Breaching The Perimeter Tips From The Red Team

Who am I Harold Rodriguez aka superkojiman ● Security researcher with a focus on offensive security ● Penetration testing, red teaming, tool development, vulnerability research ● Cut my teeth on CTFs back in the day ● Certificates ○ Offensive Security Certified Professional (OSCP) ○ Offensive Security Certified Expert (OSCE) ○ Certified Red Team Operator (CRTO)

What is this talk about Different techniques we've used to gain access to a company's network ● What is a red team ● Reconnaissance ● Creative ways to break in

What is a red team ● Real world attack simulation to test a company's defense and responsiveness ● Blue team is unaware that it's taking place ● Objective oriented; e.g. access database hosting customer data ● Different flavours such as traditional and assumed breach

Reconnaissance

Physical Reconnaissance ● Number of entrances ● Access controls; locks and card access ● Cameras ● Places to hide out ● WiFi SSIDs and security protocols ● Network ports and power outlets ● Printers and computers ● Receptionists ● Security guards ● Employee seating ● Employee hangouts (cafes, lobbies) ● People traffic ● Dress code

Digital Reconnaissance ● Website and online presence ● Subdomains ● Other websites operated by the company ● Employee information from LinkedIn ● Company login portals ● Company reviews from employees ● Company job postings ● Credentials from data leaks ● Services used by the company (cleaning staff, maintenance, ISP, phone provider) ● Company floor plans

Execution

Password attacks ● Look for published password leaks and database dumps ● Don't underestimate people's ability to create weak passwords ● Even IT will use easy passwords for new employees ○ Welcome1! ○ CompanyName123! ● People will use weak passwords that conform to password policies ○ Winter2023! ○ January2024! ● People will use predictable password patterns ● Exploit using slow password spraying attacks with rotating IP addresses

Examples of password attacks Got credentials? ● Try to VPN into the company's network ● Login to Azure portal and enumerate the domain and users ● Login to Microsoft 365 and look for sensitive documents / emails ● Upload malware into Sharepoint and share with other employees ● Social engineer or phish other employees

Phishing ● Have a clear goal of what you want your target to do; capture credentials or download and run a file ● Use tools like ChatGPT to get you started with the text ● Take advantage of what's happening in the world like holidays, major events ● Get creative, don't limit yourself to email; try snail mail, faxing, SMS, QR codes

Examples of phishing login credentials These examples trick the user into authenticating to a login page designed to capture their credentials ● Email developers notifying them that they have successfully added a new email address to their GitHub account with a link to a fake GitHub login page ● Email employees about new employee benefits and promotions that requires them to click on a link and login to a fake login page ● Send snail mail to employees with a QR code for them to scan and login to a fake login page to claim a gift

Examples of phishing login credentials

Social engineering ● Have a clear goal of what you want to accomplish; get access to a location or some information, or get the target to do something ● Blend in and act like you belong ● Give your target a reason for your reaching out to them ● Mention things that give you credibility ● Be friendly but persuasive ● Don't be afraid to use props

Social engineering examples ● Pretending to be a customer or guest to distract a receptionist so your teammate can sneak in ● Having your hands full with a box of donuts and coffee so someone lets you tailgate in ● Pretending to be a courier delivering flowers to employees during Valentine's Day, had receptionist leave her desk to bring flowers to employees, install backdoor on her laptop

Hardware implants A device plugged into a network port or computer that gives you a foothold into a network or a user's computer ● Company might have a tight external defense but internal security might be more relaxed ● May require some social engineering or sneaking around to pull off

Hardware implant examples

Hardware implant execution

Closing tips ● Intel gathering increases your chance of success ● Some things you try might end in failure, learn from it and refine your technique ● Get creative, think outside the box and don't over complicate things Socials: ● Web: https://techorganic.com ● Discord: @superkojiman ● GitHub: https://github.com/superkojiman