My qualifications/work experience:
I began pentesting professionally around December 2010/January 2011 (earlier if you consider my early forays into Google’s bug hunting program).
Since then I have worked for/run engagements against some well known/successful companies & their clients/business partners.
Some companies I have been directly employed by include Schneider Electric (Cybersecurity, Penetration Test & Vulnerability Assessment Lab Manager), National Grid (Senior Red Team Operator & Penetration Test Consultant), Boston Scientific (Security Research Consultant) & Stanley Black & Decker (Senior Penetration Test/DPS Lab Consultant).
These engagements have run a wide gamut: Windows AD environments, medical robots, medical implant technology, PLC/SCADA/ICS targets within Industrial/Energy sector facilities, prototypes still within staging environments, etc.
What follows are random thoughts concerning facets of Information Security, mostly focusing on Red Teaming, Penetration Testing and Hacking (I consider all three the same game under different rules sets) that have really stuck with me throughout the year and/or proved to be of some special significance or importance.
I have posted multiple articles here at 0x00Sec; I will link the majority of them at the end of this article.
My best known is Share thoughts after 6+ years in Pentesting, which was the first of these yearly articles (written/posted in 2017) with roughly the same theme(s) that I endeavor to post every year.
Let’s get dangerous.
I almost typed that with a straight face.
I believe we should begin a wide integration of deepfakes audio/visual tools into RedTeaming and that it should gradually become a regular facet of our toolbox
Our job as Red Teamers is to prepare our clients/customers for the realities that real world actors and their actions present.
Deepfakes usage by real world actors is already a reality and I believe that its going to become a normal facet of everyday cybercrime.
I am not saying that we need to try and apply it to a ludicrous, Ghost in the Shell-esque degree right away, and obviously it may not be a realistic threat where every client/customer is concerned.
It maybe more realistic to start normalizing audio deepfakes, especially in instances where a client’s/customer’s senior management (and more specifically, their voice) can be utilized to test an organization.
I don’t think deepfakes is every going to overtake phishing and other social engineering techniques in popularity, but they could certainly add to the effectiveness of them.
And I do not mean just utilizing deepfakes in a technology vs. person context, but also a technology vs technology context.
For instance, integrating deepfakes does not only have to be limited to attacking a clients people with social engineering attacks.
Attacking a captured device that normally utilizes facial and/or voice recognition is likely another reality that some clients/customers may eventually face.
I have seen drones widely integrated into Red Teaming scenarios; I think deepfakes is a similar case of a tool that doesn’t fit every threat model and is highly situational but is out there and should be in our toolkits as the technology continues to become more applicable/available.
And I am not only talking about the more advanced GAN variants, but also the simpler/more available mobile applications out there that achieve things that are similar to deepfakes technology, like facial filtering apps.
Skill in Linux/BSD administration/usage is more important/deadly then ever.
Linux is everywhere, now so more then ever with Windows implementations of Linux subsystems and tooling/utilities like OpenSSH.
Given a large enough network, you will almost certainly find a developer’s host with at least Python installed, if not a VM with a Unix/Unix-like OS or Linux subsystem.
When enumerating these targets, look for instances where “dev” is present within host/segment/subdomain/email names and naming conventions.
With a minimum of Python available, using pip to bring in Impacket is a huge win; it gives you a set of tools that can accomplish most facets of Windows exploitation/advanced enumeration like NTLM/SMB relay attacks.
I have never triggered AV/AM with Impacket’s tools, though I am careful with anything that utilizes Pass the Hash/PSExec type functionality (like SMBExec).
Impacket also gives you most/many of the prerequisites necessary to install tools like Responder and CrackmapExec, both of which pip can also facilitate.
Just having access to Python gives you some solid options for upgrading a shell you may have gained that is not so feature rich (such as those that sometimes occur when gaining a shell via Apache or using Netcat as a handler) to pseudo-terminal functionality via PTY.
Fortunately, PTY is part of Python’s standard library.
Dropping an .exe to disc is normally not the best idea.
However, in situations like testing the security of company issued laptops or when you absolutely need a Linux/Unix environment on a restricted Windows host, you can install Cygwin (and thus, a sizeable Unix-like environment) without Administrator rights from CMD using the “–no-admin” option (https://odoepner.wordpress.com/2014/01/10/install-and-maintain-cygwin-without-windows-admin-rights/).
