Tom here from Orange Systems, and I am joined by Jason Slagle and Matt Lee. How are you guys doing? Good. How about you? I'm good. So this is a talk we did at CompTIA recently. So for those of you that were in person, that was kind of impromptu because things lined up, but we had a lot of fun with it. And we want to talk about how hacks actually happen. Not some of the things, we're not marketing people by the way, none of us are. So we're just going to talk about the experiences we have, cumulatively working in the market, what we've seen happen. And of course, give you a lot of tools to try yourself and poke at the network. So like, do try this at home where you own the network and are allowed to do this. That's important. Don't play a game and spear-phish your friends. That's not necessarily what we're aiming at here, unless you have their prior authorization. But we want to talk about how companies, how IT companies, especially our big targets, we see this in the news constantly. I don't think you can go any length of time without seeing another target attack because we hold the keys to many kingdoms. Therefore, we have giant targets part of our back. We cumulatively is people who all work in the MSP and IT space. Now, I do have links to Jason and Matt and a lot of the different social media and posts that they do. But first, I want to mention they have a charity going on. I'll let Matt tell me about that one. Yeah. So, you know, about four years ago or so, my VP of operations asked me what it would take to shave my beard. Now, he happened to have caught me quite flush with cash and not in need of anything in dire emergency at the time. And I basically said, you know, there's a number, but you don't have it. He then postulated that, you know, would you do it for charity? And I said, man, you got me where my heart is. Yeah, I would. So I buried it for three years, naturally, and got away with it. 
And then Carrie Ritchardson and Ian came up with the idea to ask if I would shave my beard for charity as an event and to try to drive some of their vision of how marketing could be done in some ways. And I said, you know what? I am in 100 percent. How would I say no? And so we set a hundred thousand dollar goal, of which we're at twenty six thousand something of it, with people kind of waiting in the wings of what this event will be to donate the tens and 20s of thousands of dollars from different corporations. But the intention is I wanted to find startup charities that were serving the need around, you know, the cyber community. And so I picked Bits and Bytes, which teaches eighth grade kind of education around cyber. I chose Diversity Cyber Council, which is a gentleman and his friends that are ex-military that are giving back to underserved youth and populace in the greater Atlanta metro area. And then Women Who Code, which is around the globe, putting out content to educate and empower women around STEM and coding and things like that in the professional career space. And Bike Walk Wichita, which is actually just a personal charity of mine. I was on the board for several years and not any longer. And then the other one that I am on the board of, which is The Haunted Hacker, Mike Jones has put together a hackers for vets charity that's a startup where they're going to ask for scholarships for people with, you know, successful exit DD-214s that are looking to be in the cyber community. And really, it's going to be nonspecific of how can I help you? How can I drive you forward? So yeah, we're shaving our beard for charity for those five charities. Shaving a beard, and not just Matt, there's actually numerous people participating. The links will be down there. Jason's on there too. Who's I don't know if I can point the right direction. I'm trying. Yeah. Yeah. Yeah. Yeah, we're going to help these guys see their chin. 
If the charity hits the goals, these guys are going to, we're going to find out what their chins look like because they're not sure either. It's been a minute. It's been a minute, about 18 months. I think if we hit a certain amount, somebody is going to turn the beards into a wig and wear it around for the week, not Ian. It is, I'm going to hold them to it. That's why, yeah, we're recording this in August of 2022. The charity is running until, is it November of, yeah, that's November this year. If not, it'll be November next year. We will make the goal. This will happen again. So if you're watching this past November 2022, this will still be going on. So as I see links of that information will be kept up to date down below. Now, let's get into the meat of this. And that's what people are really here for is how would I hack you? Let me quickly define you, though, as it's going to be narrowed in scope a little bit. You may be an individual if you're a very high value target. It's not as likely that a personal general home user be targeted using these attacks, not that it's impossible, just less common. The real common people we want to focus on for audiences are people who own or work at IT MSP businesses, people who maybe are a group or a team at a large corporation of IT professionals, because they kind of work as almost an independent unit, but attacking those people and leveraging sometimes people to get in. It's going to be a lot of the audience we're pointing at here. And as I said, we're going to be leaving links to all these tools and everything else so you can kind of walk through the methodical process that the threat actors do when they choose a target. Yeah. Yeah. And you can also be defined typically as people with infrastructure that's exposed, you know, but also people that are high value targets in a force multiplier perspective. Yes. 
If we can attack an MSP, then I can now attack hundreds of companies because of that position of trust, and something we might touch on as we go through this conversation. Yes. I think we're going to start with the external recon part of this. Do you have some tabs to share with us, Jason, with some DNS Dumpster? Yeah, we're going to. So we kind of decided we were going to pick on NetStandard, and I hate the word pick on, but they were an MSP. Use as a teaching tool from the information. You can be serving as an example because they had a lot of exposed stuff there in the news for a recent breach that seems to be rather large. We don't know the details. Alleged breach? Alleged breach? Alleged. Incident. We'll start with there. You don't say the B word. Yeah. So, you know, we were kind of postulating as we developed this talk for ChannelCon. First, our kind of thought was that we were going to try to find some MSP in the room to pick on them or to show them, and we decided that that was probably not a great idea. So we decided to pivot a little bit and look at a breach or an incident that is in progress. And we've all heard about it, it's been in the news, and kind of formulate how, if we were the threat actors, we might have approached it. So from a, I'm going to share my screen here, theory. Now to find where Jason lands, we've probably found an IP address or maybe a name of an MSP or something in some overall network scanning. They probably triggered us to this. So this won't be as specifically targeted in the beginning. But it would start probably just as me stumbling on you as I'm running large swaths of the internet for a certain particular. Yeah, you start poking on Shodan and looking for exposed ESXi infrastructure. And we know that's something that these people have. 
