>> So right quick, before we get started, because we don't have as much time as we had before, I just wanted to show you all something. I gave this talk at Black Hat a few days ago and it went well there; I saved the really good jokes for this one. But there was a Reuters photographer there and he takes this great shot of me. Catches me at just the right moment, and this is it right here. [Laughter] Like, and so...
>> Same jacket.
>> Yeah, and same jacket. [Laughter] There we go, right there. And so I've decided I'm going to stop giving talks at Black Hat and DEF CON, just gonna start holding rallies, right? [Laughter] That's what it comes down to now. [Laughter] Alright, so serious topic, but we're gonna have some fun with it. The idea behind this is, you know, when I was putting this together, I didn't really know how it'd go over, because it's actually a pretty tough thing to do. Right? Because not a lot of the things we talk about here in these conferences, not a lot of the things we tweet about every day, are introspective. We like to point out flaws in the software that other people write, that other people use, the things they deploy, and the mistakes that they make when they're doing those deployments, and you know, as penetration testers, and I'm sure there's a few in here, you know, you're used to that.
You're used to pointing out those faults. But you have to ask yourself, are we gonna be introspective with this? Are we gonna look and see what we are doing that might be putting our clients at risk, might be putting us at risk, and putting, you know, all these processes that we're not improving over the years? You all can look up who I am, whatever. So the situation with this is that insecure practices on penetration tests put clients and penetration testers alike at risk. So on our engagements we see, you know, very rarely do we do an engagement and find out we're the only people there. You know, if we find a vulnerability, there's a decent chance we're gonna find the artifacts of some other attacker. We see attacks on our pen testing infrastructure, and so seeing that, we know that we have to be very careful about how we conduct these tests. So we're attractive targets. So a penetration tester will have clients; we do, you know, two or three pen tests at a time. Engagements last a couple of weeks, and so if you can pop us, then you have an in on so many clients, you have an in on so many targets from there. And that's not even counting the... so if you're running a pen testing firm, you've got your own intellectual property too.
The tools you wrote, the 0-day that you're hoarding and not disclosing, all that stuff, so it's an attractive target. The root cause of the problems that we're seeing with this, with vulnerabilities, is just the lack of awareness. We're smart enough, right? We know how to find vulnerabilities in things; we're just not taking a look at ourselves with it. And the learning materials that we use to train ourselves and to train other team members to do this, they teach insecure practices and they don't address these issues. So these are things that have to change moving forward. So what we're covering today: there's too many things here. The biggest part of this is a study. I looked at the body of learning material and did a study on them to see what kind of insecure practices are being taught and what they are doing to address security concerns for operational security, communications security, for testing. I'll talk a little bit about what I did in previous talks, but that stuff's on YouTube, you can find it. And then finally we're gonna demonstrate a tool, because I can't take the stage at DEF CON without popping a shell on something, so even though the study is not a technical study, I'll show you just sort of a proof of concept of how somebody can snag a Meterpreter shell out from under you.
And basically we're gonna draw some conclusions from this, and the whole idea is for you to go back and integrate these sort of more secure practices into your testing, and for the people who create learning materials in this field to up their game. The next edition of the book should include something that addresses this. The two previous talks, on "Pwn the Pwn Plug" and "I Hunt Penetration Testers", so these were technical talks. I demonstrated actual weaknesses in tools, in dropbox pen test type appliances, in Wi-Fi Pineapples. That was me, yeah. And basically just showing proof of concept that the tools that we're using have basic vulnerabilities, and just like... it's code, right? And you can't write perfect code. Mathematically impossible to do so, according to language theory, halting problem and all that. So as a result, you know, we are spending all this time looking at clients' code, custom web apps, mainstream IT software, and finding bugs in them left and right, but if we never look at our own software, there's very easy bugs that just fall out when you just start looking at it. So why are we an attractive target? It's very simple. So the tools, tactics and procedures, the intellectual property that we have, is very sensitive. So one, you could just passively watch a penetration tester and learn so much. Exfiltrate so much data.
