I know we're a bit late, so I'll be as fast as I can. My name is Larenne Zonnier. I'm a challenge designer, as I said, magician, security amateur, lock picker. And today I'm going to talk to you about stupid pentester tricks. So don't worry, you don't need to take notes, there won't be any zero-days or anything. It's just stupid things that work.

Just to give you a background, recently I went to a client, and that was the client every pentester loves to hate. They were awesome. They had EMET everywhere, they had Bit9, they had FireEye, they had patches, they had SRP, they had AppLocker. Pretty much everything; they had so many things that I was stumped. I had a 10-day engagement, and by the ninth day and a half I was miserable. I tried so many things and nothing worked. So out of despair, I cheated. I'll tell you more about it later.

And there's a really cool saying among pentesters, it's the following: if it's stupid and it works, then it ain't stupid. And the more you think about it, you'll see this is my approach, because I think that we as technical people, sometimes we really try to do awesome stuff and James Bond stuff and everything, but we could just be plain malicious and be more simple, because when you think about it, the real criminals are often not as sophisticated as what most pentesters do, yet they get in. So perhaps we overcomplicate things. So yeah, that was my client: 15-character policies, Responder didn't work. If you guys know what Responder is, it's the best tool for Windows pentesting right now, along perhaps with Empire. Nothing worked. It was a nightmare, and that's when it was fun. So what do you do? You flip a table. I mean, there's nothing you can do about it.

So today I'll cover four aspects: physical pentests, phishing, Wi-Fi, and actual Windows pentests. So first thing, physical pentests. Think about it. Nobody is James Bond.
I mean, for real, we try to. Like, people have a Proxmark or Ravenhid to do a long-range reader; it costs $1,000, it's difficult. People try to do key impressioning. People do lock picking, but I'm not sure when there's rain or it's at night and you're freezing, you're trying to lock pick outside, it sometimes could be very difficult. So how about we make things a bit easier?

So how many people know about key impressioning? Like doing key impressions: people have putty, and when you have access to a key, you put it in putty, and then you go home and try to replicate the key. Or I've seen people, they stick it in their forearms, hard enough so it leaves a mark so they could copy it. And I was like, why are you doing this? I mean, if you get access to a key, how about you take it and take another key from your spare set and exchange it? Because all of us, I'm sure we have one or two keys that we have no idea really why we still have. If you look in your keys right now, I'm sure you'll have one key that perhaps was for something at some point that you have no idea about. So why do we keep copying keys when you can just plain steal them? So now I always carry a spare set. I have keys, I have medic hose that people have left me around, I have all the keys that I need, so I could just steal them.

Now RFID cards. So RFID cards are cool, they're approximate, there are so many tools to clone RFID cards. So today I'm going to present to you our universal RFID card. It's this one, I'm not sure if you see it, that's the card. So with this card, I'm going to try to do a demo. Let me scan this. Have you heard it? Let's try this. Oh yeah, it works. Yeah, it works, all right. So all it is, it's this shitty... And all you do is, when you're piggybacking, because when you're piggybacking now, people are trained to listen for the sound, because since they're in front of you, they can't see the light, whether it's red or blue or whatever. So all you've got to do is I do this, and it beeps.
And here. So why are we bothering with... People are bothering with cloning cards and doing many things. Well, a one-dollar Chinese bus radio just did the same thing. So it's really, really interesting, it's very simple. But even with a Proxmark, say you really, really need to clone a card because that stupid trick doesn't work. Then, you know, people keep their cards right there, and the average Proxmark has an inch of range? So if you go here, like next to this region, and try, you look like a pervert, and it's kind of difficult, right? So what do you do next?

Well, you know what, and that's a very real and stupid story: if you're wearing a hazmat suit, nobody challenges you. Like, if you're wearing a hazmat suit, people go like this and don't move. Because it's kind of worrying having two guys in hazmat suits running toward you, and actually it's not illegal in Canada. So in Canada, you cannot impersonate a police officer. There are several things you cannot do. But as far as I know, it's not illegal to be a guy in a hazmat suit. So it works really, really well. So if you really need to read a few cards and you don't want to be a pervert, or nothing works, try a hazmat suit. It works wonders.

Now one more thing. If nothing like this works... This one is fake, so I cannot show you the actual pictures. That picture is a fake. But keep in mind, hackers take selfies too. So I had this security guard, and I'm not sure if you can see on their card, but on cards there are numbers. And if you have those numbers, you don't need a fancy Proxmark, you just need those numbers. So with a good phone and a selfie, you could take over companies doing physical pentests with nothing but a selfie. And that works really, really well. And so it's all a matter of approach. The way you can get a security guard to take a selfie is basically, well, that's my technique. I'm like, "Oh, hi. Are you working for a role? Aren't you the famous John B. Smith?"
"Man, you look just like him. My wife will be jealous of me. Mind if I take a selfie?" Because you don't want to look like a creep. Take the ego away. "You look like an actor. You look really like that actor, John B. Smith." I don't know if he exists. And it's a really nice technique to take selfies of random strangers.

Now, going over Wi-Fi briefly. When you're doing a Wi-Fi test, because back in 2000, a Wi-Fi test was really awesome. You could be a hero. People had WEP. So you could break things within minutes. That's awesome. But now, companies are being way more serious. People have EAP, valid clients. It's very, very difficult now to have results on a pure Wi-Fi engagement. I mean, now the industry has matured, and now Wi-Fi can be difficult. But you have to show results. Besides flipping a table, what do you do? Well, you cheat. It's a bit small, let me read it to you. So this is the logo of CGI, a company in Canada. I have it in Bell blue and Telus green also, which are three major ISPs, major organizations. So it's "New Wi-Fi access. Hi, welcome to the company's wireless service. Blah, blah, blah. Connect to Guest Corp. Enter your Windows credentials." The interesting part, and I'm not sure if you see the tape at the top, is I go early in the morning and I glue it to the outside doors of buildings because I don't have physical access. And you wouldn't believe how many people enter their credentials. It's like phishing, but easier. And I'm really, really bad at drawing, so what I did is I went on Fiverr, I paid $5 to get this, and it works really, really well. So next time you have to do a Wi-Fi engagement, instead of buying those huge antennas and then trying to go on CloudCracker, trying to capture an exchange and trying to crack it, and then you need a certificate and do all that stuff, which is awesome, but it's complicated. How about we just cheat? All right, if it's stupid and it works, it ain't stupid.
Now, when you're doing your Wi-Fi portal thing, use a different SSID than the real one. The reason why: people have WIPS, people have fancy technologies to block it, but they only block their own SSID. Like, I couldn't be "Insect Guest", but if I had an SSID called "New Insect Guest", or "this one works", or any one of those, then it would work and most WIPS would be none the wiser, right? So if you're doing this technique, just use a different SSID and you'll bypass pretty much all the WIPS technology.

Hacking now. So I'm going a bit fast because I really want you guys to eat today. So in most... If any of you have done any internal pentest, you'll see that in most organizations with Responder, GPP, Mimikatz, and perhaps a lot of PowerShell love, you can do lots of stuff. But sometimes all of this is blocked. What do you do then? Well, you can cheat. So in most of the tests I've had, people were complaining that Mimikatz was blocked. All right, Mimikatz is blocked, that's fair. But you need to be an admin to run Mimikatz, right? So if you're an admin and you can run Mimikatz, could you just disable it? Here's a registry request. To do this, you remove the anti-Mimikatz fix. You're done. One line. I mean, why do people bother? Like, now there's anti-Mimikatz and people try to do stuff, but you could just remove it. One line. Done.

Now here's my favorite technique that got me into pretty much every pentest. And it's so stupid you wouldn't believe it. It's called password spraying. So, like, when people... So if you do brute force, I think you don't understand the game. Most of the time brute force is a last-resort thing. But let's do it the other way. For every account, let's try one password. If you're in Quebec, try Soleil Zeroir. Because that's the password that works the most. I keep stats on those. And in Quebec, that is the password that works the most in organizations. I cannot tell you here why, but later on I can explain.
I have traced it to why it is. But otherwise, try CompanyName2016, Welcome1, LetMeIn. So you try one password for every user. And this works so well you wouldn't believe it. It's like magic, but no skills required. It's awesome. But you should try it... People who are on the defense side, try this. You won't block anything. And I swear you'll get hundreds of accounts. So CompanyName plus the year, and then CompanyName123. Check your policies. Sometimes you put the exclamation mark at the end, but you won't need it, to be honest. This is way more than enough. And it works. You'll get hundreds of passwords. So if you're doing a pentest, an external pentest, and you've got a list of users that you want to get into the VPN with, like, don't research zero-days on VPNs. Just try Salazar in Quebec and you're done. Like, don't bother, anyway. So now in some organizations, you want to do a password spray, but PowerShell is blocked. There is really cool research right now on how to run PowerShell when PowerShell.exe doesn't exist anymore, but just use Windows, like a bat script, and that works really well.

So now here's the ugly truth about Windows. There's an attack called SMB Relay that has existed since 1996. And while there were some patches in 203 that kind of, somewhat, a bit made the attack more difficult to execute, well, less trivial to execute, SMB Relay is an awesome attack. What SMB Relay allows you to do is to impersonate anyone without knowing their password, and no matter what the password complexity is. So that means that my client who had a 20-character-long policy, if you use SMB Relay, you're all set. You can impersonate a user. The very interesting part is that Tenable Nessus says this finding is a low finding. So nobody ever, ever fixes this. So you'll get shells with this all day long. So if you're stuck and you have no exploit, you have no users, you have no credentials, then SMB Relay is your friend. And this smbrelayx is a kind of new library from Impacket.
Those guys are awesome. Because everything, even for the new protocols, like the new NetNTLM and everything, so SMB Relay is your friend, that's the request. I'll talk a bit more about SMB Relay.

Now let's say all of those things don't work. You can still cheat. Call support. If you're admin and you've got Mimikatz, then you can get passwords in clear, or use the steps before to disable it and type Mimikatz. Then you call and you need support to connect to you. And obviously when support connects to you, you get their password in clear or their turbo-soaking. So how can you convince the helpdesk to connect to you? Well, I have two favorites. And basically I always use those two same ones. My screen background is asking me for money. Because when you think about it, most ransomware, that's what they do. And if there's something that worries a helpdesk person right now, it's this. So they will really, really connect to you as soon as possible and try to fix what's the problem. If that doesn't work, I have this really weird thing. And it doesn't make much sense, but people like it, it doesn't fit in any workflow. So they just connect right to you. It's "Why did you install a Dancing Pig icon on my desktop? Like, what's this Dancing Pig thing?" So the average helpdesk guy just goes through their workflow, and Dancing Pig, Dancing Pig, and they connect to you. And that's exactly what you want, because once you've connected to them, then you can cheat. You can invoke Mimikatz, SMB Relay. In some cases, and this is the only non-stupid trick, if you're not admin, the disk is encrypted and you have no way at all to cheat, you freeze the RAM, dump the RAM, and it works. But that one is a bit more advanced.

And one more thing that I'm using, and this is so much cheating, is I have this executable called fakeUAC. And all it does is prompt you for UAC, ask you for your password, log it in C-something.txt, and that's it. And it's a stupid trick, like asking for UAC, asking for a password.
But if it doesn't work, just start it again. I've had network admins, the first time they clicked on it, they didn't answer it. But by the 22nd time, they were like, "Yeah, bullshit, I'll just enter it." And it works wonders. And so I'm not a developer, so I don't do a lot of C#, but with C# forms you just drag and drop something so it somewhat looks like a UAC form, like it's a two-minute job.

So, phishing. So to go back to my client, after nine days and a half, I had nothing. And my point of view as a pentester is if you hire a pentester and he finds nothing, either the scope or the pentester is really bad. The scope for my test was everything. So then the pentester must have been bad. So what do you do then? Well, in that case, I phished. And it works. So let me show you. I'm not sure if any people do phishing, but here's the thing. Sometimes phishing must be secret, but people try to skew the result and tell their secretary, who then tells John from engineering, who then tells Mary from HR, who then tells it to somebody. And next thing you know, everyone knows about the phishing test. But you still need to deliver results. What do you do? You cheat. So here's my phishing. It's a bit small, so I'll read it. I think it's the world's worst phishing ever: "Hello, I'm the prince of Mugabe with problems, and I selected you to win $10,000 million. Just click here," with a missing image. All right? How many people do you think fell for it? Pretty much no one. But just next, I send this email with the logo of the company: "Hello, at company name, we take company very seriously. As such, you may have received a fake email. I'd like to thank all employees who followed proper procedures. People who clicked on the link may be subject to sanctions and penalties in accordance with HR policies. Visit this link for a list of employees who clicked on the phishing email. If there are any errors, please report them before March 8th." So I had a whopping 98% success rate.
Out of 4,000 employees. So it was a decent thing. And you'll also notice there's a missing icon at the bottom in this one too, all right? And there's one reason for it. You recall when I talked to you about SMB Relay being awesome because it gives you a shell as long as people connect to you? Users are trained to forward their phishing email to support people and security admins. And those are the exact people we want shells from. So, in fact, with this email, I didn't get any passwords, but I did get shells. The reason why I got shells is that people found it so sketchy that they forwarded it to their security admin, who checked it. And since he checked it, the SMB Relay connected to me, and then I got a shell on their workstation using this. So you can cheat within a cheat. I mean, I always, always put fake images with SMB Relay because people will forward it to their support. That's what they're told to do. So, yeah, that's really, really awesome.

Yeah, a few things when you're doing domain selection. My favorite is to just use a dash instead of a dot. So, support-mydomain, dot, dot, dash mydomain, HR-mydomain. And it works really, really well. It's stupid. It costs me 15 bucks, and that works really well. One thing if you're doing phishing: always set up SPF records. It's really trivial. I use SendGrid to send my emails. They send 4,000. I sent 4,000 emails in one day with them. It works really well. All you need to do is have valid SPF records. It's stupid and it's really worth it. No more spam for you, because being in their spam filter is a problem. If you're doing phishing, make your life easy. I use Phishing Frenzy. It's an awesome framework. It's in Ruby. It's really, really great. If you want, I'm also told Gophish is really good. So, if you're doing phishing, please don't do it by hand and start over all the time. Use those two phishing frameworks. They work awesomely well. One more key point before going to questions.
As we're doing pentests, we're told, "Oh, I always look at my logs." How can you tell if people look at their logs or not? It's a good question, right? Well, what I do is I send this request. It's "or one equals script alert dash, dash, slash, dash, slash, password". So that request does exactly nothing. But it raises every alert possible. And then I send this referer, which, oh, it's a bit... I have this referer that I only send there. So if people crawl my referer, it works, then I know the logs are being looked at. And you can even cheat and phish there with the SMB Relay thing. Because sometimes on LinkedIn, I have the name of the admins. And then I have admin-name-naked as a referer.com, as a referer. Or this-persons-porno as a referer. And so if I know which admin will look at the logs, I can have their name in the referer, and I'm sure they will click. So when they visit the referer, then I do my SMB Relay and I get shells and so on. So those are like really, really stupid tricks, but they really work. And that's pretty much it. Do you have any questions?
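The speaker's password-spraying trick (one password tried against every account) has a distinctive shape in logon-failure logs: many distinct accounts failing from one source in a short window, each only once or twice, which is the opposite of brute force. The following detector is an added example for the defense side, not code from the talk; the log format is a constructed pipe-separated stand-in for Windows 4625 records, and the thresholds are assumptions to tune per environment.

```python
"""Flag password-spraying (one guess, many accounts) in constructed logon-failure records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|source_ip|target_user|status"
# Status 0xC000006A = bad password, 0xC0000064 = unknown user (Windows 4625 sub-status codes).
SAMPLE_LOG = """\
2016-03-01T08:00:01|10.1.2.3|alice|0xC000006A
2016-03-01T08:00:02|10.1.2.3|bob|0xC000006A
2016-03-01T08:00:03|10.1.2.3|carol|0xC000006A
2016-03-01T08:00:04|10.1.2.3|dave|0xC000006A
2016-03-01T08:00:05|10.1.2.3|erin|0xC000006A
2016-03-01T08:00:06|10.1.2.3|frank|0xC000006A
2016-03-01T09:15:00|10.9.9.9|alice|0xC000006A
2016-03-01T09:15:01|10.9.9.9|alice|0xC000006A
2016-03-01T09:15:02|10.9.9.9|alice|0xC000006A
2016-03-01T09:15:03|10.9.9.9|alice|0xC000006A
2016-03-01T09:15:04|10.9.9.9|alice|0xC000006A
2016-03-01T12:00:00|10.5.5.5|zoe|0xC0000064
"""

def parse(log_text):
    """Turn the constructed records into (timestamp, source, user, status) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, status = line.split("|")
        events.append((datetime.fromisoformat(ts), src, user.lower(), status))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources that, inside one sliding `window`,
    fail against at least `min_accounts` distinct accounts while hitting each at most
    `max_per_account` times. Classic brute force (many tries, one account) is not reported."""
    by_src = defaultdict(list)
    for ts, src, user, status in events:
        if status in ("0xC000006A", "0xC0000064"):   # only credential failures count
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:   # slide the window forward
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[src] = sorted(counts)   # keep the widest set of accounts seen
    return alerts

if __name__ == "__main__":
    for src, users in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

In the sample, 10.1.2.3 is reported (six accounts, one failure each), while 10.9.9.9 hammering a single account is left for a lockout or brute-force rule.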