We know that there was a message in the initial access broker forums for them going through and figuring out going, Hey, this is, you know, a company that we have a potential breach for to be able to. Yeah, well, and it was really interesting because you bring up a good point, Tom, in this, the Johnny foreshadowing to this event, we knew that there was this access broker saying, and maybe not even really a good access broker, just someone that stumbled on something and said, Hey, I have this. I don't have malware to attack it. It's lots of VMware servers. Can somebody go in halvsies with me? Right? Like, like legitimately, you guys want to split this up? And he or she put down Bitcoin, half a Bitcoin, which is about $13,000, $12,000, to prove that they had some legitimacy in financial backing. So yeah, interesting part of that story. Go ahead and zoom that in, Jason. I actually shared the whole window. So what we have here is we have a tool, it's called crt.sh, right? And since roughly 2007 ish, I think maybe 2008, every certificate that's been issued is part of essentially a public record, right? So if an SSL certificate is issued, we can look at that chain of issued certs. And it's public record, we can look through it. So one of the first things that I typically do when I'm investigating a domain is like, let's see what subdomains we can actually discover, or what other things they're hiding under their SSL certs, right? So without having to brute force it, right? Without having to do any of that kind of enumeration, we're looking at, because you issued a cert, you probably wanted to protect it. And as a result, I'm going to know where to attack it in a lot of cases. So of note here, this doesn't really reveal a ton. A scan is kind of interesting. I don't know what that is. And I didn't really look at it. But like go and info, I assume, and get marketing. 
I mean, those are all marketing domains. I mean, everyone has those, or if you're bigger and you're sending email out as various things, these are probably just email domains. But most of their actual infrastructure is actually hidden behind a wildcard cert. And so essentially, it's invisible to me as far as from certificate standards, right? I can't really identify a lot here. And this is actually somewhat unusual, because I find certificates to be a really useful way in many cases. And here's the opposite side. Yeah, yeah, it's much shorter on this. And you know, there's certificates, but yeah, they're all... Where else can we get this kind of information, Jason? So if users are enumerating this in a normal day to day basis, how can we get that data if we can't find it in a cert dump? Well, I can use a tool such as DNS Dumpster, and I'll zoom that guy in here. So DNS Dumpster aggregates. It's a service of, oh, I forget, it's at the bottom of the page here, we'll scroll all the way down. It's a DNS service of HackerTarget. That's it. Okay, so it's a free service, by the way. It's a free service. And basically, you can put any domain name in there and it will show you all of the A records it's able to find via a bunch of other services that it basically aggregates. It's also not doing a brute-force attack. But when we go into here, suddenly the world gets a lot more interesting. Yes, we see some firewalls here, right? If I can make one point out first off, yeah, using public DNS records, naming the target and its juiciness by its first seven characters is wonderful, is probably not an OPSEC move that... Oh, no, no, no, wonderful. We're pertaining to the attackers. So it's great. From the other side. No, no, you revealed. I mean, come on, ESX. I know what that is on there. Yeah, yeah. 
In putting all of your infrastructure that traditionally for me would have been private, and sure, yeah, like the service console interface of an ESX host, like that would, I would never even occur to me that that would be a thing that I would ever put on a public IP. And to their credit, maybe they had ACLs on the public IPs, maybe they had things that were meant to take that very public infrastructure and create it as somewhat of a private win. And stylistically, and potentially through my experience, I would never do that either. Even in that case, I would route a private network or route a VPN level network of some sort over IPsec. But yeah, I mean, for some of our infrastructure, we have internal domains for some of it, we have, like, basically, we'll use dot something dot cnwr.com or it's a lot of it. Domains that are private IPs, right? Like you can still do that as a method of delivering that DNS, right? Yeah. But of note here, a couple of things that immediately stood out to me, we have a VCSA here. So if you're not familiar, VCSA is VMware's vCenter Server Appliance, right? And vCenter is the like management layer that manages the ESXi hosts. So we have a lab one exposed to the internet, we scroll down, we can always start with the lab as the threat actor. Yeah, they don't discover it as quickly, right? Because the theory would be the lab side would not maybe have as quick of a rubber band effect on us. 100%. And I mean, this is all in the same slash 16 here, right? So like in theory, it can all talk to each other. Right? So I pop the lab and see where I can move laterally. Here's their main vCenter. This guy here, this Wi-Fi controller is actually a UniFi controller. I did look, it is patched for log4j. Yeah. So at least they got that going for them. Yeah. 
