
Pivoting Without Rights


Formal Metadata

Title: Pivoting Without Rights
Alternative Title: Pivoting Without Rights: Introducing Pivoter
Number of Parts: 109
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
One of the most challenging steps of a penetration test is popping something and not having full administrative-level rights over the system. Companies are cutting back on administrative-level rights for endpoints, and then there are those times where you popped an external web application and were running as Apache or Network Service. Privilege escalation or pillaging systems can be difficult and require extensive time, if it succeeds at all. One of the most challenging aspects of pentesting was the need to have administrative-level rights, install your tools, and from there leverage the compromised machine as a pivot point for lateral movement in the network. Well, the time has changed. Introducing Pivoter: a reverse-connection transparent proxy that supports the ability to pivot with ease. Pivoter is a full transparent proxy that lets you use limited rights on a system to pivot to other systems and attack transparently from your system at home. Port scans, exploits, brute forcing, anything you could do as if you were on that network is now available through Pivoter. As part of this talk, we'll be releasing a new Metasploit module for shell DLL injection for AV evasion, a Linux version of Pivoter, a Windows version of Pivoter, and a PowerShell version of Pivoter. msf, run pivoter, pentest as if you are on the internal network even if you don't have admin rights. Also during this talk, we'll be releasing a new major release of the Social-Engineer Toolkit (SET) which incorporates Pivoter into the payload delivery system.

Speaker Bios: Geoff Walton is a Senior Security Consultant for Cleveland-based TrustedSec. He joined after years of working in information security. Geoff's expertise in pen testing, network security, and software analysis comes from over ten years of experience in a variety of information technology roles, including software development, network operations and information-security-specific functions; Geoff brings broad vision to assessments and penetration test engagements. Geoff has been part of diverse IT teams at organizations both large and small. He has experience across several industries including retail, professional services, and manufacturing.

Dave Kennedy is founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from an offense and a defense perspective. David was the former Chief Security Officer (CSO) for a Fortune 1000 company where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Tester's Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. Kennedy is the co-host of the Social-Engineer podcast and on a number of additional podcasts. Kennedy has testified in front of Congress on two occasions on the security around government websites. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES), a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville, Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence-related missions. Twitter: @HackingDave
Transcript: English (auto-generated)
we're going to cover a lot in a short amount of time. Real quick anecdote: I'm a big fan of the Social-Engineer Toolkit and all the stuff you guys do. When I'm back home I do a lot of security awareness talks for other attorneys, and this spring I did a live demo, it was crazy, and did a live demo of the Social-Engineer Toolkit, and who's in the audience but the powerful people for a long time, and I'm excited to see the new stuff. Let's give them a big hand.

It's Sunday and you're all still here, so a round of applause for you. I'm sure everybody's experiencing delayed reactions, headaches, so we have a lot of shrieking and loud noises throughout our presentation just to keep it fresh in content here. Just a quick intro: I'm Dave Kennedy. I started TrustedSec and Binary Defense, which are my companies. And what's funny is I just saw somebody here that I used to work with in the military, and it's funny how you kind of see all the people that you kind of go through this industry with, as well as a whole bunch of new people that are coming into the industry. And I got to get a hug yesterday, I'm a big hugger guy, but I got a hug yesterday from somebody that was just coming into the industry saying, hey, I'm so passionate about what I'm doing, I'm learning from all of this and I'm learning from everybody else. And that's the biggest thing: when I was coming into DEF CON, I think DEF CON 8 or 9 was my first DEF CON, the thing that I came into and I learned about was just learning from other people, because everybody's so damn smart in this industry and no one knows everything else that the other person knows. So it's all about that and that community, and DEF CON is such a great place for that, and I have to give a round of applause to everybody that makes DEF CON possible, the goons that clear up all the traffic flow after the first day, giving their nights and nights and nights over and over again. Let's give a round of applause for everybody at DEF CON.

So I authored the Social-Engineer Toolkit, a couple of other tools. I'm actually going to be showing one today called the PenTesters Framework, which I added a new module in for the Pivoter that Geoff wrote, that we're going to be releasing today, but we'll get into that. Geoff? This is Geoff's first time presenting at DEF CON, so can we give him a round of applause for getting up here and having balls?