Doing that, you know, you're going to wind up gaining almost as much information, or more, than if you breached the system yourself. But also it's just good operational cover. So if you know a penetration test is going on and you can kinda keep tabs on what it's doing, piggyback off of that, hijack the same hosts, you're gonna fly under the radar if you're an attacker. So whenever we're on a penetration test, it's my cell phone that rings whenever something happens with the client. So, 24/7, I tell them if something weird happens, call me, because don't just assume that it's us doing it, don't just assume that we've knocked something over, and stand it back up, you know, like "well, they'll be done in a couple of weeks." Because nine times out of ten, they give me that call: "oh, you know, we're seeing a lot of traffic, we're seeing this system or that crash," and it's not us, it's something else going on in the system, and we have to establish that. So a penetration tester, they're expected to break rules, attack, elevate privileges, exfiltrate, all the things that you would normally be looking for with your security appliances. So if you're doing all these things that would be lighting up the system... as penetration testers we light up things; we make the logs go crazy. We make the lights go crazy.
It's because even if you're emulating advanced persistent threats, attackers, nation states, organized crime, things like that, even if you're emulating that, you're doing it on such a compressed timescale that you cannot avoid it, you have to be a little bit noisy. You don't have six months. You don't have a year, you don't have two years, to play the long game on it. And so given that noisy environment, it's very easy for a third-party attacker to get in there. So what we have here is a sort of cause and effect. And so there's the state of penetration testing, still not a very mature field, and so most people have been doing this, you know, 15 years tops. And if you start looking into sort of older-school red teaming and things like that, you know, nothing in the past twenty, thirty years, right? As far as computer security is concerned. And so there are standards, there are things that purport to be standards, there's PTES, there's, you know, the recommendations in PCI and things like that, and they're great, but they're not complete yet, and you know, frankly with PTES, the Penetration Testing Execution Standard, we should all be working on getting that into a better state. So really the quality of any given penetration test is down to experience, intuition, pattern recognition.
That's the reason why, like the Cyber Grand Challenge stuff, you know, you're not gonna have a machine do what a penetration tester does, at least not for quite a while longer, and so it's a human-driven process, and it's a matter of emulating the same tactics, tools and procedures that the real attackers use. The problem with standardizing that is what you trade off, flexibility versus rigor, on this, and so if you standardize it too much, you've taken away a lot of that adaptability, but there's places like this where we have to have a little bit more of a high bar. We operate as we learn when we're penetration testing. We use the same tactics, the same tools that we learn in our training. So if you took a training class on this, if you read a book on this, you're likely gonna be just reusing those same types of things in your real test. Over time, as you gain experience, you're going to add more, or you're gonna develop more for yourself, but your baseline is what you've been taught. And the teaching of this is working off a matter of lowest common denominator as profit.
If you make your class too tough, if you're too rigorous, if you have any prerequisites to doing this, you know, if your book requires that you read five other books or have, you know, a couple years of computer science under your belt to get started on it, there's not as many people buying, so it's not gonna be successful, you're not gonna make much money, right? And so typically with the training available, there's never any formal requirements to get started, no prerequisites, no testing requirements. There's only, you know, the Offensive Security certification that requires an actual practical hacking exam; otherwise, you know, it's multiple-choice to get your certification. What does it even mean at that point? The effect of this is the training that we have teaches things in a way that's useful for the one-week training course, an exercise that lasts an hour. You don't have time to dig into the details of, well, you know, we've got this command-and-control channel, what's the process that we would have to go through to encrypt this? What's the process we have to go through to make sure that it can't be hijacked?
That takes longer and it takes away from the material you cover in the training or that you're covering in your book, and so it's convenience and expediency dictating how you wind up operating on your real engagements, and if it's not even addressed, you don't even realize that you're missing that extra level of what you need to be doing. It means just overall that there's a lower depth and breadth of technical knowledge required to get started in this field, and so you have a very large body of penetration testers that don't have a breadth and depth of technical knowledge. The best penetration testers come from network administration backgrounds. You know, for us, we hire a lot of students with computer science degrees. They know how the systems work from the ground up, right? They know how this software works, and so they're not limited to just finding bugs that are on the common vulnerability list and things like that. They can find 0-day if need be in custom apps and things. But what that also means is if they can find that, they can do the introspection needed to look at their own process and figure out, well, how are we opening ourselves up for attack? How are we opening up our clients for attack?
And so we were on a test very recently where 15 minutes into the test it turns into an incident response, because we find on the first system that I take a look at, a Windows XP system that will respond on SNMP with everything. And so you can turn this on in Windows, kind of fun, try it out on a VM. And it will give you a process list over SNMP, which is awesome, and so I'm like, okay, great, what's in here, what's running on this thing? Oh, there's a Java Meterpreter agent running on this thing, listening on a high port. And it turns out it had been sitting there listening on that high port for eight months, from the time we found it right back to the previous penetration testing firm rolling in. They left that system open that entire time, and so the test stops at that point. It becomes an issue of: what happened here? And so if you have the ability to look at how you're operating, you'll put those procedures into place to clean things up like that. You'll be like, well, what does it mean to have that thing listening out there? What kind of vulnerabilities does that open up? It's a matter of situational awareness. None of this training involved situational awareness, and there's no material that talks about that, really.