And then of note, when we were digging through this the other day, one of the things we found was connect, and it's up here a little bit, but we popped connect into Shodan. So Shodan's another tool, shodan.io. If you keep your eye out, so Shodan, you get very limited. Is that an eye joke, Jason? You know, I only have one eye here. You're gonna say keep your eye out. Yeah. Right? It's not nice. It hurts my heart, bro. Sorry, sorry, bro. If you look, you can find sales. They run them what, twice a year ish. So you can get basically unlimited. It's limited access for life, right? So you don't get access to everything, but you get access to more searches, more API, five bucks, usually 10 bucks, five or $10, and they usually run a Black Friday special. And they run some type of spring sale as well. Yeah, but it's great because it gets you that extra layer you're looking for and you can use the API commands from the command line. You load it up in Linux. It just makes it handy because you can start dropping in IP addresses. You can script your recon essentially. Plus still it and by the way, for that small amount of money, they offer monitoring. You can monitor your own things to see if you show up in Shodan for that. It's really inexpensive. It's really low hanging fruit, and their pricing, they have a basic beginner pricing now too if you don't buy it on sale. So you can kind of start using this right away without having to wait till a Black Friday special. But yeah, there's a lot of good stuff. It's expensive. The ability to search for like vulnerabilities and stuff gets a little pricier. Yeah. But I mean, I haven't found a need for it. When I have found it, I have enough friends in the industry that I can usually get somebody that's paying for it to run the query I need. So but here we actually, so when we were talking about this last week, I surmised that I thought this was ScreenConnect. Yeah. It was not. 
And so we poked at it and it turns out it's actually RD Web. I don't know. And it's in the same slash 16 too, right? So theoretically, based on segmentation, we might have full access. Yeah. All of this stuff is in the same slash 16. So here in this instance, we have RD Web exposed to the world. So we can go look at vCenter. And if you're doing enumeration like this, it's very helpful to think, what should I be documenting? What should I be writing down? And that's what the threat actors are doing here is they're going, Okay, we found a VCSA. All right, we found maybe an RD Web. And then the next step, you know, after you go through Shodan and find what's exposed and see if you can determine a little more about that service, right? I saw it was an IIS 10, which meant it was probably on, you know, a newer server iteration. You know, you can learn a little bit about that so that you can then take those and map them to vulnerabilities. So when you were showing the class, you also brought us to a way to look through a lot of those vulnerabilities, Jason. Oh, yeah, yeah, yeah. Okay. Yep. That is 100%. Exploit-DB. Yeah. Yeah. So, actually to your point, you know, when I'm doing this, it is an engagement. So let's say I'm doing a pentest or external vulnerability assessment for a client. I usually have a OneNote notebook running where it's like I'm just brain dumping stuff I find, right? I like mind maps myself. Yeah. That's my method. I'm starting to get there. I haven't quite gotten there yet, but it's like I don't, otherwise, I'm very squirrel. It's like I'll go up on an agent and it's like I have to, it's like, if I write it down, then I can come back to it later. Yeah. Ooh, shiny object. Ooh, shiny object. Yeah. 100%. And there's a lot you can find here, and what you start looking for is as you find these, and this is still very passive. We're looking at Shodan. 
I think Shodan did enumerate their UniFi controller, but UniFi makes it easy because they'll tell you the version. That's how Jason knew right away it was patched for log4j, because right in the page it gives up is the version. Lots of software does that, and then the next thing you do is you head over to the exploit, you're going to start looking at, all right, what is exploitable on this particular version? Yeah, which if I was giving any advice to a vendor that creates 8.43. Yeah. Yeah, that creates this stuff, I would say, hey, don't put right in your Ajax response on the front page your version so I can determine instantly whether I attack you. I talked about this at the speech we gave. I did a research project, Tom, in a bunch of the major cities in the United States and I pulled up UniFi controllers from Shodan, and I went and looked at the page because right there in the middle, if you see a new UniFi, you see 6.5.54, which is not one of the subject vulnerable versions, but you could go look for those versions manually. So what I did was I just got a giant Excel sheet and I just put out every city, the top 100 I looked at, were they vulnerable or were they not vulnerable, right? And in addition to that, threat actors will chain small vulnerabilities, right? So you get a tiny vulnerability like log4j that gives me access to the UniFi user. Yeah, tiny, fair, touché. Sorry, I apologize for the PTSD out there, that's on me. But this massive vulnerability log4j, but it is limited to the user scope and so I now didn't have very much I could do. I can mess around with the UniFi database, maybe I take out some networks, I could do some things like that, but I couldn't really do anything to monetize what I was doing. 