As David has already introduced me, I'm Geoff Walton. I'm a senior security consultant at TrustedSec. One of the things I do like to do a little bit on the side when I get time is to actually write some tools and create some things. I've authored a tool called SHIPS that's pretty popular, and recently I wrote a tool called Pivoter. So that's kind of who I am. So Dave's going to talk a little more about the history of pen testing and stuff like that and what we do at TrustedSec.

So real quick, when we come up with acronyms for tools, it's kind of funny. SHIPS was actually going to be CHIPS, because one of our guys ate seven bags of chips one time in one sitting, so in his honor we named it that, but unfortunately we couldn't come up with a good acronym for CHIPS, so it ended up changing to SHIPS, which kind of sounds piratey. So it sounded pretty good. But Pivoter was one of those ones where, you know, it sounded kind of cool. And I think, what was your original name for it? Proxy something or other?

So this is kind of funny. Actually, Dave seems to have a habit. I come up with very boring, rather descriptive names for my tools that pretty much say what they actually do. I originally called this thing proxy kit, and like every other thing I write, Dave immediately renamed it, which is awesome because Dave's names are really better.

Sweet. All right. So we'll get into the talk here. Look a little bit about the history of how attackers kind of move, and kind of our challenges as pen testers in the past.
If you look at pen testing in general, right, you may hear a pen tester, a whole bunch of people, that's awesome. The first thing that we do as an attack is we go after an infrastructure. We try to find an exposure, whether that's social engineering or going after a specific attack on a web application or whatever it ends up being. We end up finding a flaw, we compromise that, and then we get access to one system, right? We get access to that one system, and that one system, if we have elevated rights, we have the ability to kind of move over into other systems, right? And from there we try to go after a couple other things and get a little bit more information here, a little more information here. It's like a puzzle, right? We kind of put together a little puzzle until we get access to the stuff that we want access to. And so if you look at that, you know, the whole lateral movement thing is a big, you know, talk right now. It's been difficult for us, I guess, in the industry, unless you're using something like pro versions. Like Metasploit Pro, for example, has a VPN functionality where, if you compromise, you can tunnel and pivot through a Meterpreter session, or, you know, like Cobalt Strike or those ones have the ability to tunnel if you have administrative rights, right? So all of these different things are concepts that we use every single day, and then attackers use every single day to go after specific targets and then from there move across the network.

So to kind of talk a little bit about that, we compromise one system, right? And there's like random Chuck Norris things throughout this whole presentation. There's no relevance to them whatsoever. But if you look at lateral movement in an organization, it's about compromising a system, getting information, whether that's credentials or, you know, clear-text credentials with Mimikatz or something, and then spreading across the network and going to other systems to get access to them. And so in that case, you know, we look at that and say, well, it's difficult in a lot of cases to escalate our permissions sometimes. Like, for example, let's just say you have a, you know, organization that doesn't run administrative rights, or you compromise, you know, a network service account, something that you have the ability to target, and you have access to a system, but maybe there's not enough information in that system to get you to another one to move laterally in the environment. So that's been experience of mine and Geoff's in almost every pen test that you run into, that you target an individual organization that has very limited permissions to actually go about that.

And so, you know, when we look at that, when we look at what we do as pen testers, it's really about thinking outside of the box, right? We have to come up with creative ways to navigate security restrictions or mechanisms that are in place to stop us from attacking different things. And in most cases, we do. We get crafty. Maybe we find that our one exploitation method that we got into wasn't successful, right? And then we go to another avenue that may have been successful. And then from there, we may go to other systems that may get us, you know, the types of information that we need. But it requires us to think outside the box. And unfortunately, today, the focus has really been around just getting domain admin rights, right? And I see someone taking a picture of that screen. I apologize. Don't Google clock and forget the L. But when you look at a lot of the types of attacks that we do, the types of methods we do, it's mostly around getting domain administrative rights, right? If we get DA, that's it. And that's kind of how we, you know, target our tests. But that's not really what we're seeing out there as far as attackers. Attackers want access to information. They want access to things that make us unique in organizations.

