Hi guys, I hope you are well. I will start briefly by just telling you this is my second talk, the first one being "Stupid Pentester Tricks". This year we take a new approach and use stupid tricks to solve problems. The intent behind most pentests and red team engagements I have is: if it's stupid and it works, then it's not stupid. In this room there are plenty of people who are super elite, who know about assembly and do really hardcore stuff. I'm not one of those guys. All I do is cheat. So I just want to share with you some stupid tricks that I use that really work. In fact, it's like teaching old pentesters new tricks; that's really my approach, a new approach on things, really stupid. So I hope that after this presentation you guys have the confidence to try your own red teaming tricks. But do not expect assembly or zero-days in this talk.

So let me start with a classic, the good old USB key drop. We've seen it in movies: people drop USB keys. The thing is, I don't know for you guys, but we have perhaps a 35% success rate. Oh, it's flickering. All right, almost good. So the good old USB drop only works 35% of the time. Almost... oh, it's good enough. All right. So the reason why it doesn't work so much anymore is because laymen know about it. It's in Mr. Robot, it's in the Bourne movies, in the great movie Firewall, the exceptional documentary Hackers, and CSI: Cyber. Everybody knows about it. That's why people don't just plug in dropped USB keys anymore, because we all know about it.

I changed this completely. I found this awesome new technique, a brand new zero-day: instead of dropping USB keys, I drop keys with a USB. And I swear, it's a whole different game. We do post-infection interviews and people are all like, "This is totally different. I was trained about not plugging in USB keys, but this is an entirely different thing." And it works really well. Now I know some of you are telling me, "Well, you know, this is last year."

Last year I talked about keys and people all wondered how I got keys. So this year I purchased 20 kilos of keys for you that a volunteer will walk around with. You can buy them by the pound on eBay, so don't worry about it. Please take as many as you'd like.

So why keys? While you are getting keys, the reason you need to know is this: do you know who this guy is? This guy is the patron saint of pentesters. This guy is called Milgram. He's a psychologist who did psychological studies in the United States in the '50s on two really cool subjects: authority and influence. This guy found out that depending on the context, you can have people do pretty much whatever you want. What he did is he sent letters to himself, addressed either to Friends of the Nazi Party, my very sick grandmother, or the AAA, and he looked at how many cards he got back. Turns out if you have a sympathetic link with the person, then you get more people to do what you want, in this case plug in the USB keys. So last year, for some people who were there, there were some talks about Disney-branded keys. Well, turns out that if you have a baby-face keychain or a Disney-branded key, it works so much better, because no pentester would do this, right?

One more thing: you can also target who will plug it in. You can also purchase hundreds and hundreds of RSA tokens, and why you want to purchase hundreds and hundreds of RSA tokens is because when people find keys, you want the sysadmin to plug those keys in. So if you have a VPN token, people will simply go to the IT department and say, "Hey, look, by the way, did you drop those keys?" and they will plug it in. Now I know what you're gonna say: "Yeah, but who buys hundreds and hundreds of RSA tokens?" Turns out I did, and a volunteer will be sharing them now.

Now that the USB trick is shared, let me start another stupid one: email tricks. Sometimes I want to intercept emails between two targets, but I can't exactly MITM them at all; it's super complicated. So what about a stupid trick instead that would allow me to intercept emails between two people? Well, I'm not sure if you know what OAB is, but OAB is an Outlook file called the Offline Address Book, and basically what it means is if you reply to someone or interact with someone, you will get added to their offline address book. Basically, all you got to do is be before the person in alphabetical order. So say if I want to be John Smith, I send an email as "John A Smith", and if I get the person to reply to me, then I'm just before them in the contacts, because who types the whole email address in Outlook? You start typing the email and it'll autocomplete, right? So all you got to do is make sure the person replies to you and you're the first one. So you can man-in-the-middle specific conversations between two people just by sending one email.

Now the question you should ask yourself is, how do you get the person to reply to you? And that's where it's a bit tricky. It's a bit tricky because you need to be just passive-aggressive enough to get an answer, but not too much, because they'll call right away if it's too awkward; the person will just call. So this is my favorite one: "Hey <name>, did you receive this email? Is there an email problem? Are you avoiding me?" You're giving the person an out so they can say there's an email problem, and it's an out so they will not pick up the phone. If you're too aggressive, they'll call, and then they'll know something is wrong.

One thing: if you're more of an APT, just buy a very similar name and wait for files to come in. I've seen some campaigns where they buy a very similar name, like they add one more L at the end of the name, or one S, and they just wait for typos and grab the files people send, and that's it. So basically emails are not that difficult most of the time.

Now, in the past I've also done alarm systems. Alarms: I'm going super fast because I want to make sure you guys get all the content I can give you in 30 minutes. With alarm systems I see most people struggle a lot, and people struggle a lot because we take the problem differently. We're all trying to sabotage the system, to bypass the system while it's on. But in most of your organizations the alarm systems are off at least half of the day, when clients are in. So how about, instead of bypassing the system and using special radios and decoding and keys and difficult stuff, how about you just buy a PAM? I'm not sure if you know what PAM is; it's like grease, and it is wonderful to bypass pretty much every movement detector. Spray PAM, one light spray, will totally block any movement detector and you're done. Now let me ask you, how many people clean their movement detector before they leave? I think the answer is next to none. This technique is totally not mine; I stole it from the Antwerp diamond thieves, and I think if it's good enough for the Antwerp diamond thieves, it's good enough for us. If, say, you don't have PAM on you, just move an object in front of the sensor. You wouldn't believe how many times I've just moved a plant a few inches left and blocked a whole sensor. And that's pretty much all you need to do.

Now you've bypassed, or you're already a ninja and you've bypassed already, all the movement detectors, but you still have doors. Now most of the door systems are super simple and can be bypassed with magnets. But the trick you need, the question you ask yourself, is how do I know if the system has an alarm and how do I detect where to shim, because that's how you bypass the system? The trick is called magnetic viewing film. This is magnetic viewing film. This is a magnet. So the moment it's next to a magnetic field, it'll show up. So you just put this next to the door and you know immediately where to put your shim, so you don't need to carry fancy electronic equipment. You don't need to carry anything else. All you got to do is carry this around; no batteries required, nothing. It costs five bucks on eBay and that's it. You know exactly where the alarm system is and how to bypass it, just with a simple film.

Now, in the movies, we know a very important part of any heist is obtaining blueprints. It's a super important part of any heist. Now I'm not sure if you've tried to get blueprints in a heist, but you can't just call the city and say, "Hey, by the way, do you have the blueprints for that vault?" People don't usually give you this. So how do you do it? Well, turns out there's a company called Emporis that buys pretty much every plan they can in Canada and the United States. So for 15 bucks you get pretty much any blueprints you want. It's a building research company and it's really awesome. So I guess they don't show that part in the movie, but it's pretty much like in the movies: you call, you download the thing, there's techno music. It's pretty cool.

I'm moving to the next subject: command and control. So for people who are not a bit into malware, CNC or command and control is how your malware interacts with you, how you give it orders. The problem is, when you're doing red team, having your CNC detected is a problem, because if it's found, then your campaign is pretty much over. So let me give you a few tricks that I found useful that are pretty stupid. My favorite one is, if you can, host your CNC on your victim's server. Turns out there are quite a few places where you can put data and it'll stay there. Say, for example, if you have a forum or product review where you can inject text, well, send your text there. You have the malware fetch it, and this way, if people are looking at logs, they'll just see legit traffic going to legit websites. And most of the time, if it's internal, there's not even any proxy between the client and the corporate server, so pretty much there are no inspection points.

Now where can you find this? The best place is if you have a Notes server (that's Lotus Notes; sorry for its users). If you have Lotus Notes, there are special keywords, you can look them up online, that allow you to upload or edit forms without permissions, so you can hold it there. Many workflows are multi-step forms: you do the first step, press next, do the second step, press next, do the third step. But if you stop at the second step, the data on the form will be saved server-side and you can use this as a command and control. So you can leverage your own client's server as a CNC, and this way it's super nice because whoever inspects the traffic sees traffic going to themselves. Of course, encrypt your data, because the last thing you want is your client finding out about it and leveraging your own CNC to clean itself. So use some encryption at least.

One thing that's super nice, once again this is not mine, but I felt it was super nice, is a side channel. There's a framework called Gupt, and what Gupt is, it's malware that looks for SSIDs around it and executes commands based on the SSIDs around it. So if you have physical access, or are near a place where you have physical access, you infect with the malware and use a side channel, being the names of the SSIDs around it, to send commands to it. There's no way a SOC is gonna find this. It's really nice, super simple. It's not mine, but it's awesome, so I'm sharing it with you guys.

One thing I find really nice: there's a talk at Black Hat this year that will talk more about it. It's not mine, so apologies to that person. Some hosts are not even allowed to access the internet. Sometimes there are several proxies or different things, but what pretty much all hosts can do is send emails via Outlook. Now Microsoft has awesome documentation on how to use Outlook to send and receive emails. It's on TechNet; it's really, really well documented. You can use Outlook as a channel to send and receive emails, and this way you can have your malware do this. And of course, provided there are no weird words or anything, there's no proxy, there's nothing; it works super well. Of course, you need to make sure you delete the emails as you send them and as you receive them; otherwise it'll be fairly obvious for the person who receives them.

Now I have something brand new for you guys. So this morning I was watching this talk about shellcode in images, right, "Don't Kill My Cat", and it's super awesome. But it's super complicated; it requires knowledge about assembly and everything, and I felt this is really hard. There must be a stupid way to do it. Turns out there is. So instead of putting the code in a BMP polyglot, how about you just write the code in text and do a print screen of it? So you have a JPEG file of the text of your assembly, and then you use PowerShell to do OCR on the file instead. It works the same. The moment we have AV people doing OCR on images, we've won, guys. There's no way this is gonna work. So it's just the same thing done differently, and it works.

All right, exfiltration. So we all know about DLP, about some super, super advanced techniques to prevent exfiltration. Let me show you two really nice ones. The first one is: encrypt the data and upload it to VirusTotal. Some people may know that if you have a paid account on VirusTotal you can download submitted samples. So say I want to exfiltrate data, and I don't want there to be a link between myself and the client: I can submit it to VirusTotal, then later, with a paid account, download the file. So if people are looking at network traces, there is no way they're gonna find the exfiltration. Super nice. Just make sure, if you're a bad guy no problem, but if you're a pentester, make sure you encrypt it before, because you don't want to really share all the secrets of the client. So just be careful.

One more thing: there are some really simple systems that block USB keys on the hosts, but most of the time all they do is block the driver USBSTOR.sys. So take your old Zune, or any device talking MTP, and suddenly you'll bypass most USB blocking software. So it's a simple trick: buy a Zune, they're like five dollars on eBay, and you're done.

Now let me move to the next subject: de-anonymization. So on some contracts we're allowed to attack clients at home. So if we can find where they live, we can perhaps attack the Wi-Fi at their home. But the problem is how you get their address; most of the time all we have is a cell phone number. Well, in this case, the idea is you need to find a service that, when you call with a spoofed phone number, will give you your address, and turns out there are way more than you'd believe. So the first thing you need to know is how to spoof a number. It's fairly simple. There are apps that do it for five dollars; this is really, really easy. And you can call all those services, like automated taxi services (name withheld): they will say, "Oh, do you want a taxi at the following address?", which is the last address you went to, but all it takes is your last phone number. It looks up your number, so if you spoof your phone, you can have that person's first and last taxi location. Some large energy providers, if you report an outage, will say, "Oh, did you mean, is there an outage at that address?" and then you get the address of the person. Some delivery and postage services have a similar service, where there's an automated teller system that says, "Give your phone number and I'll tell you if there's a package, at what address." So what's amazing with all those services is you don't need to speak to a human. All this can be scripted and it works super well. So if you want to de-anonymize someone, from phone to address, all those tricks are super simple.

Now, Rubber Duckies. Let me first tell you what a Rubber Ducky is: a Rubber Ducky is a device that emulates a keyboard. They're super nice, from Hak5, that's really, really nice. Rubber Duckies, there's only one problem: they cost 50 bucks. So first let me share with you, and this is not mine either: did you know that you can buy a $1 Rubber Ducky? It's called the ATtiny85, and it's a $1 Rubber Ducky. So suddenly it's way more interesting if you lose it or forget it in the admin's laptop, for example; then it's less of a problem than if it's a $50 Rubber Ducky. And it's super, super simple. It looks like this (there's no way you're gonna see this, but it's that small); it costs one dollar, really nice. I'll give you the link. I repeat, this is not mine, it's some awesome researcher's. But it's stupid because you just need to follow the two instructions and you're done. Same thing, there's some super awesome research.

So let me set the scene once again. We're in the movies. Imagine if you could, as you walk between computers, see all the computers go black and shells start popping up. That would be really nice, right? Well, turns out it's totally possible. There's a really cool attack tool that can hijack keys in wireless keyboards and mice, and there was a talk at Black Hat last year. Super simple, and now there are tools available for it. So try to imagine: you walk around, no physical access except a window, and if people have wireless keyboards and mice, you can inject keystrokes, such as Windows-R, "powershell -nop something something", wirelessly into keyboards just as you walk around. It's super nice. You need to look it up.

And that's it, guys. I was super fast. Do you have any questions?
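A defender-side check for the two mailbox tricks the talk describes, the "John A Smith" lookalike contact that sorts ahead of the real one in the address book and the domain that differs by one added letter, written as an added example and not part of the talk; the directory, trusted domain and sample senders are constructed for illustration.

```python
import re

# Constructed sample directory and trusted domain for this example.
TRUSTED_DOMAINS = {"example.com"}
DIRECTORY = {
    "john.smith@example.com": "John Smith",
    "ana.lopez@example.com": "Ana Lopez",
}


def edit_distance(a, b):
    """Levenshtein distance; one insertion catches 'exampple.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(display):
    """Lower-case the display name and drop single-letter initials,
    so 'John A. Smith' collapses to 'john smith'."""
    tokens = re.findall(r"[a-z]+", display.lower())
    return " ".join(t for t in tokens if len(t) > 1)


def classify_sender(display, address):
    """Return the reasons a sender looks like an impersonation of a
    directory contact; an empty list means known or unremarkable."""
    address = address.lower()
    if address in DIRECTORY:
        return []
    reasons = []
    domain = address.rsplit("@", 1)[-1]
    if domain not in TRUSTED_DOMAINS:
        near = [d for d in TRUSTED_DOMAINS if edit_distance(domain, d) <= 1]
        if near:
            reasons.append(f"lookalike domain {domain} resembles {near[0]}")
    wanted = normalize_name(display)
    for known_addr, known_name in DIRECTORY.items():
        if wanted == normalize_name(known_name):
            reasons.append(f"display name matches {known_addr} but address differs")
            break
    return reasons


if __name__ == "__main__":
    # Constructed inbound senders: the lookalike contact and the lookalike domain.
    for who in [("John A Smith", "john.a.smith@gmail.com"),
                ("Ana Lopez", "ana.lopez@exampple.com")]:
        print(who, classify_sender(*who))
```

Run against a real export of the address book, the check belongs at the gateway or in a daily review of newly auto-completed contacts, where a name that resolves to two addresses is the signal.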