I wanted to land, pivot, and expand and so I needed to gain privileged access, and right at the same time, and also included in the same version, you had PwnKit, which was a Polkit vulnerability in Linux that was just massive again, but it did give escalation capabilities, and I was able to use a string of log4j and PwnKit to demonstrate that I could script my way through 5,000 of these vulnerable controllers. And I'll ask you guys if you remember the stat, what percentage was the overall of the entire country of the United States as I got done with these major cities, what percentage were vulnerable? Two months after log4j. You said it was between 60 and 70 if I recall. It's massive. Yeah, it was 60 to 70 percent. Some geos were like way better, and I will say there's a hosting platform out there, HostiFi, that I did not find a single one of their controllers to be vulnerable. My friend Riley was very on top of it. Yeah, bro, it was a hundo pee. I could not do anything. I mean, I did not enumerate his network, I just want to state that legally here, but he did a good job. He spends a lot of time thinking about these things. He's extremely engaged with the cybersecurity side of it. If you go back over to the UniFi Network, one thing I've noticed here, and this is important to Matt Lee's point, see they're running 6.5.54, it is patched for log4j, but that's still an old version. That means they're doing the minimal. They're on the 7s now. Yeah. Yeah, you may not want 7, but yes. I'm running 7 at home and it hasn't failed me, but you're right. Yeah. There are definitely things to consider referring to a major version upgrade with that. Yeah, for sure. Well, let's bring it back though, because we're now in this phase where we've enumerated some surface area. We're looking for vulnerability. So what are you using here, Jason? I think this looks like a search platform where you can just type in what you found. Yeah, so this is Exploit Database. 
If you happen to have a Kali box, you can use searchsploit to basically search like a local copy of it that gets installed, and this is like a shopping cart. It's like Amazon for exploits. Yeah. So you can basically just type in a product name and if there's a PoC for it or an exploit, you can usually find it. And we can see here, you know, we have a VMware 7 RCE. This one's a little older, from 2021, right? So, but if they weren't patched, then here's this random Python 2, because one thing I've noticed about threat actors and people that write these like PoCs, they just don't like Python 3 for some reason. I know. I know. And what's bad is, just to admit my own stupidity, I can't tell you how many times I've banged on the keyboard against failure after failure for certain dependencies. Not realizing, oh, I had to do a switch back to Python 2 and I'd be fine. Yeah. Like I'm just stupid. What I want to highlight about this is there's plenty of places listing CVEs and known problems, but this is so much more fun because this is the exploit itself. It's here's the Python. Here's the code. You can just download and grab it. And this is how easy it's become to start building it. People think, and not to discount it, that there is some hard work involved in being a ransomware operator, but this is making it easier for them, like, oh, we'll just grab this. It's not, when people say why don't they shut down something like this because it's making it easier, but the other side of it is it's making it easier for red teams to do their job and expose and go, look, this is how you would do this. It also allows you, the owner of this network, to say, I wonder if this is really vulnerable or what would happen. So you can actually use these tools to, well, point them at yourself, start doing your own security testing. The reality is, even if someone didn't make this fancy website, they were doing it before this fancy website existed. This would just exist. 
It would just be an onion link, right? Like so, like it doesn't really, the barrier of entry of hiding it or making it public. That's nothing, right? Like even without this, if you go search a vulnerability or a CVE, I can go find a PoC on GitHub a thousand times faster. We can do that right now. We can do CVE that and then just do PoC, right there we go. There you go. Right there. It's going to be findable. It's not hard, gents and ladies that are watching this right now. It's actually somewhat interesting because as we were developing this talk, you know, we kind of went through, and this is kind of my thing that I'll do. There's more that I would potentially do here. But you know, I would start by seeing what public stuff is attackable. If they were local and I really, really, really wanted to get them, I know now their provider from over here in DNS Dumpster. I know that this is LightEdge. Yep. You know, it's time for a clipboard. 100% or a call, right? It's, you know, I had a provider the other day, there was somebody I was poking at or looking at the other day, right? And I could see they were on Spectrum. So, you know, I'll call up potentially, I'll call up their receptionist and say, hey, I need to patch your cable modem against that new a risk bug that's been in the news, right? So like, hey, can you get me remote access to this PC so I can do it, right? And then maybe give her a ScreenConnect link or something like that to get in. I would approach the least technical person I could to do that, right? A little bit of social engineering there. And they're in with this information, there's just so much you can do. And now that we're kind of going out of the identity social, social piece of this, I think I'm going to hand it over to Mr. Lee here for a bit. Yeah. Yeah, yeah. Let's see if I'm capable of creating a screen share. There's been, you know, larger things that have whooped me today. So we're going to go with it. 
But I'm going to go with this screen over here. I'm going to do the whole screen because I'm living, living large. You know, one of the things Jason said is, you know, we taught we would attack the infrastructure, would start with what we have from an infrastructure perspective. And I like that because now you're starting to know what assets are out there. I wanted to bring up a couple pieces. Tom had kind of turned me onto this, but if you're wondering how do you get started on some of this, there's some really good guides out there around what do you do next, right? Right now we're kind of in the recon and enumeration space from that perspective, but it walks you through a lot of this. But the point I was going to make was Jason focuses very infrastructurally. I believe that we're in this bit of a schism, Tom and Jason, already in our world where we have a legacy infrastructural vision of the world and an identity centric vision. As extensibility starts to become single sign-on, SaaS consumption, now attacking the identity is the same as what would have been attacking the network in the past, right? Because if I get to that privileged user, or user that has access to those accounting files or access, then I have ubiquitous access to those identities. So I would probably attack you from an identity centrism type approach. And I would probably focus on those single sign-on tokens. So the first one I want to talk about is Microsoft came out with the release saying that 10,000 organizations since September 2021 had been hit from an AiTM, which is just their rewording of man in the middle now as an adversary in the middle or attacker in the middle, depending on the way you have read it before. But essentially it's saying, Hey, I'm going to take your passwords like I usually did, but I'm also going to go ahead and steal the very essence of the identity centric world, which is a token. 