And so if there was, though, you can apply that in the training and you can apply that in your actual operational environments. So the study looked at a whole set of books, a few publicly available informational classes, and a handful of standards documents. The body of it is the books, really. You know, even the training material typically kind of follows the material in the books, so it's very similar. And so the idea was to ask a set of questions. So taking 16 books, 3 training materials and core standards documents, asking a set of questions and saying yes or no, does it cover this important aspect of operational and communication security in a test? The disclosure on this is, as much fun as it would be just to drop names and author names and things like that, this is not about calling out individuals, it's not about calling out specific materials, and so I have obfuscated names. Now if you dig into the white paper, and you start looking at the stuff that's out there and how I found this material, if you dig into the white paper, you could figure it out, right? I'm just not gonna be calling them out, because that's not the drama I wanna cause here today.
I wanna make sure that everybody, just moving forward, takes this into account, because honestly I don't think it's lack of knowledge, I don't think it's lack of capability, it's simply that it hasn't been addressed yet, but it has to be. So, the questions that we ask of each of these pieces of material. The first one being host security, penetration tester, and so they'll have a sort of a bolded title like this and then the actual question. So: does the work address precautions for preventing penetration testers' systems from being compromised? So straight up, the machines and the software that you're using on your test, if somebody's already in the environment or if they're anywhere on the network between you and them. So if you're doing these tests over hostile networks like the public Internet, the best hostile network, right? You know, there's X number of hops of people that can be looking at what you're doing and firing back at you, right? And so what are you doing to protect your systems? There is one caveat for this question in my study, and it was that... and I had a very low bar for these questions. If there's anything in the book that addresses this question, it gets ticked off as a yes, right? And here I had to make one exception: I did not count it if the book or the training material said please change your Kali password away from toor.
[Laughter] That does not quite count as good enough, right. However, some of them didn't even do that, right, and I'm sure if you scan the network here, you get a lot of play out of that one. [Laughter] Just saying... I don't advocate any of that stuff. Host security for the client. Same thing, but during your test, what keeps somebody else from coming into the client systems through the same means you took, or through the tools and implants that you've put in place? So that Meterpreter that's sitting there, it would've been at least a little bit better had it been a reverse shell, so it's not just sitting there listening on a high port. That's not good enough, and I'll show you in a little while why. But that's even a little better, right? And so, so what keeps that from happening? There's an issue here, though. Oh, sorry. There's an issue here, though, because if you're able to break into the system, what keeps somebody else from doing it? Right? And so this also kind of goes along with the situational awareness, the position you do your attacks from on the network, to make sure that you're not in a position where many attackers will be able to see what you're doing and follow up on it. Man in the middle, that sort of thing. So. COMSEC, this is a big one. Very few pieces of material cover this.
Does the work address establishing secure means of communicating with the client about the engagement? That cell phone call that I get at two AM, you know, everything is blowing up, is it us? You know, they don't need to send that to me in an email. Right? A cell phone's probably good enough for this. It doesn't need to be encrypted email or anything like that. Now, a client's gonna do what a client's going to do, right? But you know, I really encourage them to call me up, even if it's awkward. And when you deliver your report, I don't know about your reports, but our reports are blockbusters, right? Like, if somebody got ahold of one of those for a client, they've got about, you know, three weeks of very easy stuff to pop, because they haven't been remediated. Yeah. You know, basically ours are a story of how we broke in, and yours are too. So the idea there is you're giving somebody a road map into the client. So how do you get that report to them securely? Client data in transit. This is really talking about exfil, so if you're pulling sensitive information out, so if you're doing a proper, you know, advanced penetration test, you're taking client data and you're sending that over the network to you so you can prove the impact of this.