Like, for example, everybody's always worried about PII and credit card data. Well, that's great for like the retail space, right? But for manufacturing, that's less of a concern. I mean, customer information's always a concern. But manufacturing is focused more on, you know, how do we make the product, the chemical compounds, who are our suppliers and how much we pay for those types of products, and the vendors between those. So those are the intellectual property pieces that make that company unique as an organization. And we don't really target that as part of what we simulate as an attack. So we're kind of at a disadvantage, and we're not really simulating how attackers go after an organization to really try to attack those different types of areas. So for me, looking at this, we have to evolve to a different type of framework or a different type of way of attacking organizations. It's not to say that what we're doing is not right. It's just we need to think a little bit differently in our mindset going in. It's not about smashing and getting root and then, you know, using root to get access to another system, and from there we own them, and then we high-five each other, and then we give them a report of how awesome we owned them, right? It's more so about how do we go after an organization and figure out what makes them tick, what makes them unique, and how do we target them to go after them in a way that is beneficial, and how can we do that with the types of techniques that the attackers are using and what we can use in our own arsenal. That's where we'll talk a little bit here in just a second about Pivoter and the release of Pivoter and what that actually does.
So for me, if I'm a sophisticated attacker, right, I'm going to go after what makes a company unique. I'm going to go after what makes them, you know, unusual. And what's interesting today is that, you know, if you look at kind of the history of breaches, and you saw, and I hate to mention, you know, the specific breaches because we have all been hyped in the media, but it's a specific point. When Target happened, you had executives that were fired, right? If you look at the past, you know, maybe five breaches in the past year and a half, you notice they've all blamed them on sophisticated hackers, and it's like a crux of like, hey, you know, we got targeted by sophisticated hackers. Even though we've neglected security for the past 10 years, and we haven't, you know, funded security for the past 10 years, and we haven't given security any light of day, we still got targeted by sophisticated attacks, and now that's okay, right? And by the way, the sophisticated attacks are like four lines of bash. So does anybody know how to write a couple of lines of bash? You are all APTs. Congratulations. Sophisticated attacks are bullshit. It's all about everybody being targeted. We're all getting targeted. It's a matter of if we've got targeted or not, and how often your security program is up to date and refreshed as an organization. And so if you look at that, we now have an excuse in security to say, well, if I'm ever targeted by an attacker that I might attribute to North Korea, I might attribute to China, I might attribute to Russia, it's just a sophisticated attack, so it's okay. It's not okay. And we need to be building defenses against those. And I'll talk a little bit about what a targeted attack looks like in some of the areas that we struggle with sometimes when we're doing our pen test.

So this one was a fun one. You know, we get to go on red team engagements. You know, you have the traditional pen testing, like, hey, we want an internal, external pen test, hey, this is for PCI, or hey, this is for whatever. But every once in a while you get a customer that's like, hey, I want you to do like a full-scope red team engagement, right? And there's different maturity levels of that. Like, customers that really want a red team a lot of times are like, well, I want you to do a red team engagement, but like literally you have to do it between like 3 and 4 p.m. on Tuesday and you can't break into anything and you can only talk to one person. And so, you know, in cases like that it's not really a red team, right? But in this case, this customer is actually pretty awesome and wanted us to do an attack against them, simulating a red team, and any method was available. Like whatever you wanted to do, aside from like breaking windows and punching people in the face, right? You couldn't do that apparently. We asked. If we get busted, can we punch people in the face and run away? No. Okay, cool. We don't really punch people in the face. We're not going to get anything from them.

But the whole purpose was this. They spent a lot of time on R&D and protecting research, development and property for the future products. Why that's important: manufacturing companies, the sustainability of them really depends on their products and how they can refresh their products and get to market with those products. If someone gets a hold of them well ahead of them releasing, it's very disastrous, especially if it's other countries competing against them or other different types of competitors. So the R&D piece where they do the research on the next type, you'll use the word, next-generation type of product line, right? A lot of times that's the most important piece of the sustainability long-term of an organization, whether or not they can still compete. I came from a company that really had a tough time diversifying themselves in the market that they're in and had a tough time in the next product lines, and still suffering because they couldn't keep up with what they were trying to do. So in this case the customer wanted to target it and actually go after them in a way that actually compromised them in any way I wanted to.

