Wild West Hackin' Fest

Ever needed to pentest a network with 10 gazillion hosts with a very limited time frame? Ever wanted to Mimikatz entire subnets? How about shelling entire subnets? How about dumping SAM hashes? Share spidering? Keeping track of all the credentials you pillaged? (The list goes on!) And doing all of this in the stealthiest way possible? Look no further than CrackMapExec!  CrackMapExec (a.k.a CME) is a modular post-exploitation tool written in Python that helps automate assessing the security of *large* Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve it's functionality and allowing it to evade most endpoint protection, IDS and IPS solutions. Although meant to be used primarily for offensive purposes, CME can be used by blue teams as well to assess account privileges, find misconfigurations and simulate attack scenarios. In this demo heavy talk, I will be showing off v4.0, a major update to the tool bringing more feature and capabilities than ever before! Additionally, we will be taking a deep dive into the internals of the tool itself to understand what makes it 'tick', how to properly defend against it and how to customize it to your needs! If you are interested in the latest and greatest Active Directory attacks/techniques, weaponizing them at scale and general cool AD stuff this is the talk for you!

Last year I released a tool called MailSniper which assists in locating sensitive data being sent within emails. Over the past year, a number of other pen testers and I have used this tool to search emails, and have found users sending CCNs, passwords, and insider intel all in cleartext over email. I will show some of these examples and will demonstrate step-by-step how to remotely compromise an organization through an external mail server. 

Fiat currencies around the world are beginning to transition to a purely digital form. Venezuela just killed the 100 bolivar note, India removed the 2000 and 4000 rupee notes, and the EU just removed the 500 euro note.  With a purely digital fiat currency, governments expect to expose black market monetary stockpiles, increase the number of participants in the banking system, and improve fiscal efficiency.  But there is also a juggernaut preparing to assault financial institutions: cryptocurrencies.  Money is flowing freely, with no capital controls, and the metadata surrounding financial transactions is more valuable than the money itself--yet often poorly secured.  It does not really matter if bitcoin is a fad or if the Hyperledger project can live up to its promise: blockchains are a disrupting technology and they will destroy established business models.  It is very likely the Bretton Woods economic system as we know it will transform before our eyes in the next few years.

This all poses a huge security risk as fintech businesses can no longer be secured in the way a traditional bank was, with locks, vaults, and stern guards.  The digitalization and outsourcing of digital processes in the financial world transforms IT companies handling these assets and processes into new forms of banks themselves.  We’ll discuss how the collision of infosec and finance is leading to a redefinition of what money itself means to governments and to you.

The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a roadmap to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what have we accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format

Live demo and more information on the tool I wrote to generate password usage statistics in a Windows domain. This tool is useful to penetration testers and security professionals who have the ability to dump password hashes from a Windows domain controller. The Domain Password Audit Tool (DPAT) is a python script that will generate an interactive HTML report to help you understand password use in an environment and identify issues. https://github.com/clr2of8/DPAT

BloodHound has changed how red and blue teams approach risk in Active Directory environments. The interface is slick, the install is painless enough considering the dependencies, and the pre-built analytics deliver actionable intelligence. However, BloodHound isn’t just another fire & forget tool, it’s a platform for users to build on. The foundational elements – a reliable backend, a means for ingesting, querying, and displaying data – are already taken care of. The piping is in place for users to extend the already-great features and tailor it to their specific job function or workflow.

This talk will cover how I’ve adapted BloodHound to enhance my workflow as a penetration tester. I’ll demonstrate custom extensions used to track and visualize compromised nodes, highlight privilege gains, represent password reuse between users or computers, blacklist unwanted nodes and relationships, and more. Folks who attend this talk will gain a solid understanding of BloodHound’s underlying Neo4j data structures, as well as how to write Cypher queries in order to build their own BloodHound customizations.

Many organizations are accustomed to being scared at the results of their network scans and digital penetration tests, but seldom do these tests yield outright "surprise" across an entire enterprise. Some servers are unpatched, some software is vulnerable, and networks are often not properly segmented. No huge shocks there. As head of a Physical Penetration team, however, my deliverable day tends to be quite different. With faces agog, executives routinely watch me describe (or show video) of their doors and cabinets popping open in seconds. This presentation will highlight some of the most exciting and shocking methods by which my team and I routinely let ourselves in on physical jobs.

