but the one that worked was
                                         
                                         Unquoted Service Path, which the way Windows works is, say you want to run a program at startup,
                                         
                                         and so it's designed to run this program at startup. But one of the folders that you run
                                         
                                         this program in has spaces in it, right? If you don't put quotes around that full path,
                                         
                                         what Windows will do is attempt to run up to the space
                                         
                                         as if that word, so say like it was something
                                         
                                         that said like Citrix space server,
                                         
    
                                         and that's a BS one.
                                         
                                         It would try to run Citrix as an executable first
                                         
                                         before it tried to run Citrix server as a directory.
                                         
                                         So if you go in there, if you have read, write,
                                         
                                         and you can create a program, a malicious program
                                         
                                         that's named Citrix as opposed to Citrix space server,
                                         
                                         it will run your program as, in this sense, system
                                         
                                         because the system was calling it.
                                         
    
                                         And I found a directory that let me do this.
                                         
                                         It wasn't Citrix space server, but I'm like, okay, great.
                                         
                                         But I ran a check to see if I had read-write, and it said I didn't.
                                         
                                         And at this point, I'm like, well, fuck it, I'm done.
                                         
                                         You know, this is horrible.
                                         
                                         Without the ability to write to the remote computer, he's unable to exploit that thing.
                                         
                                         So because it said he didn't have the ability to write, he just gave up at this point, totally out of ideas.
                                         
                                         He put his elbows on his desk, and he put his head in his hands.
                                         
    
                                         Completely dumbfounded.
                                         
                                         He's now on day three, and still has not gained access to any computer outside his own,
                                         
                                         and a couple of powered off ones in the IT shack.
                                         
                                         His report and findings so far look dismal.
                                         
                                         This has been the hardest assignment he's ever had.
                                         
                                         Now day three is over and he heads home.
                                         
                                         Morning comes.
                                         
                                         It's now Thursday.
                                         
    
                                         He's getting ready to go into the office.
                                         
                                         And I called up an associate of mine.
                                         
                                         I told him, here's everything I did.
                                         
                                         But I ran the check to see
                                         
                                         if I had privs. And it said I did not have writability. He goes, well, did you try it
                                         
                                         anyways? And I'm like, oh, God damn it. No, I didn't. I just assumed. And I went ahead and
                                         
                                         tried to write to it. And I could. Even though Windows came back and told me I couldn't,
                                         
                                         I was allowed to write. This kind of tells you don't listen to the output of the tools that you're trying to hack into.
                                         
    
                                         Turned out, again, this third-party software that ran all the access control, the third-party allowed them to write, even though the native Windows didn't.
                                         
                                         And third-party superseded native Windows.
                                         
                                         At this point, I now have a meaningful way to escalate privileges to system level.
                                         
                                         And I tried out, I went with my colleague, he wrote a stager and I wrote the malware for it.
                                         
                                         So he wrote an executable that would then call my PowerShell reverse shell. And I think it was
                                         
                                         just a tweaked version of Veil or some sort of PowerShell remote shell. So we tested it on my own workstation, unplugged from the domain.
                                         
                                         At this point, I'm getting kind of gutsy here.
                                         
                                         And it works.
                                         
    
                                         Okay, so for this exploit, here's what needs to happen.
                                         
                                         First, he has to put the exploit on a USB drive and then physically take it to another
                                         
                                         computer.
                                         
                                         Like, he would do this while a person wasn't at their desk.
                                         
                                         Log out of their user, log in as the local admin, drop two sets of malware, drop it in as in copy it from the USB
                                         
                                         to the computer, and then log out as admin. Then when the user comes back and logs in,
                                         
                                         his malware should give him remote access to that computer. So even though I found this way to do it,
                                         
                                         it's still under like, you know, a person has to break in by this point, have physical control.
                                         
    
                                         And I'm like, you know what, screw it.
                                         
                                         We're going to do this.
                                         
                                         He thinks over this plan.
                                         
                                         This is a risky move, but if done right, could get him access to that person's computer.
                                         
                                         So whose laptop would be worth getting into?
                                         