So the first thing I'm like, well, I'll go after phishing, right? Because that's the easiest. Phishing is always great. And so with phishing, you know, obviously creating a scenario or something that's believable is one of the most important pieces. So creating a fantasy. What I started to do first is like looking at what I could do to compromise them. So I started looking at their outside and I found a file upload vulnerability that allowed me to pop a web shell. Have you ever been in a web shell before under IIS, like the IUSR account? Very limited, right? You don't have squat to do anything with Network Service. Like you can't escalate permissions. You can't grab Kerberos tokens in a lot of cases. You're really restricted to usually like the directory, or whatever the directory is running in. Sometimes you can find like a web.config file. Sometimes you can find sensitive data that you can use to maybe tunnel and piggyback to a SQL server or something like that. But in a lot of cases, you're pigeonholed in that environment, that you can't move in different directions. So I was kind of at a dead end at this point. We hadn't made Pivoter yet. So that would have been really nice, by the way, Geoff. Thank you. So anyways, I had to do a little hard work here.
using that website and creating a sub-website of that website to be like a survey, you know, the password field and stuff like that in there. And then we started thinking, well, if I go and I can create a website that's on the customer's domain and I can send e-mails to a customer with that domain in there, it's probably pretty
legit. And so what we ended up doing is we sent it out to a couple of folks and we ended up compromising someone in the sales organization, which salespeople are like phenomenal. They're great. You can have salespeople do anything you want to. Especially if you're going to give them money, that's the best. They'll be like, hey, can you disable your antivirus so you can open up this Excel macro document that says virus.xls. And sure, no problem. Okay, cool. Am I still going to get the
sale? Yeah, cool. Okay. We used that and compromised them and got access to the OWA. I don't understand companies still. I would say predominantly 90% of the customers that we run into, VPN is two factor and OWA is not. So like you have access to full OWA access but you don't have access to VPN. OWA is like for a hacker is like the best
piece that could ever happen because you already have established lines of communication and trust. So if you have trust already and you already have communications where someone is already talking and sending e-mails back and forth, it's really easy to send them something and you click that and you click it and they're compromised. So a lot of times it's very easy to attack somebody through OWA
as a mechanism for those. And what's funny about two factor, for example, have you ever heard of phone factor? It's a two factor authentication solution. There's also a couple other ones too. Has anybody got the ones where it will actually call you and ask you if you're logging in or it will give you a push notification if you want to allow it to log you in or not? Do you know how bad that is from a security perspective? How many times have I done that? How many times have I done that? How many times have I done a pen test? The past 7 to 10
pen tests that have that type of functionality where it actually calls you or will say are you logging in right now, allow or deny? How many times they just hit allow because they think they're logging in somewhere? Like literally you just, I ran into a pen test one time, broke in, logged in with my username and password and it's like please wait while we call you and I'm like oh crap. And I'm like uh-oh, I'm busted. There goes my whole fish. There's two days worth of
work and all this other stuff. And all of a sudden you log in and you're sitting there and you're waiting at the screen so you're like okay, I'm screwed. I'm going to start building a new pre-text and all of a sudden you log in and you're like that was weird. So whenever you give the users the ability to error, what will they do? They will error, right? Unless you teach them, right? But
in most cases like two factor authentication if it's not implemented properly is also a problem. So just saying from a caveat. But anyways they didn't have two factor OBS so it didn't make a difference. So what was interesting is if you're familiar with a tool that I wrote called Unicorn, it does PowerShell injection and it does native x86 shell code injection through PowerShell and then it injects into memory and then it gives you a shell through
there, right? So the last version of Unicorn, you can get it from our GitHub site. It's literally just run this command and it gives you a one liner PowerShell command that you can push on any system that you have remote command execution on and it just gives you a shell. It's like magic. That's why it's called magic unicorn. It has ASCII art that has red unicorn. It's pretty awesome. But anyways, so
with Unicorn there's also another attack that has Excel injection for macros. And what's great about macros is they're kind of like the thing in the past because you'd always put like VBS scripts or binaries and things like that in there and those would usually get flagged. But in this case with a lot of the macros you can just do straight PowerShell injection, never touches disk. What's