It's not just "we got into this system," this is how bad it hurts for you. Right? But the problem is you're sucking sensitive data over a network to your machines. Are you doing that over a secure connection? Are you doing that in a way that's secure? Then client data at rest. Once we have it on our systems, once we have it on our infrastructure, is that data encrypted? Is it inaccessible by people who are not supposed to be on the engagement? Is it inaccessible by basically anybody but whoever needs to see it? And what do we do with it after the engagement? Right? How long do we keep that? That's a conversation you have to have. This one's interesting. Open Source Intelligence Gathering OPSEC. So, when we're looking up information about clients, you know, you're digging around on the public Internet, you're digging around on anonymity networks like Tor for information that matches a client. So there's job listings and things like that, but you also wanna see, like, is there any buzz about this particular client on the various hacker forums on Tor, right? When you're doing that, how do you search this in a way that doesn't tip your hand as to what you're doing, right? You can't just go on, like, HackBB on Tor and start searching for the client's full company name, right? You don't want to do that.
Or maybe now you are thinking, maybe I shouldn't have done that. Because somebody can look at those logs and see, oh, somebody's interested in this, maybe there's something there. And there's a really cool example of this involving a public proxy list and a thing that I'll show you. So, for potential threats: does the work address issues with conducting tests against systems over hostile networks, public Internet? Basically, this is very similar to the other questions. This one's really specifically talking about, do they discuss that there might be somebody out there? This is a sanity check, right? Does the material address the issue of a potential third-party attacker? Of not being the only person on the system when you're attacking it. This one's bolded red because it's an inverse, so no is a good answer and yes is a bad answer. Does the work demonstrate or teach at least one example of an insecure practice without describing how it might leave the tester or client vulnerable? Fail across the board on this one, right? And so the results for this, as you can imagine, thinking of those questions, it's mostly red.
Almost every single one of these specifically teaches insecure practices. You'll notice in the far right hand corner of this the colors are inverted, and that's the question on insecure practices. No is a good answer on that. The yellow ones here, they are no by virtue of not covering any practices. [Laughter] And so there's learning material about penetration testing that's about managing the tests and doing those securely, that doesn't have, like, oh, here's how you do a netcat reverse shell or something like that. So that's why those are there. The book that's all greens all the way across, you know, I haven't done a full review of that book, and so it seems like a pretty decent book and everything. It addressed briefly each of these issues, so it hit all the points. That one I disclose in the white paper because it actually did pass all this, and it's Professional Penetration Testing, Second Edition by Thomas Wilhelm, and so take that for what it's worth. Another book that didn't make it into the study that I actually quite like, and it's not a pen testing book, but it's basically a book about cyber operations, offensive operations, is Matthew Monte's "Network Attacks and Exploitation."
That's a really good book, and so if you're doing large-scale, like a team-based approach, advanced penetration testing, you know, you can learn a lot from that. It really takes you into how nation states attack each other, and that's the sort of mindset you want to start getting yourself into. So out of the 24 works that were in the study, 14 of them did not address any issue at all. Only four books addressed two issues. Every book, every training material, every standard covered some technical practice that was potentially dangerous, almost. Except for the one, so the Professional Penetration Testing, it warned about unencrypted networks whenever it talked about reverse netcat shells. That's the kill. That's the one that knocked everybody over. Right? If not more, and I'll give some fun examples of those. Two of them didn't cover anything. And the most common flaw: you know, reverse netcat shells or just straight-up netcat shells, like listen on 31337 and take commands, right?
00:24:10.182,00:24:15.287 You know, default meterpreter stuff, which is, you know, and the reason it's not call-out culture on this is because, like, if you're teaching meterpreter, it has only been within the past year that you could do paranoid mode and actually avoid these issues, and so it's kind of the thing where it's only now that we can start really addressing this. So I have the greatest hits here. If you were at the BlackHat version of this talk, you'll see some of the same ones, you'll see a couple different ones, and I saved the funny ones for this one. This one you saw at the BlackHat version of the talk, but this is, I just love this one. In a portion of this training material, it's a book but also training, it talks about using publicly available proxies to run your pen test through. Which is awesome, right? So, step one, I don't even remember what it was. But step two, enter proxies into your favorite search... enter the word "proxies" into your favorite search engine. Find a list of publicly available proxies. I'm sure they're all very nice people that run them. [Laughter] Each proxy on the list contains an IP address and a port. Randomly select a proxy from the list and write down the IP address and port. And then punch it into your browser and rock 'n' roll, right?