Once I have that cookie, which we all know cookies, that cookie is a token that's a cryptographically signed identity and group membership package, if you will, depending on whether it's, you know, SAML gets into a whole different conversation, but focusing on OAuth or OIDC. I want to steal that token, and so Microsoft says, Hey, listen, there's tons of people that have done this and also it gets by MFA, right? As a threat actor I stand up a, zoom that in a little bit, Matt, let's focus on a little piece right there. As a threat actor I spin up a redirector, essentially a middleware server that's running an emulator that basically takes what you're seeing and then re-encapsulates it and transmits it off to Microsoft and brings it back. So as the attacker I send a phishing email to you, if you go from this red guy over to the right. I have a redirector page, so I bought Microsoft-online-offline.com and I owned it for all of like seven minutes when I was doing my tests; as soon as it saw a certain Let's Encrypt it was gone, they did a domain seizure back. Yeah, touché. And then there's a man in the middle or an adversary in the middle phishing page, and that page has a cert. I can spin up that cert through Let's Encrypt for free, doesn't even cost me anything, right. I can probably get the domain name for free. The first time I did this I was getting it from those free domain pools, but Microsoft's faster to take those back. And then I have somebody land on that page. Now to the user they're seeing a visual of a green check, a lock in the top corner, it's beautifully encrypted, everything's fine, but it's taking over and sending that back and forth session to Microsoft. So the credential is compromised. I actually take that after it's wrapped up from Microsoft. 
Now depending on how you have that setting set, I can take that token portably and bring it into another Google browser and be you, and that's what I mean by I don't care about the network, because I'm going to land in the network vis-a-vis being you, right. I mean, depending on how the architecture is set up, right, but in this case they go on to use it as a business email compromise. I would start looking through your email trying to find out what core systems you have, what password resets you've done. From things, I would be having filters and word searches to go through that and find the right stuff and find your LabTech instance, your ScreenConnect location, and then I would start to use that identity to extend or break in and have capability: set up forwarding rules for password resets, make it so that I can get those password resets and become you. But then that's loud, right? The method Jason's making is a little less loud in the sense that he's coming in in a trusted system and becoming some trusted process inside those systems, if you will, right, that's running and gaining. I'm trying to say, as long as I can trick or get past the one user, I can get in as that user and elicit my behavior. So these AiTMs are very, very valuable for that purpose, and a lot of people mistakenly think, and this is where the cat and mouse came, now Microsoft is, and the chuckle is because both these gentlemen have registered domains to see how fast Microsoft will take them back down. It's really quick. We've wasted a few dollars on domains. 24 hours, about 24 hours. So, but that also, it's a really interesting problem, because if you're a target and it's worth it, domains are cheap, and if I can get this to happen in a small window, the fact that this gets spun up so fast happens on a domain that was not previously known by any web filtering tools or anything like that, this is how a lot of these are bypassed. Everyone thinks, oh, my web filter, my AV, my firewall with a 
beautiful block list that's real time updated from the firewall vendor will just stop all of these, and these aren't things I have to worry about, but unfortunately that's just not the truth. And Tom, I have 30 or 40 domains that I've let bake in, that I've set up with legitimate pages that I've set up and let run, that I own, that I just keep as these clean room domains, right? Like, and it wouldn't be hard to do that as an ongoing systemic basis, have 50 domains in reserve so you can always get one through a filter. Go register it as positives, make the exceptions on filters like FortiGate and the big ones that are the big five, and so yeah, that's not hard to do, right, to get through those AV systems. Exactly. So, well, back when we did a lot of WordPress work, I would run into people who couldn't figure out why they were just getting an immense amount of traffic, and I'd find a subdomain of their WordPress, because they took an established domain, popped it from an un-updated WordPress, installed something that would collect all these, so you already have a trust of domain. One of them was a printing company, like they're just, right, you know, very generic, and had been established for years without an update, so it passes all the muster of your usual filters. Yeah, they're a local print operating company, nothing about them looks suspicious, but there is a subdomain that seems to look exactly like a Microsoft login. Yeah, yeah, exactly. The average user may not notice that, right? I was just going to say that, like, in many cases, because you use 365 SSO to sign into so many things, like, do you validate that you actually land on a Microsoft.com URL every time you do that? Because I mean, I do sometimes, right. That's a great point, though, Jason. So how can people protect themselves? I like to give some pragmatic things around this. How can you protect yourself? 