In my experience so far, unless there are Linux hosts amongst or maintaining connectivity to/with a Windows Active Directory environment, Windows Administrators are not yet configuring network defenses to deal with Linux utilities like OpenSSH very often.
This makes it valuable for bypassing things like firewalls/AV/AM; however, if detection is something you are trying to avoid, you may want to have your usage of these utilities match other network traffic/utilities in play.
As an aside, developer hosts are often valuable resources for lateral movement as they tend to have less restrictions/greater resources compared to other hosts within enterprise networks and often receive less scrutiny regarding the traffic emanating from them.
Sometimes they are Internet facing, though segregated into staging environments or something similar.
In my experience, if a staging environment shares a nameserver with a few of the targets domains/subdomains, there is usually a high probability that creds/hashes taken from the staging environment are going to be useful vs. other hosts outside the staging environment.
Also, as far as skills in operating Linux/BSD usefulness go,Unix/Unix-like operating systems dominate the Internet, existing in forms like Linux, BSD, Android, OSX, IOS, Solaris, etc.
For maximizing your returns on developing skills useful in exploiting/administrating both Linux and Android, playing with Busybox is a pretty sweet deal.
Similarly, developing the capacity to operate BSD at even a base level yields skills that are useful in operating OSXs terminal (Brew!) and (in my experience) has been at least a bit helpful in dealing with the odd Solaris/Sun Microsystems/HP/Oracle variety Unix (I realize Sun has been owned by Oracle for awhile now and still hate that the company is gone).
Hacking and the hacker community have given me the means to build something that is mine.
My childhood was no bueno. I grew up in a city that has been regularly ranked as one of the 50 most dangerous cities in the United States.
I have died. I have been homeless in Boston during the winter. When I was younger, I may or may not have been committed to being committed.
I am completely self taught with a GED education.
The last four companies I worked for were Fortune 500 or Fortune Global 500 companies and I held Senior or Manager related positions.
By combining hard work and the knowledge those that came before me gifted to this world, I have forged so much for myself.
The most important of those has been purpose and a place in this world, both of which I doubted the existence of for quite awhile.
If you refuse to give up on yourself and your dreams, those dreams can come true.
But you have to put yourself out there; you have to risk in the face of those things you fear.
No retreat. No surrender. Never give up on yourself. Ever.
Search engine dorking seems to be increasing in potency/effectiveness
This year, my experiments with search engine dorking led to some incredible finds, especially after learning techniques from online data hoarding and piracy communities who actively search for open directories containing media.
For instance, dorking using site:http://drive.google.com +“drive/folders” finds publicly available/accessible Google Drive instances.
In 2019 I found open Google Drive instances belonging to both the Clinton Foundation at https://drive.google.com/drive/folders/0BxhYOtObFLfiUzYzNUxLMGY4eGM & and various documents surrounding Donald Trump’s business dealings at https://drive.google.com/drive/folders/0BziqO0UMlQeYWThiQlQwVUQ0UEk
Using this and other techniques, I also located multiple online caches of paperwork/records belonging to multiple US courts; many of these included cases that were yet to be resolved or tried and many of them contained sensitive information.
My research is ongoing, but I generally drop sources/interesting finds via Twitter posts every so often.
Open your eyes
Tools like TCPDump, Wireshark and Responder in Analyze mode are some of the most important tools I run, and I run them almost constantly while in a target’s LAN.
These are my eyes. They allow me to see the environment around me.
Do I want to blend in better? I may look at host names, operating systems, user agents, common protocols/services/utilities used and spoof/change attributes of my host to match the environment around me.
What AV/AM is running within the LAN?
Instead of conducting more intrusive scans, I can watch for ePO and other traffic created by AV/AM within the network to identify what I am up against.
These tools allow me to make better decisions in regard to what and when I enumerate.
Every action I take in LAN raises the probability of being detected.
Instead of taking unnecessary actions or deploying tools which trigger IPS/IDS or stick out as an abnormality, I can enumerate hosts through analysis of the traffic and/or time when I use tools to coincide with periods of heavier/similar traffic to better blend in.
For example, many of the Industrial/Energy sector targets I engaged ran Ferret or a similar utility to collect data on/from the surrounding systems/hosts. Often, this traffic involved Ferret spraying ICMP and SMB traffic at entire IP ranges (some Ferret deployments I saw created waves of traffic that resembled fluxing/spraying worm malware).