                                         Maybe the CEO's.
                                         
                                         Hmm.
                                         
                                         Yeah, but they weren't at this office.
                                         
    
                                         Who else?
                                         
                                         The IT team.
                                         
                                         Perfect.
                                         
                                         I'm going to go straight for IT.
                                         
                                         I'm going to hit IT and I'm going to take them down.
                                         
                                         I'm going to get system level remote access.
                                         
                                         With this remote access, you'd be able to do everything, including reading the CEO's emails.
                                         
                                         So the plan was to wait until lunch when he could go over to the IT team's computers and put this malware on it.
                                         
    
                                         So he waits.
                                         
                                         And waits.
                                         
                                         Peering over his cubicle from time to time.
                                         
                                         So he watches a few more of those onboarding videos for marketing and waits until lunch.
                                         
                                         The marketing team asks him to go to lunch.
                                         
                                         And he's like, no, no, no, I'm fine.
                                         
                                         But they kept insisting.
                                         
                                         And he's like, no, really, I want to stay.
                                         
    
                                         So his team just leaves him behind.
                                         
                                         And he thinks, OK, now's a good time.
                                         
                                         I set up a listener on my rogue machine and I go start walking.
                                         
                                         I've got a little thumb drive with my malware on it.
                                         
                                         And they're anti-virus detective because we kept it very low level.
                                         
                                         And I go over to the IT area and I shit you not, the bulk majority of IT are sitting there eating lunch at their desk.
                                         
                                         And I'm like, hey, that's not healthy.
                                         
                                         That's not good work.
                                         
    
                                         You need to get away from your computer.
                                         
                                         You need to stand up.
                                         
                                         You need to walk.
                                         
                                         But are you kidding me?
                                         
                                         These overworked, and this is not saying this is a valid defense technique.
                                         
                                         Seriously, one person can be there if they really need to.
                                         
                                         But people need to get up and move away from their computers, even IT.
                                         
                                         But I'm frustrated. I start walking and pacing around.
                                         
    
                                         At this point, I'm getting kind of heated.
                                         
                                         I'm losing my cool.
                                         
                                         I go around a corner.
                                         
                                         I finally find an area that doesn't have anybody.
                                         
                                         And sure enough, it's finance.
                                         
                                         I'm going to take down finance.
                                         
                                         And I go up there.
                                         
                                         As I'm up there, I see one lady sitting down next to one of these cubicles.
                                         
                                         And I'm just going to go for it. I tell her, I go, look, I'm IT. I'm about to do some updates. And she goes, OK, sounds great.
                                         
                                         And I go ahead and do it. I pop it up in about 30 seconds. It takes me to log out, log back in,
                                         
                                         drop the malware into the correct folder, log out again, and then leave.
                                         
                                         He goes back to his desk and waits. Now what he's waiting for is that
                                         
                                         lady from finance to finish her lunch and to log back into her computer. So he pulls Metasploit up
                                         
                                         and waits and watches. Metasploit is like a hacker's tool bag. It contains hundreds of exploits and
                                         
                                         tools to hack into stuff. And he's got this hack all set up. So he's staring at his screen and it
                                         
    
                                         says the listener is running and waiting for mode activity or something like that. And if everything is set up right, when she comes back
                                         
                                         and logs into her computer, he'll then have remote access to that lady's computer in finance.
                                         
                                         And the screen will say Meterpreter Session 1 open. So he waits for activity. Nothing.
                                         
                                         Nothing. He peeks over the cubicle wall sometimes to see if he can see her.
                                         
                                         He can't see anything.
                                         
                                         He waits longer and longer.
                                         
                                         And so he just keeps waiting.
                                         
                                         Come on, lady. The wait is killing him.
                                         
    
                                         It's now been 45 minutes at this point, and he's starting to think,
                                         
                                         it didn't work.
                                         
                                         She had to be back by now, and for some reason, whatever reason,
                                         
                                         the malware just didn't work.
                                         
                                         I'm about to give up. I see Meterpreter Session 1 open, right?
                                         
                                         And I'm like, oh, yeah, there it is.
                                         