[Laughter] And note: choose a proxy based outside the US to best simulate what an advanced attacker would do. [Laughter] Some of you learned from this book and you know exactly what I'm looking at here, so, right. Another one here. And you can see that this one's a little bit old; it's talking about BackTrack still. If your version of BackTrack doesn't have FTP installed, install that, right? So that way we can, you know, have an honest FTP service up there for anybody to hit on our infrastructure. But, you know, one technique that could be used to maintain remote access is to use the Metasploit Framework to enable Telnet on Windows. To provide persistence, right? So don't do that, you know. And so what blows your mind about this is the double standard here. We would flip out, like, we have a section of our reports that says these are the systems that we found that you could do administrative tasks on unencrypted: turn off your Telnet, turn off your plaintext FTP, you know, turn off your non-SSL web interfaces to these administrative things, and then on your test you're gonna enable that? It's ridiculous, right?
This one's weird. This one's talking about setting up a ZigBee network to do your test over, not necessarily pen testing ZigBee, but using it as a gateway, like a remote pen testing gateway onto the site. So your drop boxes would communicate back over a mesh network of ZigBee-enabled nodes like a Raspberry Pi or something. And so, okay, that's kind of technically cool and everything. I was like, oh, that's kind of neat, I'm on board, so I started reading that part more carefully and I was like, this is neat. And then there's a part here where it's like, you may be tempted to just automatically start encrypting all of this. It's an option when you're setting all these things up to encrypt the ZigBee traffic. Before you do so, realize that there are certain drawbacks to adding encryption. [Laughter] And so it was like, don't do it man, it just makes it slow. [Laughter] And so I was, oh okay, well maybe at least he's, you know, kind of in close proximity. No, he's like, yeah, doing the pen test poolside at the hotel down the street, that's good; staying in a nicer hotel a few miles away, that's even better, right? [Laughter] And so technically a very cool piece of material, a very cool project that you can do for doing this. But don't do it on an actual engagement, right?
Not, at least not without enabling the encryption and figuring out if it's any good or not. But think of the attack surface you've opened up. It's not just like the Wi-Fi bleeding out of the place anymore, it's miles and miles of being able to just hop on this network, and it's getting easier and easier to get onto these weird protocols. And then this one. There was a book in here that I just didn't really know what to make of. I was very close to just removing it from the study because it was just apropos of nothing, right? And like there's stuff in this book about truth drugs and using those in interrogations. [Laughter] I don't know what kind of engagements they had. I want to talk to whoever scopes them though, because we need to figure out how to approach that with our clients. [Laughter] "Warning: inciting a riot is not a tool to take lightly," nor blah blah blah, what did I just read on this, you know? I mean, what this illustrates, what it really illustrates in something like that: there is another one that I had that talked about the proxy list and things like that. There was one that did the same sort of public proxy list thing, and the recommendation at the end of it is essentially, you know, watch out for these proxy maintainers because some of them might be willing to turn their information over to the feds.
00:29:28.333,00:29:33.238 And I'm like, why am I worried about that as a pen tester on a legitimate engagement, right? And so a lot of times penetration testing in tools and training and books is a codeword for "learn how to hack stuff," and they're pandering to that audience because that audience goes to Barnes & Noble and buys these books way more than professional pen testers do. You gotta stop pandering to that, though. The recommendations for this, you know: improve all of these things, that's really all there is to it. Take steps to improving; you already know how to do it, you just haven't. I'll get back to the demonstration and everything, and I'll show you how to hijack some meterpreter sessions. The TCP ones are just as easy... the TCP ones are theoretically as easy, but you gotta do some fun stuff with sequence numbers and stuff. The HTTP ones, they're stateless, so it's even easier. I'll come back on this and it'll be what we close with. The conclusion for all this, though, is test thyself on this, right? And so if you have folks on your team that are sharp, they can find vulnerabilities in things. Set this up in a test network. However, set it up to where you can see, you can sniff and watch what another third-party attacker would see, what the attack surface exposed is.
And so, you know, we're demonstrating what kind of vulnerabilities are occurring in deploying these threats. And the real key takeaway here is you can't have it both ways. You can't report on vulnerabilities that the clients have... we can't freak out about our social networks that we use not supporting HTTPS when the fully featured backdoors that we're deploying don't. So we have to improve these tools, techniques, and processes. I'm gonna bounce back here to the Metasploit demo here. So the meterpreter, it's great. You know, this is not like proving a vulnerability in Metasploit. This is proving a vulnerability in how most people use it, right? So they're sharp folks, they know what they're doing, and they actually know about this issue and have been addressing it. It's just the most commonly used and documented tool for this. It's easy to use, it's more fully featured than a shell, popular. And so you see operational usage for this everywhere. And, you know, in a remote penetration test you see this sort of traffic going over public networks or hostile networks. It's a simple protocol that meterpreter uses, it's just type-length-value, type-length-value for commands and responses, and so when they started allowing for this to roll over HTTP it's a natural fit because it's stateless, essentially.