If you look at your Microsoft conditional access space you can and hopefully you're using conditional access when Jason and I asked this question in the presentation we had like three people raise their hand which was horrifying to me like out of 25 it was quite horrifying yeah yeah or something like that at an at a comtea conference of MSP and IT business owners yeah not a general public conference here but if you're using CA there is a persistence setting that will say if this token is moved in some way if fingerprint changes of the underlying browser don't let it be used which almost helps protect against this in a lot of ways because now I have to attack you during the session right I have to harvest data while the sessions there as I'm ITM and stealing data that way that's a very limited window compared to owning you so that's the first one the second one would be set session timeouts so even if you do have something say hey I think the defaults like nine months or six months six months six hundred eighty days and so take that default down my text had to reauthenticate every week but if you're signing in Azure Active Directory doesn't matter it's automatically done by your TPM but if you have the session token set really low you can set them even lower for more advanced things right our RIT glue is daily like yeah like that like you can't I think it's eight hours so that's this can't be understated right I've been on kind of my soapbox here about this for a little bit because everyone's pushing SSO is the solution to all these problems this bypasses the NFA and takes SSO to a horrible level the problem is is that the default out of the box settings I would argue potentially less secure if a token is stolen well a hundred percent less secure if a token is stolen then if you're then having separate passwords right yep oh yeah and and more importantly if you're running business basic or business standard you actually can't make them more secure you have to be up 
at the business premium because you need Azure ADP1 to be able to set any of this stuff yeah me saying that nor pex eight I just want to make sure it didn't seem like a shameless plug but yes business premium for sure the other piece I want to show though is if this is the attack and this is how I would get in and and I've talked about how to defend yourself I want to show you how easy it is to do evil jinx or even genics yeah evil jinx or evil genics is a platform that is made in 2017 which uses a custom version of in genics which is most people's proxy in a lot of cases right the web application firewalls things like that run in genics in a lot of ways and so or in genics am I being I call it I call it in genics I apologize for being stupid it's okay I'm weird I'm sorry more than I listen HTTP server to provide man in the middle or AITM functionality to act as a proxy between a browser and a fish website which means I don't even have to be very good at what I do I'm a script kitty right for me to stand this up and get my firewall port set and get the domain name set it's pretty reasonably easy to use I don't know if I'd describe it as extremely it's pretty reasonably easy to use now we'll say there's a current bug with this the author only gives us out in private now K Gretzky but their token harvesting methodology is broken because Microsoft updated their schema and the current schema and this has not been fixed there's some community out there that have fixed it but in general it's not going to grab a token today unless you've already reached out to the author yeah anyways unless you've already reached out and gotten that a parsed code difference that doesn't seem like they're gonna update but the point is what it does it makes this little site you direct people to it with that phishing email we talked about and if you notice here in this section that's blurred out a little bit that's the remote IP of who signed into your attack what the fishlet was which was 
Google in this case what the password was and what the remote IP and what time of the actual stealing that and then if you zoom in you'll get the token as well but and zoom in I mean like type in ID-19 as you're in that system and bring up that that that session this is linked in below so you can look at the GitHub and I have a video of me demonstrating that that we can link and that will be linked down below as well but if you look four years ago so I mean this has been around since 2015 that's five years at least best I can calculate this so for Microsoft to be releasing hey people are under attack now I just want you to know how endemic the identity attack is and how easy it is for me to do it's really really simple somebody somebody publicly mentioned it so they finally had to admit it existed as basically yeah landed yeah that's another advantage these tools have because sometimes Microsoft I think the Microsoft will not fix list is in our links somewhere oh no yeah Microsoft most of them are fixed now for what it's worth but yes but it took someone making a public list of Microsoft will not fix these problems it takes almost people like us just displaying it getting awareness out there that these flaws exist for Microsoft goes fine I guess we'll do something about it like I actually got hung by my own patards on this one one time Tom so I found a vulnerability when you when you joined Azure Active Directory as a secondary measure without administrative rights like let's say you open Outlook and there's a requirement for ma'am or Outlook and there's a requirement for for that it brings your device into that ma'am management but it doesn't give you mem management it doesn't give you the ability to like run scripts and things like that supposedly what I was able to find is if I took that shadow device and put it in a group with a script in mem it would execute that script whatever it was under privilege and so I was able to do privests I actually had an MSP that 
took over a client and they were like hey I can't get access they won't give us the admin creds we need to take all these systems and move them over and I was like I have a theory try this and they didn't it worked and I was horrified right so they were able to gain access and privilege to every single machine and put an admin account in so they could do what they needed to do but the point was Microsoft I worked at two paths I submitted a bug bounty and I was like man I'm gonna get my first bug bounty with Microsoft this is awesome but I also talked to a lot of my insider people from the stuff that I do in advisory they fixed it and when the bug bounty finally looked at it they said you aren't qualified because we already fixed it in a production release yes this is possible we fixed it and I was like but how is the production release you sorry bastards anyways but but joking aside I would attack the identity and I would use something like a AITM methodology then the next way though that's that could be attacked is a little bit even scarier because this is something that I don't have a lot of great answers for and I'd love your advice but FBI warns that deep fakes might be used in remote job interviews if you have a decent you know PC like maybe what Jason's talking about for his new for his new production machine that he's building but if you have a decent machine you can run software to take your live webcam and overwrite that with a hundred percent of a pretty I mean really good I played around with it for three or four hours and got some really good ability to do that with a clean green screen a lot of good information but the deep fake software is not hard to run and they're saying listen I could call up Tom and say hey Tom you've got this open position at your MSP my name is Jason Slagle I think we've met before we joked around right probably that one wouldn't be great just because of the deep personal relationship but if I was calling any other MSP right 