Email is a large threat vector for many organizations. This is an area that could allow any outside entity to communicate directly with employees. Two of the most common attacks are phishing and malicious content delivery. Phishing is an attempt to capture a victim’s credentials or information that could lead to a system compromise or data leakage. Malicious content delivery, on the other hand, is a way for an attacker to send the victim an email with a malicious email attachment or link that could potentially compromise the victim’s system. In an effort to combat this attack vector a process was designed to annihilate emails that contained such threats. Emails that get reported are analyzed to determine which comprise of threats. Emails containing threats are eradicated, whereas benign emails are silently disregarded. The whole process and life cycle of the malicious emails were documented in way to show the efficiency of the process and are detailed to get a full understanding of this attack vector. The metrics that will be mentioned are from reported malicious emails, which is a good start to understanding how defenses could be implemented or improved against the email threat vector. The talk will emphasize the whole process from emails that get reported, to the analysis, and to the remediation of threats. This talk will also mention the various techniques to prevent compromises from malicious office documents and other dangerous attachments.

Imagine that you've purchased your small a cheap IP security camera to feel just a little better with your own physical security. Now imagine that the people who designed that camera know nothing about secure programming, security or programming at all. Imagine that your precious camera can be hijacked into a botnet with only one broken HTTP packet. Now stop imagining. In the end of 2016, my fellow researcher Yoav Orot and I published our research paper about hundreds of thousands of white labeled IP security cameras being vulnerable to a simple attack that allows an attacker to gain complete control of the camera, including code execution as root without any ability to patch. Our research was published in dozens of website and was even covered by security blogger Brian Krebs. We did not publish any technical details yet since we had to wait for the vendor's answer. This talk will dive deeply into the product, our research process and into the vulnerabilities themselves. I will walk through all of the steps in our research (from hardware hacking to firmware dumping and just plain old reversing) and demo the exploits and explain, step by step, where the developers went wrong, what could have been done to avoid this situation and why this problem is so severe. There will be root shells, there will be exploits, there will be tears. Attendees of this talk will leave with some insights about IoT security and embedded device hacking.

In this presentation, I'll be walking attendees through some of the primary attacks causing breaches today. He will discuss what the attacks are, how they happen and what organizations and employees can do to prevent them. This presentation is designed to discuss the breaches based on real-world examples and provide actionable solutions.

TLDR: “In the midst of chaos, there is also opportunity” Applying the strategies and precepts of this ancient treatise on bellicose arts to the attack and defense of Internet of Things. Using examples from recent InGuardians work, we will look at some of the most common ways to exploit IOT devices and what we suggest can be done to raise the bar in their defense.TLDR: “In the midst of chaos, there is also opportunity” Applying the strategies and precepts of this ancient treatise on bellicose arts to the attack and defense of Internet of Things. Using examples from recent InGuardians work, we will look at some of the most common ways to exploit IOT devices and what we suggest can be done to raise the bar in their defense.

The hacker/security community continues to struggle with how to get our message across to others. We know what's wrong, what's insecure, and what needs to be done to fix the problems. BUT...we seem to hear more stories about failure rather than success stories. Maybe WE are part of the problem. It's easy to give a talk at a conference where you're "preaching to the choir" and everyone speaks your language, but how do you fare when you are trying to give the message to your boss, or your bosses' boss, or C-Level management? This talk explores a variety of techniques that I’ve learned over my 20+ years of consulting/advising customers about how to get the right message to the right people so real change happens. I'll explore obstacles, attitudes, and challenges that I've faced in hundreds of companies; practical methods for getting your point across; helping others to understand what you are saying; learning to speak their language; and helping them to draw the desired conclusion. This is part art, part science, and maybe a little luck - but I believe there are skills you can learn that will make you a successful communicator and get your message heard.

Popular wordlists such as Rockyou and Uniq are great when used with a variety of rules and big hash sets. But what about the hashes that you aren't able to crack? And what about those users with a base word not found in a standard dictionary?

Queue Wordsmith, a tool that creates wordlists that are tailored to the target’s location. We’ve parsed and analyzed several geographic databases to find road names, cities, counties, landmarks, sports teams, and more for regions all around the world. Built using a modular framework and hosted on GitHub, Wordsmith’s database can easily be updated by anyone with a text editor and an interest in geolocation or spatial databases. With data from 249 countries and territories, Wordsmith can bolster typical dictionaries by adding the name of that unique street that a person grew up on, or by appending a region’s postal codes, all so you crack those hard-to-get hashes.

The modern Windows Operating System carries with it an incredible amount of legacy code.The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence and privilege escalation. We will present novel persistence techniques using only the registry and COM Objects.