great about PowerShell too is that it's usually a whitelisted application so things like Bit9, things like that aren't going to pick it up. So you have the ability to get remote code execution on a system that has application whitelisting that has next generation stuff because it's all in there. But in this case what we found out is that they're using a sandbox technology. So they had some sort of virtualization technology.
Does everybody know how virtualization technology works? So something comes in via an e-mail, whether it's incoming or a web gateway, and if it doesn't look right or it's a certain type of file pattern, it will actually virtualize it in a sandbox and then it will look to see all of the registry calls, if it's doing a C2 communications, anything like that. In this case they had something like that in place so when I sent the macro, I got the initial stage but then
just stopped and it wasn't coming from the initial host that it was coming from so I'm like uh-oh, they're using some sort of virtualization technology. I'm not going to say which one it was but they all pretty much suck. But anyways, so we ended up writing some bypass sandbox technology and it's extremely complex. It took us multiple months of exploit research and development to get
around it but we're going to be releasing it today which is awesome. Just kidding, it wasn't hard at all. It's like three lines of Python code. It took about 14 minutes. Most virtualization technology the way that it works is that they virtualize in a very predictable sandbox environment. So if you can detect that you're in a sandbox environment all you need to do is say if I'm in
something that is this pattern then don't do anything, right? In this case this specific sandbox technology which actually works for like two of the main three I think, if they're using less than one CPU or less than two CPU cores so they use one CPU core. Does anybody here have a computer that has one CPU core? Sir, I'd like to talk to you probably couldn't hack you. I can't see
you that far. Oh, no. Is this ice? No, don't tell me it's ice. Not ice. It's not ice. Thank God. I thought it was ice for a second there. You got to do it. Deep Kentucky. I got to do
it? I got to do it. All right. That was easy. I thought it was going to be a warm ice. That would have been terrible. So in most cases they're using less than one CPU core or less than two CPU cores. What you say
is if I'm using in this environment then don't do anything. If I'm running in one CPU core then just shut itself down and quit. Oh, it's all good. It's cool. Then it passes it off to the end user. I just built that into PowerShell. When it actually executed it checked to see if it was in a specific CPU core and shut itself down. It got
past the virtualization technology which is great. About 14 minutes. So stupid. God. Anyways. So we end up compromising one of the boxes, one of the people. I spent probably a good 20 minutes going through a lot of those boxes. I ended up compromising this one. It took time. I already had an established communication path into the environment. I had a shell which
is great. The customer did a great job at network segmentation. We spent a long time trying to get to the R&D information which was difficult to do. I couldn't find a way to get access to it. I did find the physical access system that allows you to print badges. We ended up finding the Internet site. Step 1, do this. Step 2, do this. Step 3, do this. Step 4.
Did all of that. Created a badge and walked up to the front desk. This is live footage on the right. Walked into the building. Picked up a badge and walked into the facility. I dressed the part. You go to this company and it's like a suit and tie type thing. I wore a suit and everything. I walk in and I go to this R&D
conference. Big area with smoke glass windows. Spent a lot of time and money on this. I badge in and hit a pin to walk into the place. I walk in and it's one of those moments where you're like I walked into the wrong place. You have all these people in jeans and T-shirts and here I am in a suit. I walk into this R&D thing and they're having this massive meeting of 50 people
and everybody stops talking and looks at me. Do I walk in and back out and pretend wrong room guys. Sorry. One of those things. I walk in. I walk around the side and start talking. The worst thing happened. I wasn't paying attention. I was nervous because people were looking at me like who's
this dude in the suit. I fall over a trash can. A metal trash can. Mustard everywhere all over my suit. People were picking me up off the ground. Sprained my ankle. It was terrible. One of those things you never want to happen in real life. That was really me that did that. They're picking me off the ground.
Are you okay? I was able to plant this device in. I'm going to be open sourcing this next week. It's called the implant device, a tap device. I've been working on it for about a year. If you're doing physicals or you have a place to drop something, if you use an Intel
NUC, you can put an LTE card in it. Usually I put 128 gigs of solid state memory in it. I put 8 gigs of RAM. What tap does is it's software that basically uses the LTE network to do a reverse SSH instance out of the network and tries to find different ways out. You use
the LTE network first and then it uses the regular network second. Jeff wrote some software that we'll be releasing that does a full transparent reverse SSH VPN into the environment. You can create a tap interface through an SSH tunnel and then you have a full VPN tunnel into it. If anybody has ever used SSH tunnel, it's more stable.
