Okay, thank you everyone for coming. This is going to be our first live demo of the Recon Village and hopefully everything will work. We've got another stream; I think we've been able to hear the panel log in. So when tapping any internal network, intelligence is just absolutely key. If you have a lot of intelligence moving into the environment, you can add to it and not get great assessments on the target, but it's an entirely niche target. So who you're going to see is actually the author of Recon Village, which he's going to walk through in a live demo right now. What this tool does is it's a complete intelligence gathering tool. It is 100% passive, and I will now hand over to William Bridgwick.

Alright, so I'm going to talk into the mic. Do you all hear me? How are you all doing today? Good. Alright, so this is Recon Village. Okay, so again, it's a 100% passive pre-engagement, post-compromise tool. I'm just going to quickly run through these here. So we're just going to cover an agenda. I'm going to provide a brief introduction. I'm going to discuss some problems with modern day engagements, and it's probably nothing new to a lot of you. Also I'm going to propose a solution, which I believe is enumeration and validation through pre-engagement passive recon. Then I'm going to talk about operating on an engine within the network. It's going to involve a couple of different things. First of all, switch your perspective on networking a little bit. We'll talk about a couple of things and of course give you some different demos for both. This demo, one of the demos I'm going to give you, works about 100% of the time, 100% of the time. So we'll see how that works. Then after that we're going to kind of transition to a phase, talk about where it developed in my pit, related to your engagements, the future for both, some closing remarks, and offering you a chance for some questions and comments in the center slide. That's it, really quick, required slide.
My name is William. I'm a hacker, husband, I'm a father, et cetera, et cetera, and also a senior consultant. I've got a lot of years in the industry, targeting all kinds of various organizations through red teaming and testing. Basically, I like to hack all of the things. So that's enough about me though. Let's talk about why I'm here. I'm here to actually convey the real value of internal reconnaissance. I think that's something that orchestration and the like has really dropped the ball on a lot. I'm also here to foster an environment of what I've heard you thinking. I think this happens when you think about everyone else, whether we come off of it or not. I'm here to challenge your assumptions about what you think about internal network reconnaissance. I'm here to solicit some input from the hacker community. I'm here to shame the hell out of some network companies, which may or may not know that this is an issue; I bet you a lot of them do. They don't talk about it as much. I also want to start a conversation with network engineers and compliance bodies, and then lastly... Okay, so quick disclaimer: I'm not a real ninja, and I just do the right thing.

So let's talk about the problem of modern day engagements. Right? And again, I'm probably speaking to a lot of you who are already tracking. But there's a lot of engagement overhead, just delays, things like that. We're operating on short timelines. We're operating in secure environments. We're inserting into an environment we actually know very little about. Some of the expectations that are put on us to discover that may need to be seen of various things. Also, there's new products that are designed to eject us from the environment that we're targeting. And actually this works with what I call compliance, or the scan of compliance. The fact is, sometimes when we engage with compliance, it's just a scan that's looking to check the box.
And often customer-friendly environments that they actually meet. Or they define the scope. There's a lot of PCI that's around that scene. But we already know this, right? We know this, exactly. The truth is, we understand through Hacking 101 that the law does not apply to me, and your scope does not apply to me. Scope is not a defense mechanism. And we've got to stop treating it like it is, because a real-world adversary doesn't care about the scope. But we know that scope's going to be a limiting factor. And we also know that, you know, if attacks can come from anywhere, we know that that scope is potentially going to impact what's supposed to simulate a real-world engagement. There's also supposed to be a lack of this understanding on the blue team side. And that's primarily our fault. Those that are serving the blue team have really affected the community. But we also lack a set of tools to be able to provide evidence of why maybe scope shouldn't stand, or how it should go, or how it should be watched, how the engagement should be done.

So, again, my proposed solution is enumeration and validation through pre-engagement passive reconnaissance. This provides a lot of various things. I think the number one thing that it provides is most important. It's a picture of the environment before you touch it. That gives you kind of a baseline to reflect upon and something to achieve. It kind of gives you a good baseline to validate scope and the intent of the engagement, because this is a scan. It kind of allows you to potentially create opportunities for exploitation of things that the customer may not know about. And they don't know that they can't defend it, and it makes it forward on a really deep target. It also allows us to inform the customer about their real presence. Because the fact is, defenders are defending environments where users are making changes but they're not tracking them. So I was thinking, well, that's great.
How are we going to do that passively? And I'm glad you asked. So let's just talk about leveraging the environment for some targeted exploitation. Again, I have to switch your perspective on that so you can have some conversations about it. There's a lot of things that I'm sure a lot of people here know about the switch, right? There's switches in just about every environment, typically, you know, they vary in topology. But the fact is people make a lot of poor assumptions about switches. They're actually quite insecure by default. They're not bought as a security feature. And the fact is they're just immensely powerful and they get compromised quite a bit. Let's talk about what you may not know about them. Technically they're defined as Ethernet bridges with some sort of MAC address database and a switching engine in the background. So because it's a MAC address database, everyone assumes these things are safe; because it's a MAC address database, the data can't cross between it. But it's just not true. The fact is that switches are just like every other component in the network. They have hardware and software limitations. And the fact is that they can be impacted for various reasons, whether because they're misconfigured or they just fail over and out. So that's why, you know, I don't believe switches are safe. In fact, there's more intel leaking from a switch that is potentially easily accessible to a passive observer. Just to give you a couple different things: network topology for trust relationships. How is the network designed? It's a lot to talk about with people. Very useful if it's behind a firewall. How can I, where's my toehold to be able to reach my target environment? Network services, so what kind of network services are running out there? Authentication information actually gets spilled on switches. Network host intent: is this the DNS server, the domain controller, the workstation, things like that.
So, for example, I might not know what 1-something-2AWG3P is; that doesn't mean jack diddly to me, but the switch that I'm connected to may actually tell me that this is the advanced warfare for the password reset server. And suddenly, that's a very useful toehold. So, it'll provide information about how they work, egress policies, which is great for sitting in the environment, best way to flow through the network. It can give us information about managed service providers, or previous compromises that we can leverage to potentially get deeper into the environment. And most importantly, it can tell us about supported protocols and open TCP and UDP ports. I call this reverse port scanning, because the fact is that switches are spilling unicast. So, I'm going to drop this. I've got a lot of really interesting comments from the community. But, yeah, there's a lot of trust that we put in unicast, but if you don't take my word for it, I'm just going to provide you with a couple of examples. Sorry for the terrible screenshot. Here's the standard view of Wireshark. Everyone's seen this. We see some internal hosts that are talking to Amazon. I already see some TCP ports and UDP ports, specific architecture. A lot of people are aware of that. Here's something; I think Wireshark is still a great tool. This is not any man-in-the-middle attack or anything. It's just running passively in the background and getting SNMP in one application, right? This is a broadcast protocol, fine, but it's fairly concerning: the environment gives me a clear-text password and, okay, what can we do with that? There's a lot of things to do with the switch. The fact is that people reuse passwords everywhere. So, this was quite a lot of information. Let's dive just a little bit deeper. So, on the right there's the stuff that Cisco has been telling you that it can't read. I'm not so concerned about it. I'm more concerned about the metadata on the left.
We have two different hosts that are talking to a host on TCP 48888, and this is just out of the TCP push traffic; or, well, this is TCP push traffic, but there's also SYNs and ACKs in some of those cases. But what does this tell me? I know that there's a service on TCP 48888. Now we're probably thinking enterprise cross-search in all of those lines, and you know that would probably be right, but I'm not going to find that passively without setting a single thing aside. Let's dig a little bit deeper. Again, I don't have a little type of service in here. Just do a big grep for the environment and I get something that goes through a printer, and you're like, so what? It's a printer. But no, in this particular case it's a Windows Server 2003 R2 host with a username. Okay, so it's an administrator, everyone knows that. Now, what I have here is administrators are logging on to servers that are unpatched and unsupported and they're creating PDFs. It tells me a hell of a lot about the environment that I'm part of, the security posture and such. So, you know, depending on where you are on this dance: if you're a defender, this might be your response if you think that that was still the switch just before me and haven't taken advantage of this a whole lot. I'm using some of the stuff I'm missing; that's my day every day. Of course, if you're selling this stuff to people it might be eye-opening to what's available.

So, let's just talk about the methodology that I used to use. It's about an hour and a half talk; I'm going to give you about 30 seconds to gather this. I'm a big believer in passive reconnaissance. And so, I would run through various phases. Starting with OSINT. If you're not doing OSINT for internal tests, you're wrong. But that's okay. I mean, it makes it easier for me when I'm on. You know, let's go around and ask the internet what we know about the environment. You've got, you know, a lot of self-awareness, which is just what the network told you about yourself and the network.
You've got the passive recon, without transmission, taking a look at those key pieces and things like that. You've got the semi-passive or semi-aggressive interactions, where you're using maybe RDP or something like that. And I can carry a lot on. But in this particular case, RDP to a DNS server which was handed to me by DHCP. It gives me not only the way it happens in its name, because it's logged in, because most people don't use DNS, but it also gives me the OS version that it's logged in from. Two very useful things by simply looking at simple RDP. Moving along, there's all sorts of things. There's interactions within, you know, the environment, via SMB, DNS, you know, whatever else have you. It's working to map out that intelligence to find those targets of interest and sitting on a base. Then there's aggressive scanning. I've heard that most of the interaction starts with this. It's just a damn shame, because there's so much information that's available. You know, of course, there's common old things, right? It's what we like to do. So depending on what your methodology is and such, you know, this is rather complex. I completely agree with you. I actually work with the same kinds of people. The professionals will come to time. We're losing time on this. We need to recover. So what can we do to actually recover that and gather some information?

So let's talk about this: winning a hard fight without fighting. This is something that I reached for when someone told me that it's impossible. And it's just a hundred percent passive tool designed to gather as much information about your environment as possible before an engagement starts. You know, you're sitting there with engagement delays and things like that, sniffing out these little spills and gathering a good picture of the environment, potentially even before an engagement starts. It's about 15 percent complete.
We're working on quite a bit of it, but it's fairly effective in some of the engagements that we're carrying out. Of course, it requires a lot of resources. Okay, so let's just do a Probella demonstration. Before that, on Wednesday, when I took this out to my community and various people, they immediately talked it up until they started seeing some of the things I got, and actually this led to some panic on the blue side about whether this was fair or not. Of course, at this point, I was like, yeah, let's take this as a moral, but see some of the samples I have. And management was a hundred percent supportive of me hauling all that over here. Actually, my management's cool, but they've got to manage risk and I've got to figure out how to do that. So what I have here for you initially is a highly obfuscated sample with some real world data, and a lot of OSINT data, that's from OSINT sources, so that nobody gets burned here.

So let's just talk about what we have here. So, in the left hand window here, you're going to see me listing my IP and then running tcpdump. So that's just to prove whether or not I'm broadcasting. And then in the right window here, you're going to see me launching Prodellicle here. I'm just going to be scrolling around for intelligence; so there I found a network source, just passive intelligence, so that's something that might be useful for following up. Oh, here I've got an HSRP password that's set in clear text; that's useful. And again, note that window in the background. Note that it's not scrolling, because I'm not broadcasting anything. I'm just sitting there in passive mode and this intelligence is floating around. I'm getting network egress information; there's a UDP port that's mapped towards a gateway, so what, yes, that was gathered passively. Scrolling along here, TCP ports that were... oh, this is useful.
So one's going to Apple; I don't know what the heck that is, but the rap sheet in the next post console might be useful for using the scan information to store on there and not delete it, right? Especially if it's a hardened environment. So most of it is identified through ICMP. Here we've got a password reset server, where my customer said that's unfair, and I don't care. I'm going to talk about everything, because the adversary would, right? So that's fairly useful, right? And again, this is just 100% passive. If I was broadcasting, you'd see that window scrolling, right? I didn't have to be scrolling and things like that. But it's not. Oh, there's someone spraying the network, asking them to eat, which might be useful for reclaiming somewhere else. Here's something where I would never gather that through force, but in a real-world engagement, two-factor, poor switching matters, but something like that came out and started making queries, and something that they didn't know about, but was rather strong, right? So this is going to be an example of test backup servers. Love test backup servers. I'm a huge fan of alternate client resources. But yeah, that just kind of gives you a good idea of what we built up, though, is what it looks like with the environment that we like to provide initially.

All right, so I recently dropped this on a lot of various people, got good feedback, and some people were like, that's impossible. And to be honest with you, this became a game changer for environments. Half the time I feel like I'm smart and the other half of the time I feel like I dropped a baby on a beach, you know? Because I've seen some intel that's very useful. Things that I can't tell you about yet before we talk with some big players. But it seemed to change the kind of intel that I would get. It was very critical. You think about it on both sides later on, right? If you're here too, it's not secure. Go away. Not really secure.
So I'm going to try to give you a little demonstration of some hardware here. Over here I've got a Central Switch, America's favorite brand. Pretty trustworthy. It's been powered up for a while here. They can't handle it. It should be full of popularity. But in this stupid stack here I've got various different pieces of activity. I've got devices reaching out over SNMP. I've got devices that access each other, maybe with top. Trying to generate a lot of TCP push traffic in some of those pieces, right? So here we go. Got it. Here's the top. Do you like it? Yeah, it's worth it. You want me to turn on my phone? Yeah. Yeah, so here we go. So you put it on channel one right now. Channel two. Come on. Box two. Alright, so what I've got here is I've got a basket in that room. It's where you pick up some traffic, right? So there's some traffic. So we pick up the space that's available there. And then also the little clients. So what I'm trying to do is we're going to try to push a little bit more traffic. And you'll try to push it over a network where the traffic is a little bit more patterned, so what I'm trying to do is see if it's good enough. It's my artwork and I apologize if it doesn't work. Thank you so much. Alright, so what you have here is you've got actual TCP traffic, and see the traffic that's being disclosed here. And as you can see, so I apologize for the font size, but you can actually see it's actually mapped hosts and listening TCP services. I'm not doing anything to capture this. There's also, I'd say we get an instant peek in the industry. Looks like a senior package team. So I could really play that advice in the end without lifting a finger on that. So one of the things I got from much comment was like, well, that's great, how's it work on wireless? I was like, that's a good question. So whatever I want to do a little bit, and I'm on house and I can hack a lot of things.
There's some things that my kids and my wife can do for me if I break them. And I'm just going to say one of the things I do not force scan or mess with is this router too, because it's there in pain, so it's really set up in the storm. So what I had was I had this AC star, and this is the guy I can show you; this whole fire can't stack in two of these because it's my dad, so whatever. So we got these devices connected to this wireless router and it makes it work properly. So we're going to go into a Netgear ProSafe switch, which is a pretty good sister of Lucy Graham, which was cascaded into this Steve Goddow Netgear switch, which was then cascaded into a VM running on this host. And something came out that was interesting and told me about this host 10.6 to 3, of course 86. I'm like, what the heck is that? I'm doing an OUI lookup and it says that it's a router. I'm like, okay, well, BS, it's wrong, because there's no way I'm going to get wireless traffic into this cascaded switch, but I'm not even part of it. But sure enough, if you see the bottom on the netcat, I'm going to be able to access that service. That's nuts. Well, this isn't supposed to go there. Last night I associated with the network in the Vegas area just for the hell of it and I found this wonderful environment with this Netgear infrastructure and found this whole thing in the description. And, oh, so what? You've got a hostname in the description. What do you do with that? Well, it turns out Google was very helpful and it surfaced several high-end vulnerabilities, to include a post-authentication command injection. Now that's one hell of a wireless assessment, right? How many of you guys are looking for wireless for peers with command injection to establish persistence in your wireless insertion? I didn't know about this because I was like, hey, I'm this hostname and I'm going to look into it. So what causes this, right?
Well, there's a lot of things that do that. I don't know for a fact what causes this; a little bit to the top three, I don't know what that is about, but the environment just really comes from being all around AC, and it's routing; the traffic is flowing from both sides, actually at least from different VLANs, to get spills and collect information from that. This is going to be topology changes; the impact of that actually goes out. What it does is it shortens the time that something remains in the CAM table, and when that gets shortened, the switch doesn't know about a packet that comes through. What does the switch do when it finds a frame that it doesn't have a MAC associated with in its CAM table? It goes out all ports, and that's how I'm sitting in that. There's also some interesting things about STP, and by default, as my director pointed out, a lot of people don't configure STP, so the priority is usually 32,768, right? So by default, if everyone's 32,768, who's the root switch that sends out these STP TCN notices? Well, the answer is the device with the lowest MAC address. So if you guys don't configure that, I can potentially just change my MAC address to A or D or whatever and suddenly I'm in control.
That's a bit risky, because you're about 100% passive, so I don't know if I'll even get to there, but I do know that when people are messing around with their infrastructure while connected, that's actually going to cause an impact to the CAM table, which is going to spill information to me. There's also an issue with mountain clients, which is, if you look at some of these guys on Cisco forums, one thing they'll say is do not plug in a switch that doesn't speak STP or respect STP. There goes, well, we have a lot of devices that need to speak STP, or you'll need some of the cheaper devices to start and roll that in, but what we're going to need from that is to filter on those packets that STP uses to manage the devices and just say, ah, it's only going to impact the spanning tree protocol, which is originally designed to prevent transmission, or we think that we shouldn't be getting that information. But again, switches, just like any other device, are a limited resource, and Cisco can only tell you about this, so there you have it.

Okay, so we're going to try to do a live demo. So it's an environment where they're like, you know what, we don't know how to scope this, and things like that. This is a feature request from somebody with a developer, so I said, yeah, sure, why not. So should we just go through your year did that right can't see. Okay, so again we have a packet capture that I just found on the internet; we don't know much about this. This is just going into its process in this data, and I think I skipped the original demo that I had, but the tool actually has a backing database and that's the capability to report on data, so it can actually give you a sit-rep, a desk report; it just gives an idle summary: it's found networks, it's found hosts, it's found MACs, TCP and UDP ports and some of those pieces, because this tool is useless if it doesn't provide useful intel. I used to just sit there with a screen and do research, but it gives a database. So anyway, this is just helping somebody out that doesn't know
how to scope an environment they're trying to defend: who's talking to my environment, or they're showing me, looking for an IOC to indicate a compromise, or something where they're not just talking to me, this information that it shouldn't be, because some advanced adversary is a lot of me, right? So that's kind of how that works. So I'll see if I can put it in a moment. It's so hard to see that font. So I did a basic report on here; we both looked at that and it told me we found some interesting things about this. It looks like some interesting hosts have been identified, there's some things like that, right? There's that work that I've put out that was picked up; I think I can see the screen to change the font. So I followed this: there's some interesting hosts you might want to look at, some sort of, some kind of additional intel. I'm sure I want to build that into a humanized table, but anyway, that's the pcap demonstration.

So let's just talk about its role in your engagement. So what should we be doing about this? My answer is to exploit it. We should be exploiting this in red teams and pen tests on a regular basis. This is useful to fill the gap in instances where we're waiting for an engagement to kick off or something like that. Just imagine logging into a device and then being like, hey, here's authentication to this router, this switch, or whatever else have you. I have customers that are like, what's this network, how do we know about that? Oh, it's production, you shouldn't be seeing that. Well, I am, because it's interesting: the cascade and stack, this information gets spilled all the way down the stack. Sometimes it's just very easy, but I think it should be exploited, or it's time to work to do something for me, but it's just for the handbags to remediate all of this stuff, to be honest with you. So I think it's just useful for red teams because it just provides powerful insight with zero transmission, uses very little storage, so the problem when I used to have a pcap and it's like, you
might fill the disk, you don't know you're running that screen session; I don't worry about that anymore, because I can gather quite a bit of information in a short amount of time to fill this. But it's also useful for red teams and pen test teams because, again, it's the zero-transmission information gathering tool, right? So that's just going to provide powerful insight without being caught. We dropped this on a red team a little while ago on a financial institution and nobody saw it, because it doesn't transmit anything; you can't see a Probella combination. But it's also useful for those idle seats on the blue side to learn a Probella environment. People are like, oh, it's going to touch a great thing; no, it's a Probella transmission thing, and you can find things that are interacting with the environment, and you can sit there and just run however long you want using a ton of resources and provide some sort of indication that something is interacting with this environment that it shouldn't. Anyway, so about the future: you know, per some people's request to send a pass into a constant space, they told them to do so, but Probella was primarily a 100% passive tool, so I had some people like, do you make a thing, do a contest?
I'm trying to provide a different perspective in a different way: you import scanning a system behind a firewall that you can't reach, but identifying services and ports as well as identifying the general hosts that reach that environment, that's useful intelligence. I'm not going to replace other tools that do that aggressive scanning; they do a great job. Obviously we've got some sort of C2, you know, we're not... we're going to report out to the mothership, but you can do that. So as Provolto understands what's allowed to egress the environment, that's how you flow through when you're getting data out of the network; it's the flow like the network. So if ICMP's allowed to the internet, then maybe Provolto, if told to do so, can report out to the internet about what it's found, eventually operating in kind of a mesh configuration, like four observers really want to report back to the mothership. But the beauty of Provolto is it's got the single instance database, and I can use that from both host to host; if I find it to be capped in a pen test, I can certainly replay that into an additional database. I'm going to figure out what I'm going to do. I think the question is we'll assist both red and blue teams through a task audit and defense, but again, it's not going to replace... it's not always... I mean, if you log in and you find credentials right off the bat, then maybe so.

In closing: look, switches are snitches. If there's anything I want you to leave with, it's that switches are snitches and intelligence is everything. And these switches, it's not the manufacturer's fault; they're going to do the best that they can, but the fact is there's data that's leaking from here and I should be using these packets. So if you leave here with anything, remember: switches are snitches. Probella was designed to automate 100% passive reconnaissance. I think it's great for both offense and defense, and I think that you should use this if at all possible prior to the dirty migrations to really work to
understand the environments that you're either attacking or defending. So that's about it. So I don't know how much time I have, but does anybody have any questions, comments, or concerns? Okay, yes.

Yeah, so this I try in enterprise environments, so the answer is yes; the answer is there is leakage, there's evidence of leakage, even physical, telling that we have to leak to each other in an overwhelming... So if you're on the blue side, your blue side is telling you that our bandwidth is not good enough for our environment, you'd better address that; even the bandwidth they need, we're all funded. But yes, and I recently thought that some people said, well, maybe CDP or STP, let's do this, and, oh, I'm doing this in three-way handshakes; this is real basic stuff, so it's not the magic there, it's just the fact that the leak in the frame, it's supposed to be a report that we're not expecting; we're kind of in trouble from that. Well, it's from the red text from that, I'm just a half in a program, but I'm trying to get as much information as I can on that, but I'm doing it without lifting a finger. Yes?

What's your ETA for completion of the program?

Okay, so question one was, what's my ETA for completion of the program. So the answer to that is, you remember the Trump baby? So every time I try to write something that's very interesting, my impact is just like a module, so that we can give you additional information from the environment; the environment changed particularly in a little while to really understand this, and it's just because the environment's overall and there's a backup window, or the environment's overall with a bunch of, real screw it, remote desktop sessions and things like that, right? So I really don't have a window. Again, I'd rate to go to this because people said it's impossible, so let's just don't leak information, and that's where our version started. Let's start again; a lot of other guys have been using it, it's been great. So I don't really have to get in the window. I have a bunch of ideas that I'd
like to do, but really I'm here to solicit input from other people. You know, it's open source, available on GitHub, and I think we should just be expecting this as much as possible, because again nothing is secure if you're there to piece this compromise or which wire is the only ones. Any other questions? Yes?

Are you looking for community contribution, and if so, do you have like guidelines for your contribution on GitHub, that kind of thing?

The question was, one, if I am looking for community contribution, and so go ahead and find... The answer is I would love for anybody to contribute to this. I've had people from other organizations that have been providing contributions to this. I'm just a hacker, I'm not a programmer. A lot of hackers get their programs, but they're not right and say a thing, right? I'm the smartest person I've ever met, so I get to think there's a lot smarter, a lot more smart people out there. They're like, hey, good break, we get X; that doesn't mean we'll always capture that in the environment, but absolutely, this thing is bigger than me, right? That's why I'm here, right? So two of that in five lines, the answer is no, because I'm just a hacker, not a programmer, so I need to get all that, because GitHub's constantly running; hey, I thought this would be great. So I don't know, any other questions? Hello?
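As an added, defender-side example that is not part of the talk or of the speaker's tool: the STP mechanics he describes (default bridge priority 32,768 with the lowest MAC winning the root election, and topology-change BPDUs that shorten CAM aging so the switch floods unknown unicast out every port) can be checked from a monitoring port by parsing the BPDUs that arrive and counting unicast frames that reach the port although they are addressed elsewhere. The frames, the MAC addresses and the monitoring port's own MAC are constructed placeholders; the BPDU layout follows IEEE 802.1D.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (not captured from any real network): one 802.1D
# configuration BPDU, one topology-change-notification (TCN) BPDU, and two
# ordinary unicast frames, one addressed to us and one addressed elsewhere.
STP_DST = bytes.fromhex("0180c2000000")      # IEEE 802.1D bridge-group multicast address
MY_MAC = bytes.fromhex("00aabbccdd99")       # placeholder: the monitoring port's own MAC
DEFAULT_PRIORITY = 32768                     # 802.1D default bridge priority (0x8000)

CONFIG_BPDU_FRAME = bytes.fromhex(
    "0180c2000000" "001122334455" "0026"     # dst, src, 802.3 length 38 = LLC 3 + BPDU 35
    "424203"                                 # LLC: DSAP 0x42, SSAP 0x42, UI control
    "0000" "00" "00" "00"                    # protocol id 0, version 0, type 0 (config), flags
    "8000" "001122334455"                    # root ID: priority 0x8000 + root MAC
    "00000000"                               # root path cost
    "8000" "001122334455"                    # bridge ID of the sender
    "8001" "0000" "1400" "0200" "0f00"       # port id, message age, max age, hello, fwd delay
)
TCN_BPDU_FRAME = bytes.fromhex(
    "0180c2000000" "0066778899aa" "0007" "424203" "0000" "00" "80"   # type 0x80 = TCN
)
FLOODED_UNICAST_FRAME = bytes.fromhex("00aabbccdd01" "00aabbccdd02" "0800") + b"\x45" + b"\x00" * 19
FRAME_FOR_ME = bytes.fromhex("00aabbccdd99" "00aabbccdd02" "0800") + b"\x45" + b"\x00" * 19
SAMPLE_FRAMES = [CONFIG_BPDU_FRAME, TCN_BPDU_FRAME, FLOODED_UNICAST_FRAME, FRAME_FOR_ME]


@dataclass
class Bpdu:
    kind: str                          # "config" or "tcn"
    tc_flag: bool = False              # topology-change bit of a config BPDU
    root_priority: Optional[int] = None
    root_mac: Optional[str] = None
    sender_mac: Optional[str] = None


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_bpdu(frame: bytes) -> Optional[Bpdu]:
    """Parse an 802.3/LLC-encapsulated STP BPDU; return None for any other frame."""
    if len(frame) < 21 or frame[:6] != STP_DST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != b"\x42\x42\x03":   # Ethernet II type, or not STP LLC
        return None
    bpdu = frame[17:17 + length - 3]
    if len(bpdu) < 4:
        return None
    proto, _version, btype = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        return None
    if btype == 0x80:
        return Bpdu(kind="tcn", sender_mac=mac_str(frame[6:12]))
    if btype != 0x00 or len(bpdu) < 35:
        return None
    # Top 4 bits of the 16-bit field are the priority; the rest is the 802.1t system-ID extension.
    root_priority = struct.unpack("!H", bpdu[5:7])[0] & 0xF000
    return Bpdu("config", bool(bpdu[4] & 0x01), root_priority, mac_str(bpdu[7:13]), mac_str(frame[6:12]))


def assess_bpdu(b: Bpdu) -> List[str]:
    """Findings a defender wants: events that shorten CAM aging, or a root election left to chance."""
    findings = []
    if b.kind == "tcn":
        findings.append(f"TCN from {b.sender_mac}: topology change, CAM aging drops to forward delay, expect unicast flooding")
    else:
        if b.tc_flag:
            findings.append(f"config BPDU from {b.sender_mac} carries the TC flag")
        if b.root_priority == DEFAULT_PRIORITY:
            findings.append(f"root bridge {b.root_mac} runs default priority {DEFAULT_PRIORITY}: root chosen by lowest MAC, not by configuration")
    return findings


def flooded_unicast(frames: List[bytes], my_mac: bytes) -> List[Tuple[str, str]]:
    """(dst, src) of unicast frames that reached this port although addressed elsewhere: the switch is flooding."""
    leaks = []
    for f in frames:
        dst = f[:6]
        if dst[0] & 0x01 or dst == my_mac:   # broadcast/multicast and our own traffic are expected here
            continue
        leaks.append((mac_str(dst), mac_str(f[6:12])))
    return leaks


def report(frames: List[bytes], my_mac: bytes) -> List[str]:
    """One line per finding over a list of raw Ethernet frames seen on the monitoring port."""
    out = []
    for f in frames:
        b = parse_bpdu(f)
        if b:
            out.extend(assess_bpdu(b))
    out.extend(f"unicast for {dst} from {src} seen on our port" for dst, src in flooded_unicast(frames, my_mac))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_FRAMES, MY_MAC):
        print(line)
```

Feeding it frames from a live socket or a pcap reader in place of SAMPLE_FRAMES turns it into a baseline check for the leakage the talk describes; a steady stream of "unicast for ... seen on our port" lines is the symptom to raise with the network team.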