What better time to deploy tools like SMBMap or SMBspider then when Ferret is causing it to rain SMB traffic to and from existent and non-existent hosts alike?
Finally, not only are the PCAPs a portable form of recon that you can study outside the target network to better decide strategies/tactics for the next session, but you can also run Predz and net-creds against them, stripping them of credentials, interesting URLS, names of interesting files, hashes, etc.
This makes tools like Wireshark/TCPDUMP akin to others I use in establishing a technique I call Passive Advantage: they serve multiple purposes, are fairly innocuous and can render tremendous results with very little investment of focus/activity when within the target’s network(s).
Android…
Android has been an important tool for my success in external pentesting/Red Team engagements.
Often, a lack of awareness or attention create the most vulnerable points in a target’s security.
Awareness of the vulnerabilities Android applications (or more broadly, mobile applications in general) can create in enterprise infrastructure definitely seems to be lacking.
For instance, decompiling Android applications can yield tokens/API keys/certificates that can be leveraged to access enterprise infrastructure/resources, especially where Cloud infrastructure is concerned (for instance, AWS, Google Cloud services like Firestore/Firebase, AWS instances, etc.).
A couple of the simplest means to leverage Android apps towards infrastructure exploitation: use Androguard GUI to search for strings such as URIs/credentials or Keyfinder to locate keystores and/or certificates.
There are also more advanced attacks against the perimeter that can be made through using Xposed Framework modules/older versions of Android (5.1 and prior) to bypass certificate pinning and more easily establish certificate substitution (while allows you to fully proxify traffic through Burp and such).
Then there are attacks with tools like Drozer which may allow you to attack content providers (which could harbor backend databases) that may be available.
There are a ton of facets of an Android application that can be used to gain a foothold in perimeter infrastructure or provide unique reconnaissance.
Most importantly, much of the knowledge/tools/techniques to do so can be added to your repertoire fairly quickly.
These skills expand the target’s attack surface and give you options.
The more options you have, the more opportunities you have to make the most advantageous decisions possible; at the very least, options give you the opportunity to postpone making a decision that places you at an outright disadvantage.
Even if you do not find an outright vulnerability that effects the perimeter by engaging/enumerating an Android application, in most instances, you are gaining greater knowledge of your target while usually sustaining a position that minimizes the possibility you will be detected (for instance, you can decompile an Android application offline).
Options are advantages.
Passive Advantage
As I have stated before, I believe Red Teaming/Penetration Testing/Hacking are arts of acquiring, applying and improving advantage.
During an engagement, I am always looking to acquire, apply and improve advantages. I study and train to better recognize and maximize the resources within an environment that allow me to gain, use and make the most of those advantages.
Gaining these advantages are more a product of knowledge and experience then an application of tools.
Advantages are the building blocks of tactics/strategy, which I believe are an understated facet of hacking in general.
Without tactics/strategy, an engagement becomes a contest that pits static quantities I possess (intelligence, knowledge of vulnerabilities, capacity to utilize tooling, etc.) vs. static quantities possessed by defenders/the target’s IT staff (their intelligence, knowledge of vulnerabilities, familiarity with the environment that will comprise most of the engagement terrain, capacity to utilize tooling, etc.).
Tactics/strategies allow you better/more creatively utilize those static quantities you possess and position yourself to best neutralize/exploit/manipulate those static quantities your target possesses.
One of the tactics I use most is what I call Passive Advantage: using automated tools to gain advantages for you via passive reconnaissance while you attend to other tasks that necessitate greater focus.
For instance, let’s say I am decompliling an Android application.
Before narrowing my range of attention/action, I start Spiderfoot (configured for fully passive reconnaissance, targeting the Internet itself but not touching target sites directly) vs. target domains/subdomains, Pagodo auto dorking vs. target domains/subdomains(automated Google dorking vs. the entire Exploit Database collection of Google dorking strings) and Datasploit.
None of these tools need my direct attention past first configuring/running them (until the time comes to analyze the results of course), they never directly touch the target’s domain/subdomains (so there is minimal chance these actions will lead to detection) and they are developing/delivering advantages for me while I am working elsewhere to create/improve/evolve other advantages.
When I finally get around to analyzing the results, I then start these/similar tools again vs. other target resources (maybe other domains/subdomains, email addresses of interesting employees, specific IP addresses/IP ranges, etc.).