yeah let's talk about remote hiring and this is where it gets really scary because and we'll throw this out there for my friend Riley at Hostify and shared some links with him about this because he's not met as employees and yeah think about that he's built a large company and he had posted today they they reached a new they've got several 2200 mostly MSP signed up using his stuff he's got over 400,000 devices under management at Hostify but he hasn't met as employees that help operate all this directly and they live globally and this came up and I think Jason may know what I'm talking about here there was a private chat in a vendor group we had where someone had cloned and faked as if they worked a bunch of projects and GitHub and it was only through the suspiciousness of it they actually built a clever resume if I'm not mistaken the way they faked their GitHub essentially was a cloned different history through other people but the hiring person said I'm really suspicious of this person because they seem to be really smart at a very young age and have contributed immensely to all these things and they were able to back date a bunch of stuff combine that with deep fakes you can build quite the profile to be a great remote hire candidate that checks a lot of boxes you participate in GitHub you seem to have a presence because they were able to exploit a way that lets you back date comments yeah I know you have to yeah they just rewrote the history so that they were the committer yeah yeah so it looks like they did all these commits it's a lot of cleverness and it's hard to decipher as a hiring manager especially we're talking like our technical skill level didn't make it obvious to look at that we were able to repress our smell tests and we're cyber security people too you know what I mean this is yeah what do you feel Jason how would what would you picked up on it easily or all right so we typically we'll do some amount of a combination of in-person questions and 
and some test stuff and I would have assumed that the person would have failed one of those two yeah but it's definitely a problem because especially you know you don't even have to deep fake the way Matt's saying you could just say you're in a location with with the internet's not good enough to do video yeah right like and then you just have to do audio at that point yeah so that would be the other other method I would do it right and I would probably try to fake somebody that that doesn't have a lot of connection in that space but has the direct real creds right behind it that someone's going to see so but that is just a kind of out there method but we're starting to see it and if the FBI's warning of it then you probably already have some use of it in the wild if you will right beyond beyond just a summation of an idea the other the other piece I wanted to touch on that I would probably use to attack you is identity of your of your your tenant less so than your human maybe potentially and the way I would try to accomplish that this was actually from 2018 a very long time ago but a poison peer to peer app kicked off dofoil coin minor outbreak right and it's talking about that but if you think about enterprise applications in the same vein Microsoft enterprise applications like if you go into app registrations or enterprise applications in a ad dot portal dot azure dot com those enterprise applications have certain privilege they have certain rights right and I can ask for those certain privileges and rights as I ask for them and so what I can do is start with the user if I don't have a partner center ID which I could easily go get but if I don't have a partner center ID I can't run signed code I can't run something that some approved but I can get your user like Calendly for example can let you sign in you get your user details your user calendar details your user email details those kind of things and that can be done at a user per user level by default 
Microsoft so what I can do is I can create an enterprise app and I have one I couldn't get access to it because the law of demos I couldn't get into my digital ocean account this morning it's just that seems to work but I have a poison enterprise apps called do you want to play a game and it pops up and just says you've reached do you want to play a game app would you like to have access from Microsoft and it's just like when you sign in with Facebook or just when you sign in with Microsoft is that OAuth signing is this identity SSO model that's self-registering and so you as a user get tricked into clicking this and approving the app everything goes on you go on about your day the rest of it continues it tells you you're fine I actually have a web page that launches instead afterwards that brings up your picture from AAD and then your information your cell phone number your manager name anything I can enumerate from graph and I display that on just a simple web page and so that's what the user sees to try to demonstrate the concept but imagine I was just harvesting that and then becoming you and being able to read your email and now it's not you changing your password that doesn't change anything your password has no relationship to the enterprise app that's an identity layer application that I now have is almost a permanent link and depending on what rights I ask for I could wind up being an admin I could wind up being able to do everything almost in the world and more and more as Microsoft converts it so you know Jason what are your thoughts on defending against enterprise apps like that I mean a non-zero amount of business email compromise going on right now is just installing enterprise app as the user right and then sucking the email out it can send as user right like you can create rules yeah you the biggest defense there is again if you have an advanced policy I don't know if you can do this as standard or not you can turn off the ability for users to 