But the thing is, you might think, okay, HTTP, clearly maybe that's a bad idea. We'll enable HTTPS and roll from there. The encryption in HTTPS is used by meterpreter not for the security of that protocol; it's used to evade IDS, right? It's used to make it harder to see that this is meterpreter traffic rolling across the network, and so that's what it is, and so it doesn't check the certificates, basically, right? And so whatever certificate, yeah, that works, let's roll. The developers, you know, the folks that maintain meterpreter know this, and so there's a paranoid mode. You go to their wiki and there's documentation there on how to get it all set up, and basically you've got certificates and everything to validate and make sure that you're connecting to what you think you're connecting to. Nobody teaches how to do this. The official documentation does, but this is not in any training material, learning material, so most people don't even know it's there, right? And so non-paranoid mode hijacking, let's take a look at it. Alright, I need to unpause my VMs here. So it'll just take a moment here. While we're doing that, I'm gonna point out the white paper on this.
You know, if you're gonna go to a talk and get some value out of it, dig into the white paper, right, because I think more people should be submitting these with their talks, because this is the archived version of what I've done, right? And so, you know, there's slide decks and there's gonna be the recording of this, but ultimately if you're gonna sink your teeth into this you're gonna need something a little bit more advanced. Taking the tour of the VMs we have going here: while the third-party attacker unpauses, we have the penetration testers here. The penetration tester's sitting here ready to roll with a meterpreter handler sitting there listening. It's listening on port 44443 on this IP address, and its payload is the reverse HTTPS. So we're gonna kick that one off, so the pen tester is waiting for, you know, a client to double-click on something or get exploited. You know, anything that you use to deploy meterpreter, right? Our third-party attacker is also chilling out here with their handler running on another IP address and another high port. Meanwhile the client has something on their desktop here, "Wesley McGrew's docs on paceman," not a .exe at all. And so this could be the payload to your 0-day, everything from that too.
Payload to 0-day, or, you know, the social engineering attempt, because we definitely want to see what Wes is up to. So we double-click it, it doesn't work, so we double-click it five more times, right? [Laughter] But so a meterpreter session pops up on the pen tester, right, and so all that works. Oops. [Indiscernible] So just to show ya that we're on this Windows machine here, and so this is, you know, your normal work in progress here. Behind the scenes, which is what you get with this HTTPS payload, what's happening is we're running a web server essentially in Metasploit here, listening for the remote agent to pull in for commands and to send in responses. Pretty simple. So repeatedly, even as we're just sitting here idle, that thing is making requests to see if there's a new command. Over and over it's making requests. Snag-terpreter.py, it's available in the conference materials. It's a script, you know, it's really simple. I was like, oh, I'll write this whole thing to do it. No, it's just a front end to iptables and arpspoof, right? And so if you're in a network position to hijack this thing, if you can by any means necessary redirect traffic or something, you can take this over.
So if you're on a local network with the pen tester, or you're just somewhere on the network in between, you provide a few things. You provide the interface, the client IP, listener IP, port numbers, the port to forward it to here. All that stuff; if you were clever you could automate this and say let's seek and destroy meterpreter sessions on a big network like the DEF CON wireless. Alright, not that I recommend this or anything. So we've got our malicious handler rolling here. Look at me, I'm the captain now. [Laughter] And so here in a second, what's gonna happen is: boom. Okay, now it's my session. And so the neat thing about the stateless version with this, with the HTTPS and HTTP meterpreter, is that unless the pen tester issues commands, which are gonna fail, otherwise they don't get any indication that it's been stolen out from under them. And if I hand this back to the pen tester by canceling this out, our [indiscernible] fixes it all back up for us and everything. In a moment here, probably almost now, I can go ahead and issue another command here. And so if you weaponize this, if you make this fast, you could get in, start another shell for yourself or just do what you gotta do. Fast, quick, get back. Hand the session back; the pen tester never even knew what happened.
And so with that, that's the sort of thing that we have to learn to improve. We have to learn to not use measures like this on real engagements for our clients that are at risk. So I appreciate you attending, I apologize for the late start, and I hope you have a great rest of Con. [Applause] For questions, we're gonna go over there. [Applause]