I am chaining Passive Advantage, creating a near constant flow that finds/refines/contextualizes data specific to the target; the process creates options, while allowing me to better weigh my actions and advantages.
I will keep Passive Advantage perpetually running, which usually results in a process of refining the most applicable data I find: the first series may run against a master domain, then the subdomains found, then specific IP addresses/ranges found; this may shift to a particular employee email addresses/corporate email convention as I look for passwords that may have been disclosed in a recent breach/dump, etc.
Eventually, your mind will get quicker at analyzing the data that you are constantly making available to yourself.
For instance, I have become pretty good at searching/prioritizing the categories Spiderfoot logs results under and focusing my attention on those categories that are likely to aid the situation I find myself in or issue I am facing.
When engaging a target,I want to create offensives rather then just offense; Passive Advantage is a key tactic in establishing/sustaining that strategy.
I want to have as many moves to play as possible throughout an engagement.
OSINT is awesome and its quantity/quality continues to grow
As I have stated before, we live in a world that is hyper communicative, with much of this communication occurring on the Internet.
On the Internet, companies/products want to communicate their value to customers and people want to communicate with other people.
Open Source Intelligence (OSINT) is a byproduct of these online communications, and as the quantity of these communication continue to increase, the resources that yield OSINT will also increase.
In hacking, Red Teaming and Penetration Testing, we weaponize information through the application of our experience, intelligence, strategy, creativity and tooling.
This capacity is a major distinction that separates an experienced hacker from most other users on the Internet.
Our world is permeated by the digital world; more and more often, occurrences in the digital world shape occurrences/behaviors in meatspace.
This has led to a crowded headspace where more and more things are trying to gain our attention.
The more these things try to gain our attention and the more they try to differentiate themselves on the Internet, the more OSINT there is to collect, analyze and then weaponize.
Know thyself and make your attributes/interests work for you.
This game is more about evolution then emulation.
Start out on the paths others blazed, then wander farther and farther off of them.
Let your interests lead you off the path…don’t be afraid to get weird, don’t be afraid to be wrong and make mistakes.
Don’t be afraid to fail.
At some point on my own path, I became determined to make meaningful contributions to the world and came to believe hacking is/was my main mode for making these contributions.
I am not intellectually gifted and this is a field teaming with geniuses.
However, I have an excellent memory (especially when I read the information and I am interested in the topic), have suffered lifelong bouts of insomnia & a have a strong work ethic.
On the negative side, my mind often drives me to constantly explore different facets of a subject rather then just focusing on what is at hand; I may start learning new facets of a programming language only to end up programming something completely unrelated because some facet of my learning compelled me toward it (maybe an example or quick aside/topic mentioned in the reference material).
When I began learning to hack, many written sources stated that specializing in some facet of hacking (wireless, reverse engineering, network penetration, etc.) was the way to go after learning gain at least basic understanding of topics like Windows/Linux systems/network administration.
Eventually, I decided to specialize in being as well rounded as possible offensively and defensively (though with a greater focus on offense).
This greater focus on the offensive side of things grew from my natural interest in adversarial tactics: finding, penetrating and exploring blackhat infrastructure in the wild is especially interesting to me.
Since it interests me so much, I learn as much as I can about the infrastructure and modes of exploitation, persistence and command/control used, which in turn aids my defensive skills.
While working for Schneider Electric, I designed the GPO/LGPO, Internet Explorer, general security and GDPR/general privacy settings for their implementations of Windows 10/Server 2016.
I was lent out to Saudi Aramco (the most valuable company in the world, worth an estimated $3 trillion dollars) during the Shamoon 2.0 attacks in February 2017; my analysis (which included remediation, identification, containment, forecasting, etc.) based on documented SMB worm traffic patterns/behaviors/indicators and past uses/evolutionary patterns of W97M.Downloader, became the basis for an action plan used by Saudi Aramco as well as other Middle Eastern Industrial/Energy sector companies.
I had the necessary skills because I followed my natural interests, capabilities & temperament; by learning offense I understand defense, by learning defense, I understand offense.
Have fun. Having to study less interesting stuff is inevitable, but focus more on what interests you and follow the path where that delivers you.
Keep doing that consistently and you will find your place.
Other articles I have written here on 0x00Sec: