So, hi, my name is Lara Nezoni. I'm not very good at computers. I am a team lead, lock picker, pickpocket, magician, challenge designer, and I'm really passionate about security. The thing is, I think we people sometimes work really, really hard for little results, whereas I'm more of someone who uses little tricks to great effect. So basically the trick I have today is: if it's stupid but it works, then it's not stupid. So we work really, really hard, and I'm really trying my best to find stupid ways to improve your security testing. Today we're gonna be testing several things such as physical security, social engineering tricks, and we're also dabbling a bit in defense, because people told me my talks were quite offense oriented. So I'm helping the blue team as well.

So the first thing we're gonna talk about, and I'm going super fast because we have like 20 tricks in 20 minutes: physical security, everybody's favorite. I really encourage you to try those, but there are some things you need to take into account. Have you seen one of those? Those are like basic HID PIN readers. Now, how could you attack this one? So the fancy way to do it is to buy a cover, 3D printed, that you put over it, and you over-engineer your solution until it works. Or you go the stupid way and you buy Tide. Do not eat the Tide. Simply put a little dab on each key, and Tide to Go is UV fluorescent, so like in the movies you can know what PINs they type. Well, the four characters of the PIN they typed. And it costs like one buck. It's that simple, works really well. All you need to do is to buy one Tide to Go pen. It goes really well in your red team kit. It's that simple. Why do more?

Physical intrusion. So some of you might do physical intrusion.
We're getting in, you piggybacked, and then you get into this paranoid mode: you're in this, spoiler, very large office, and in that office it's an open space, and you feel everybody's looking at you. You know, how can I get in? And of course, in such an office everybody's seeing what you're doing. So what's the next step? Well, you pre-print this amazing letter saying "reserved for tax purposes, this accountant, for the whole week, apologies", and you stick it there, and every single time somebody gets into your room you're like, "yeah, sorry, that meeting room is reserved, not my choice", and you're able to reserve a room for a week. And so we had to go to the client every day for a week. We put that on and by the fourth day they knew we were here, they said hi, and it's very, very nice. It's quite simple, but it's worth it. I'm going really fast.

Logical attacks. So the first one here: can somebody tell me what's wrong with this picture? Once, twice. All right, so you might notice my name is "Xerox printer 317". Why? Well, this is the world's easiest NAC bypass. So printers aren't really friendly with NACs, so if you can't attack the technology, attack the process. So admins are super used to having alerts saying "oh, this printer wants to connect to the NAC, should you whitelist it?" So they're super used to clicking yes. So all you got to do is call your name "Xerox printer" or "inkjet something something", and you'll see some admins will just whitelist you, and it's as simple as this. There are really advanced NAC bypasses, but changing your hostname is, I think, fairly simple.

By the same token, social engineering, a few tricks. So I don't know how familiar you guys are with social engineering, but there are ways to establish credibility or to enhance your social engineering game. And it's quite difficult.
It's nerve-wracking the first few times you do it, so I hope those tricks work. So the first one is: if you're doing social engineering in a business environment, you all have suits, but sometimes in the corporate culture people have polos, so what's the next step? How can you be even more convincing? So I got this weird hobby: I collect lanyards. And lanyards are super cheap, on eBay, on a QGG, you can buy like 10 for $1. You might notice some of your companies there, I apologize. There are several more, and basically they don't care about your card if you got the right lanyard. Like for real, who cares? So all I do is I put the lanyard in my pocket like this, nobody sees my card, and I go "hi" and I get in. It's a simple thing. Of course, if you look here at my lanyard, of course it's super shady, but if you don't care about it... My favorite ones are like auditors, because nobody wants to talk to an auditor, so it works super well. So, lanyards. I wish I had purchased one for everybody, but legal stuff. But that works really well, and people think about the suit, but stupid things like a lanyard will really go a great way.

One more thing: disarming. So that's actually quite a funny story. We were in this engagement and we had to find the username format. So I call a spoofed line number, like every social engineering thing, and the person is super suspicious. I present myself as that guy I found on LinkedIn. He's like, "are you really?" And I'm like, "yeah, I'm logging in, I have that domain name, then the little line that's tilted to the left." He's like, "the little line that's tilted to the left, what do you mean?" "Well, you know, the line."
"That's not straight." And you understand that, you see him like, "oh, that's a backslash, sir. Your account is this." So I went from being the super suspicious person to just another user who forgot his account. So as you're doing social engineering, you don't always have to use authority. Playing it dumb works really well, and the words "that little line that goes to the left" are a great convincer. Same with the way you say dots, or dash: you don't say "dash", you say "trait d'union", or like the way you say it. Think about your parents, think about your grandparents, the way they say things. That's exactly what you want to reproduce, and you'll see the awareness of the people will go way, way down. It's not difficult. You just need to think about: in what context can I disarm the people?

So those were the very few offensive tricks this time, because now we're gonna catch some pentesters, and threats sometimes. Because this talk was called "stupid purple tricks", and the reason why is because there are some offensive tricks, what is called red team, and some stupid tricks for blue teams, because we as pentesters sometimes make stupid mistakes too. Let's start with a word of warning though. If you catch pentesters, make sure you catch threats as well. You can't just say "oh, we had a pentest, we had this rule to catch a pentest from that company because we hard-coded their MAC address, we won", and then expect to be actually secure. So there are tricks to catch pentesters, and it's fine, just keep in mind that as long as you keep catching threats it's totally fine, but you can't just say "we catch pentesters, we're secure". I had to give this warning.

So let's attack tools. This one is called bettercap. bettercap is a terrible, terrible tool. For people who used it, there's one switch, that's --apocalypse, and it does man-in-the-middle, HTTP sniffing. It has everything.
That's minus minus apocalypse and it does man in the middle HTTP sniffing It has everything So I wasn't this pentest once Super secure zone where nobody should know about like this top security. There's no users usually I'm doing men in middle and I See this link So it's an HTTP link. It's a YouTube link. I Visit the loot YouTube link and I have a Rick Astley like Rick roll And I'm like who in that zone? Keep sending me Rick roll links So I go visit the sock and I'm like good job guys. You cut me right? That's amazing. Good job They're like what are you talking about? We didn't send you those and Then we start stressing a bit because that zone there should not be any users It's like a super secure zone and somebody keeps sending Rick roll links So several investigations later We find out that this link here in HTTP It's hard-coded in better cap So you will keep sending a probe Every ten minutes to that YouTube link for status reasons Now you might ask yourself wait, isn't there a better better cap called better cap and G? Yes Is that feature still there? Yes so as a sock Having a trigger on that HTTP link is a very good IOC to let you know Well, perhaps there's somebody playing with better cap. I mean that's a stupid IOC, but I'm fairly sure that works Um Partial Empire, I don't know if you all of you guys know partial Empire. It's a very very good Post exploitation exploitation tool. It's like meta-sploit or but for the last ten years. It's very very good But sometimes it's difficult to identify what's the What's the listener so how can I know if that website in my log Runs a listener and this isn't my idea It's an idea from Louis who might be in the audience, but I thought it was super smart If you look right here, you might see there's an hard-coded key Like in the in the code. It's not an option. 
You can't disable it, but there's a page called welcome.png. So with a very, very simple script, like six or seven lines, you can identify Empire listeners. All you're gonna do is: is there a welcome.png, is there an image, and does that image match this hash? And you'll find PowerShell Empire listeners like this. So it's a default, people could change it, but in the wild so far I haven't found anybody who changed that setting. So as a blue team, all you're gonna do is run those six lines of Python against all your websites if you'd like, and you'll see what the listeners are.

Same thing for Kali, Burp. In a SOC you might log your DNS requests, and I'm sure you know that Kali, every time it's booted up, makes a request to kali.org to update itself. So the moment you see a DNS request for archive.kali.org, you know there's a pentester inside, because I'm not sure I've seen any non-pentesters run Kali. There's very little business requirement to run Kali as far as I know. Same for Burp. Burp is the de facto pentesting tool for web apps. I think it's a great tool, but the moment you open it, it checks for an update. So if you see a request to portswigger.net, you know you have somebody using Burp on the inside. So those are stupid IOCs, but they're really reasonable to make, and you'll be able to catch pentesters and sometimes threats.

Now, how about attacking tools? So, for example, Burp. As I said, Burp is a really, really nice tool, but I want to know if somebody is using it, testing my website. Now, as you know, you can set up Burp in a way that all the requests are exactly the same, like it could be an exact copy of a request from Internet Explorer. So how can you tell?
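The three checks described for Empire listeners (is welcome.png there, is it an image, does it hash to the known default), as an added example that is not the speaker's script. The digest itself is not given in the talk, so KNOWN_EMPIRE_WELCOME_SHA256 is a placeholder to fill in from a known default listener; http_get is an assumed helper.

```python
"""Fingerprint PowerShell Empire HTTP listeners by their default welcome.png (added example)."""
import hashlib
import sys
import urllib.request
from typing import Callable, Optional

# The talk does not give the digest. Placeholder: compute sha256 of the bytes a known
# default Empire listener serves at /welcome.png once, and paste it here.
KNOWN_EMPIRE_WELCOME_SHA256 = "PLACEHOLDER_SHA256_OF_DEFAULT_EMPIRE_WELCOME_PNG"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # every PNG file starts with this 8-byte signature


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def http_get(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch a URL, returning None on any HTTP or network error (assumed helper)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


def classify_welcome_png(body: Optional[bytes], known_sha256: str) -> str:
    """The three checks from the talk: page exists, it is an image, the hash matches."""
    if not body:
        return "missing"        # no /welcome.png at all: not a default Empire listener
    if not body.startswith(PNG_MAGIC):
        return "not-png"        # something answered, but it is not an image
    if sha256_hex(body) == known_sha256.lower():
        return "empire"         # byte-identical to the hard-coded default image
    return "png-mismatch"       # a PNG, but the operator changed the default


def check_site(base_url: str,
               fetch: Callable[[str], Optional[bytes]] = http_get,
               known_sha256: str = KNOWN_EMPIRE_WELCOME_SHA256) -> str:
    """Probe one site; `fetch` is injectable so the logic can be exercised offline."""
    return classify_welcome_png(fetch(base_url.rstrip("/") + "/welcome.png"), known_sha256)


if __name__ == "__main__":
    # Usage: python empire_check.py https://host1 https://host2 ...
    for site in sys.argv[1:]:
        print(f"{site}: {check_site(site)}")
```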
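The stupid IOCs from the bettercap story and the Kali and Burp update checks, run over a few constructed DNS and proxy log lines, as an added example rather than anything from the talk. The log format is invented, and because the talk names the hosts but not bettercap's exact hard-coded URL, that path is a placeholder; the periodicity check goes one step beyond the talk by using the stated ten-minute probe interval to tell the tool apart from a user who watched one video.

```python
"""Flag the tool IOCs from the talk in DNS and proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real logs: "<ISO timestamp> <dns|http> <client> <detail>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 dns 10.0.5.12 archive.kali.org
2024-01-01T10:00:07 dns 10.0.5.12 portswigger.net
2024-01-01T10:10:00 http 10.0.9.3 GET http://www.youtube.com/BETTERCAP_PROBE_PLACEHOLDER
2024-01-01T10:20:03 http 10.0.9.3 GET http://www.youtube.com/BETTERCAP_PROBE_PLACEHOLDER
2024-01-01T10:29:58 http 10.0.9.3 GET http://www.youtube.com/BETTERCAP_PROBE_PLACEHOLDER
2024-01-01T10:31:00 dns 10.0.7.7 www.example.com
2024-01-01T10:32:00 http 10.0.7.7 GET http://www.youtube.com/watch?v=constructed
"""

# Placeholder path: replace with the hard-coded link taken from the bettercap source.
RULES = {
    "kali-update-check": ("dns", re.compile(r"(^|\.)kali\.org$")),
    "burp-update-check": ("dns", re.compile(r"(^|\.)portswigger\.net$")),
    "bettercap-probe": ("http", re.compile(r"^GET http://www\.youtube\.com/BETTERCAP_PROBE_PLACEHOLDER$")),
}
LINE_RE = re.compile(r"^(\S+) (dns|http) (\S+) (.+)$")

def scan(log_text: str) -> list:
    """Return [(rule, client, timestamp)] for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the scan
        ts, kind, client, detail = m.groups()
        for rule, (want_kind, pattern) in RULES.items():
            if kind == want_kind and pattern.search(detail):
                hits.append((rule, client, datetime.fromisoformat(ts)))
    return hits

def periodic_sources(hits, rule, period_s=600, slack_s=30, min_hits=3) -> list:
    """Clients whose hits for `rule` recur every ~period_s (bettercap: every ten minutes)."""
    stamps_by_client = defaultdict(list)
    for r, client, ts in hits:
        if r == rule:
            stamps_by_client[client].append(ts)
    beaconing = []
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(abs(g - period_s) <= slack_s for g in gaps):
            beaconing.append(client)
    return sorted(beaconing)
```

Running scan(SAMPLE_LOG) flags the Kali and Burp DNS lookups from 10.0.5.12 and the three probes from 10.0.9.3, and periodic_sources(hits, "bettercap-probe") names only 10.0.9.3, since 10.0.7.7's single video view neither matches the probe URL nor repeats.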
Well, the thing is, Burp listens on http://burp on every single port by default. So all you have to do, it's very simple: you have a script that all it does is try to load http://burp on three random ports, say 1234, 8089 and 5501, and if those three pages load, then you know Burp is open. It's that simple. So on this gif, sorry, on this gif, all you see is: I visit the website first without Burp and I have this "Burp testing" page, and all I do is I change it to have Burp listen, I click on the same link, and if it works, of course, "Burp detected". So it's a super, super simple script, and I have the sources, it doesn't show here because of the resolution, it's on the page. It's a super simple script, like six lines of HTML. Well, I told you how to do it: you check if those iframes load, if they do, success, and that's it.

By the same idea, and this isn't... well, I felt I was the first to discover it until I read this great blog by Givoise, I think he's French, right? So if he's here, congrats. Basically, you can lie to Burp. You can have a web page as a polyglot that, if you look at it in Burp, has a different behavior than if you look at it in a browser, and that's because of the way meta tags are prioritized. So in a web page you have a header saying "this is encoded using this", whereas there's a meta tag that could tell the same thing. Now, usually browsers will prioritize the header over the meta HTML tag, but Burp does it the other way around. So that's what it looks like when you're opening your file in Burp. So it's super simple, but most people, when they get this, don't understand why. It could be some form of security. Is it foolproof? No. Will it block script kiddies that take most of your website?
Yeah, perhaps. But as I'm talking, I talked about vaccinating hosts. So most commodity malware, they check for the presence of a debugger. They check if there's something, like using FindWindow: is there a debugger that's debugging me? And if there is, it exits, saying "I'm being debugged, this is bad". How can I lie to my system and make it look like there's a debugger present? Now, I am sure there are super fancy ways. My favorite is using calc. So you might know calc.exe as being the most favorite hacking tool of everybody. If you go to REcon or conferences, when you see calc, you're happy. It's basically the same thing. So you take calc.exe, you copy it and you call it debug.exe. That's the first difficult step. The second step: using PowerShell you can start it, you can start it at startup, and hidden. The reason why is because you don't want to have a user who keeps deleting or closing it. And voilà. Most commodity malware will just exit because you have a debug.exe process running, and that's it. Thanks, calc, and you're set. So of course, do please run an antivirus, and I'm not saying it's foolproof, I'm saying it's helpful. So please don't quote me saying this was the revolution. It just sometimes works, and it's super stupid.

And that's it, like, stupid tricks. You have any questions for stupid purple team tricks? No? All right. Well, that's already 22 minutes. So thank you very much and have a nice day.