                                         And then I see Meterpreter Session 2, Session 3, Session...
                                         
                                         It popped eight shells.
                                         
    
                                         It tried to call this thing like eight different times.
                                         
                                         And I'm like, yes, I'm in.
                                         
                                         All right.
                                         
                                         I start rifling through this person's computer.
                                         
                                         I get persistence.
                                         
                                         I actually get a couple passwords for finance.
                                         
                                         You know, some small wins.
                                         
                                         And right as I'm about to start dumping memory, I lose my connection.
                                         
    
                                         Session closed.
                                         
                                         And I'm like, oh, no.
                                         
                                         No, no, no, no.
                                         
                                         I have fucking, I've been without sleep.
                                         
                                         I've gone too far.
                                         
                                         What the hell happened to my shell?
                                         
                                         And I get up and I make a beeline right to that lady's laptop, because I'm gonna go pop another shell, you know.
                                         
                                         I'm like, get out of my way. And as I round this corner, this, you know, precious little old lady, reminds me of my grandmother, she's looking up at this IT guy, and she's like, no, I don't understand.
                                         
                                         They told me you guys were updating my computer, and right as I come around, she turns and
                                         
                                         kind of glances at me and goes, him!
                                         
                                         It was him!
                                         
                                         And I'm like, oh, fuck!
                                         
                                         And I let out this high-pitched seventh-grade girl scream, you know?
                                         
                                         And I turn around, and right as I turn around,
                                         
    
                                         there's two more IT guys right there.
                                         
                                         I'm like, oh shit.
                                         
                                         And they're looking right at me like,
                                         
                                         who the fuck are you?
                                         
                                         And why are you calling yourself IT?
                                         
                                         They sat me down and they said, you know,
                                         
                                         who are you?
                                         
                                         What are you doing with these computers kind of thing?
                                         
    
                                         When a penetration tester gets caught like this,
                                         
                                         they have to think,
                                         
                                         should I try to escape this situation or should I just tell them I'm here working for the CISO?
                                         
                                         And in this case, he decided to say, I'm working for the CISO. At this point, I'm at the end of
                                         
                                         my rope. I've done a very thorough test, even more than kind of what I've gone into here
                                         
                                         over a good week. I've stayed late and I've done everything I can think of
                                         
                                         and even learned some new tricks along the way.
                                         
                                         And while I was able to find several different things,
                                         
    
                                         you know, an easy password on local admin,
                                         
                                         even a shared password,
                                         
                                         even though they use the other ones,
                                         
                                         some clear text credentials here and there,
                                         
                                         you know, a lady gave me her PIN over the phone.
                                         
                                         A lot of these things, you know,
                                         
                                         they could tighten up. Long and short,
                                         
                                         you know, they stopped me and we brought in the CISO. He said, hey, good job.
                                         
    
                                         Here's the situation. He's okay. And we, we, we went into an initial debrief, both of what I had done and how they had found me. And I asked him, I go, look, I ran the safest, you know, fricking
                                         
                                         shell that I could run. I even tested against your antivirus
                                         
                                         and your antivirus didn't catch it. And I was only there for 30 minutes, you know, like,
                                         
                                         how did you find me? And they said, they said you were running PowerShell from a finance computer
                                         
                                         and finance doesn't run PowerShell. The only people that run PowerShell are IT and maybe some
                                         
                                         of our devs, you know, and DevSecOps or DevOps rather. PowerShell is kind of like a super command line tool in Windows. And
                                         
                                         yeah, only technical people ever use it or need it. The finance department would never run it.
                                         
                                         So this sort of behavior is like anomaly detection. And that lady in finance has never,
                                         
    
                                         in all the years she's ever worked there, ran PowerShell. But this exploit did. And since it
                                         
                                         was so out of the ordinary, it's how he got caught. But yeah, it was one of the toughest places. And I liked telling
                                         
                                         that story when Blue Team kicked Red Team's ass because it showed what worked. And like I said,
                                         
                                         I still found a lot of different things that they could tighten up and they weren't perfect by any
                                         
