Breaching The Perimeter: Tips From The Red Team

Transcript

1. Breaching The Perimeter Tips From The Red Team

2. Who am I Harold Rodriguez aka superkojiman • Security researcher

   with a focus on offensive security • Penetration testing, red teaming, tool development, vulnerability research • Cut my teeth on CTFs back in the day • Certificates ◦ Offensive Security Certified Professional (OSCP) ◦ Offensive Security Certified Expert (OSCE) ◦ Certified Red Team Operator (CRTO)

3. What is this talk about Different techniques we've used to

   gain access to a company's network • What is a red team • Reconnaissance • Creative ways to break in

4. What is a red team • Real world attack simulation

   to test a company's defense and responsiveness • Blue team is unaware that it's taking place • Objective oriented; e.g. access database hosting customer data • Different flavours such as traditional and assumed breach

5. Reconnaissance

6. Physical Reconnaissance • Number of entrances • Access controls; locks

   and card access • Cameras • Places to hide out • WiFi SSIDs and security protocols • Network ports and power outlets • Printers and computers • Receptionists • Security guards • Employee seating • Employee hangouts (cafes, lobbies) • People traffic • Dress code

7. Digital Reconnaissance • Website and online presence • Subdomains •

   Other websites operated by the company • Employee information from LinkedIn • Company login portals • Company reviews from employees • Company job postings • Credentials from data leaks • Services used by the company (cleaning staff, maintenance, ISP, phone provider) • Company floor plans

8. Execution

9. Password attacks • Look for published password leaks and database

   dumps • Don't underestimate people's ability to create weak passwords • Even IT will use easy passwords for new employees ◦ Welcome1! ◦ CompanyName123! • People will use weak passwords that conform to password policies ◦ Winter2023! ◦ January2024! • People will use predictable password patterns • Exploit using slow password spraying attacks with rotating IP addresses

10. Examples of password attacks Got credentials? • Try to VPN

    into the company's network • Login to Azure portal and enumerate the domain and users • Login to Microsoft 365 and look for sensitive documents / emails • Upload malware into Sharepoint and share with other employees • Social engineer or phish other employees

11. Phishing • Have a clear goal of what you want

    your target to do; capture credentials or download and run a file • Use tools like ChatGPT to get you started with the text • Take advantage of what's happening in the world like holidays, major events • Get creative, don't limit yourself to email; try snail mail, faxing, SMS, QR codes

12. Examples of phishing login credentials These examples trick the user

    into authenticating to a login page designed to capture their credentials • Email developers notifying them that they have successfully added a new email address to their GitHub account with a link to a fake GitHub login page • Email employees about new employee benefits and promotions that requires them to click on a link and login to a fake login page • Send snail mail to employees with a QR code for them to scan and login to a fake login page to claim a gift

13. Examples of phishing login credentials

14. Social engineering • Have a clear goal of what you

    want to accomplish; get access to a location or some information, or get the target to do something • Blend in and act like you belong • Give your target a reason for your reaching out to them • Mention things that give you credibility • Be friendly but persuasive • Don't be afraid to use props

15. Social engineering examples • Pretending to be a customer or

    guest to distract a receptionist so your teammate can sneak in • Having your hands full with a box of donuts and coffee so someone lets you tailgate in • Pretending to be a courier delivering flowers to employees during Valentine's Day, had receptionist leave her desk to bring flowers to employees, install backdoor on her laptop

16. Hardware implants A device plugged into a network port or

    computer that gives you a foothold into a network or a user's computer • Company might have a tight external defense but internal security might be more relaxed • May require some social engineering or sneaking around to pull off

17. Hardware implant examples

18. Hardware implant execution

19. Closing tips • Intel gathering increases your chance of success

    • Some things you try might end in failure, learn from it and refine your technique • Get creative, think outside the box and don't over complicate things Socials: • Web: https://techorganic.com • Discord: @superkojiman • GitHub: https://github.com/superkojiman