install enterprise apps they have to be approved yeah yeah and in that setting Tom basically just says nope you cannot register an app you have to wait and your administrator will approve it and it waits in that queue now and it's probably ideal because you really it may be inconvenient to your administrator but I also hope it's not because they shouldn't be trying to authorize a lot of apps all the time that's just in general not good behavior so yeah yeah and I think that if you take it back to security you know letting users register apps means that you have no way to determine what your surface area is and where your data lives right and I think that's where you have to have some degree of a planned method of are we going to use Calendly then add it to the business impact analysis and say yes and let's make sure we're set up correctly for us so let's stop the use of login credentials let's tie it direct to this app let's put a group around it you know those kind of of things right and so I think as we start thinking about the risk area of identity it's very apparent that that's going to be a big attack surface for me in the future as your data lives in sales force and as your data lives in these extensibilities that I use identity to get to so for sure now I think we reach most of the end of the big list there's a couple of things we we can kind of talk to combines the two so from an external there is Google dorking and we're not going to show up because Google seems to take less kindly on YouTube to diving into it but just Google Google dorking good news is Google doesn't stop you from doing it you can use it to find all kinds of files and things related and you'll be shocked at how many companies have somehow published extra memos internal information that gives you a ton of external information completely passively acquired so nobody at the company is on the wiser they're being targeted and then you turn it into what Matt said so you go from the JSON 
external recon to the mat all right now we want to be this person they're the person that seems like I want to be they're going to have the right amount of privilege for me to impersonate so I'm a spear fish that person and how would I spear fish them well I looked under social media and then I said hey they really like this or they seem to check in at Buffalo Wild Wings all the time let's send them a coupon like when you think about it sometimes it really is as simple as that when it comes to a fishing just figure out what they like and figure out what they're most likely to click on they're probably subscribed to it and it can be their personal email is way unfortunate and I recommend you block this but if you haven't many employees will check their personal email at work they should not be doing this but they will do this so it's it's a huge risk factor yeah and then use the same passwords right let's get into the meat of how that all kind of spreads out as well and I say this my wife's not with an ear shot so I can actually talk about this right now but I got a password manager and I was so smart I was like babe let's get everything in your password manager I want all the stuff in that family shared folder we're gonna have access to it with these type of settings and all that kind of stuff right and then I'm so happy because she's like I'm done it's all in my password manager I start looking through it one day and using the password I was like why is it warning me these passwords the same she had literally brought in the exact same password she was using everywhere in to said password manager right and so users are gonna be users is kind of my point and I think it's our job to educate that we have to have a process to force them to do it we have to have some kind of executive support to get on that path but yeah I also wanted to share one more thing real quick Tom to your point of how can people educate themselves and just how easy it is for me as a baby threat 
actor to learn and do these things to to teach myself where the surface area is so I brought up a site called kitploit.com I thought it was interesting because the first thing I saw in here was S map a drop in replacement for in map powered by Shodan.io so it's now taking in map and scanning capabilities but also enriching the data with what it already knows from Shodan right so you could imagine but the point is this kitploit.com has new types of stuff so you can learn where the world's going right a fast tool to scan SAS pass app written and go serious go so it's it's to go and take a domain name and go find where all these other endpoints exist where does a where does an SSO end point exist where does a right so you can start seeing a world from an identity centrism and how that extends out into all these applications but the tools are so easy to get and I play around with probably five to six tools a month out of this category and catalog so I guess I just said if you want to attack map put new tool that attacks map in this catalog yeah that's download numic grants yeah this is how you wish map yeah I digress also worth mentioning and we didn't say it's I think very well in the beginning but neststandard.com a lot of it was because their same admin or sales emails are also where they point the infrastructure I like companies that do things like I'm guilty of this too to an extent of you register a completely seeming an SSO domain domain yeah yeah yeah yeah yeah asynchronous to you my somewhat findable infrastructure.com we don't even know who's this is but it's not likely someone's gonna search it's a way that you can still have the convenience of having things pointed at domains because it's easier remembered at when you move things around shuffle large amounts of infrastructure but at the same time you're not publicly exposing it so there's it's just a couple different things you can think of to start creating that separation between yourself and it goes 
without saying but it's we're saying right here I like screen connect I use screen connect but I don't need to be admin to use it to uh they don't to help people so there is Tom and there is a completely different not the word admin user who logs in to do the updates to screen connect or do an admin privilege because I just don't need it on the daily basis and this is something that's really hard to convince IT and MSP people that they don't need to log in as administrator all day long yeah they should have separate accounts for these things that way if you get fished hopefully you were not logged into that extra privileged account because you only go in there don't check your email in a privileged account by the way you're limiting blast radius right at when I was at my MSP as the director of security the way I looked at it was I wanted to remove the blast radius as much as possible and limit the damage because I lived compromised and so the term I used was live compromised in that sense and trying to say okay if Tom's always going to be good Tom and then sometimes bad Tom right because of this impermanence of trust then how do I take when bad Tom appears and limit the damage that bad Tom can do and that's why that separation of admin rights that's why principles at least privilege that's why our back all those things but yeah I know we all have to run I don't want to run you know me you can pull my string I'll go for like 400 hours but yeah yeah let us know in the comments what you think of all this we all these things will be linked down there so all of you have some homework to do to check all the privileges that you have click all the links donate to the beer charity whether it's the 2022 edition or further on and reach out to these guys too they're a wealth of information they have channels and social media and LinkedIn that they can be connected with on it as well so thanks everyone who hung out this long and yeah just enjoying this is fun we may do more of 
these let us know in the comments down below thank you explore a lot of fun things see you yes all right see you later check out our affiliate links in the description of all of our videos including a link to our shirt store where we have a wide variety of shirts that we sell and designs come out well randomly so check back frequently and finally our forums forums.laurancesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel thanks again for watching and look forward to hearing from you