                                         stretch of the imagination, but they had such robust security that they were able to not only detect me, but act on it.
                                         
                                         It's not enough to detect an attack.
                                         
                                         You have to do proper response and containment.
                                         
    
                                         And I tell you what, they had all three.
                                         
                                         I imagine the IT team was proud of what they did to stop him.
                                         
                                         But they remained focused and serious as Tinker went over the report.
                                         
                                         They were taking ready notes.
                                         
                                         They didn't gloat. They didn't rub it in. And they also didn't take offense of the things that I found.
                                         
                                         They were very professional and they said they appreciated it and looked forward to my full
                                         
                                         report. I mean, it was the epitome of professionalism. I like this story because not only do we get to
                                         
                                         see what a penetration tester does, but we also get to see what steps a company can take to make
                                         
    
                                         it really hard for hackers to get in.
                                         
                                         Because the harder it is, the more resources a hacker has to have.
                                         
                                         They have to have more time or more processing power
                                         
                                         or more people or more exploits or something.
                                         
                                         And the harder you make it for them,
                                         
                                         the more motivated they have to be to get through it.
                                         
                                         And they'll probably just give up and move on to something else if it's too hard.
                                         
                                         And just to recap what worked here for this company,
                                         
    
                                         they had multiple layers of security,
                                         
                                         defense in depth.
                                         
                                         They had a minimum of 12 character password policy,
                                         
                                         which made passwords hard to crack.
                                         
                                         They had two factor authentication almost everywhere.
                                         
                                         They limited access to each user,
                                         
                                         which made it hard to do any remote logins.
                                         
                                         The local admin had very limited access
                                         
    
                                         and the logging that was on everyone's computer
                                         
                                         allowed them to detect and find this hacker within minutes of him doing an exploit. All this added up creates a nightmare
                                         
                                         scenario for Tinker and will probably be enough to create a nightmare scenario for any other hacker.
                                         
                                         The CISO was very, it was just professionalism from the top down. You could tell that this was
                                         
                                         a culture of continual self-introspection, right? And self-awareness as it related to their
                                         
                                         environment and continual approval. And he, you know, he went in with the idea that, you know,
                                         
                                         at a certain point you can't have a perfectly secure system or no one's going to be able to
                                         
                                         use it, right? If someone can use it, you can, an attacker can emulate that user in some form
                                         
    
                                         or fashion. And so he's like, you know, we're getting to the point where we have risk acceptance. You know, if you have to break into my place and physically access a
                                         
                                         computer and do all this kind of stuff, at that point, the only people I'm really worried about
                                         
                                         are really high-end criminal groups, the NSA and Mossad. And if it takes the NSA and Mossad to hack
                                         
                                         into my place, fine, we'll accept that, you know, kind of thing.
                                         
                                         Thank you so much for sharing this story with us.
                                         
                                         Cheers.
                                         
                                         Cheers.
                                         
                                         And thank you for having me here to tell that story.
                                         
    
                                         A quick shout out to the Dallas Hackers Association.
                                         
                                         Never met a more vile bunch of criminals, thieves, con artists and hackers in my life.
                                         
                                         But there's some good folks.
                                         
                                         You've been listening to Darknet Diaries.
                                         
                                         Thank you to Tinker for telling us this amazing story and teaching us about pen testing.
                                         
                                         You should follow him on Twitter because he tells a lot more stories like this.
                                         
                                         His name there is TinkerSec.
                                         
                                         Also, thanks to Proximity Sound for doing that voice intro. That was really cool. Darknet Diaries
                                         
    
                                         is going to do a bit of a rebrand in the next
                                         
                                         few weeks with a new logo, webpage,
                                         
                                         shirt, stickers. I'm super excited
                                         
                                         to roll it out, so look for that soon.
                                         
                                         This show is made by me,
                                         
                                         the president of D-Corp,
                                         
                                         Jack Rhysider.
                                         
                                         Intro music is by Breakmaster Cylinder,
                                         
    
                                         who you could always find hanging out at the Red Wheel Barrel Barbecue.
                                         