If you've ever tried to do a port scan, it doesn't work. This is a full tap interface that you can VPN into the environment through an SSH machine itself. It doesn't need to be a tap device to implant. If you compromise a Linux box, you deploy a tap, it'll find a port out, it'll establish that reverse SSH connection and then
you SSH VPN into that environment itself. What's nice about it is it's self-healing. If there's an issue with the operating system or an issue with the tunnel, it automatically reconstructs and rebuilds it. Make sure the health of the operating system there keeps all of your tools up to date. If you want to keep all of your tools local on itself, it'll use the reverse SSH tunnel out of the network to update the tools for you. You don't have to worry
about outbound filters on the network itself for tools and updates. I'll go ahead and release that this coming week here shortly. That's a new tool that you should see in the GitHub repos on TrustedSec this week. On that, I could have skipped all of these steps, tripping over the trash can, the
mustard, if Jeff had written Pivoter earlier. We can blame Jeff for this one and me having a sprained ankle. Still I think it's bothered me a little bit. It flared up yesterday. We'll introduce Pivoter. It all started around this time last year when Dave was talking to me about some of
these engagements he'd been on and some of the trials he had. Specifically, is there anything like SSH for Windows that wouldn't need privileges so we could port forward. I thought about it a little bit. I said yeah, that seems doable. What you're describing is a SOCKS proxy but a reverse proxy. We could implement that. Of course
I didn't get around to doing it until I started doing my own external pen test engagements and needed it myself and suddenly it was a lot more important to me. Yeah, like Dave said. What I've been finding on a lot of pen tests is that mostly bigger companies now
have a security team. They're doing good things. They've got platform baseline security configurations in place. It's not like 1990 anymore where you installed all of the SQL server management tools on every web server and stuff like that so you could count an enterprise manager being there once you got on a box. What I tend to find is I'll get on a fully
patched Server 2008 R2 box with nothing but the minimal support libraries for whatever web application they're running. Typically though that web application is still their five or seven-year-old ASP app that they wrote in house and usually I can take advantage of that. Certainly as I mentioned there are tools on the Linux
Unix side like SSH, dynamic port forwarding that can do this and certainly as Dave mentioned in Metasploit Pro, you've got the VPN functionality. That's not available to everybody so I wanted to get something out there that others could use and also I find there's a lot of times when I don't
necessarily want to use Metasploit for one reason or another. So I kind of came up with some basic objectives. I wanted to have something that would be a relatively small payload. As long as I'm dropping on a server that's got the Visual C runtime installed I can get it down currently to about 13K today. It's a little bigger, it's about 70K, if I have to put
a statically linked binary out there. I do believe that we can get that a little bit smaller as we work on it some more. I definitely wanted something that didn't need any elevated privileges because it tended to be the case that I'd end up as IIS user or maybe I'm a local user on the machine. I usually don't have any good escalation path. I may
not even have a good shell. I might be working with some lousy web shell or something like that that's not very interactive. And finally I wanted to make sure I could support simultaneous connections and stuff so that I would be happy to share a few slides here that show how you use the tool.
First thing is I went with environment variables to set things up. If you've ever used something like tsocks you know that it basically acts as a library wrapper around whatever command line tool or whatever application you want to execute. Of course those tools aren't designed to take some of these inputs. Dave, I don't think we
have the picture. That's all right. So anyway a lot of times those tools don't have any ability to take the input information that I needed so I thought the easiest way would be to go ahead and communicate with environment variables. I went ahead and also the other piece to this that we'll introduce in a minute the connection broker uses those same environment variables
just so that setup is a little bit easier. The next step of course is actually to start that broker. And what that broker does is it will be listening for the incoming connections from both the service proxy component that you drop and any application that you run when it makes connections outbound. The next step is somehow on our victim we need to go ahead and
start the service proxy. Again it doesn't need any special permissions. It's not doing anything like trying to bind low ports. It doesn't need to usually have any firewall rules open because we're going to go out on something that we know is going to be open like 80 and all the connections are going to be outbound so we're not listening. And finally our last
step is we go ahead and start our application. Anybody who's used Linux is probably somewhat familiar with using LD_PRELOAD. What that does is basically it says load this library first so when the dynamic linker comes along and gets a call to a function like connect that would normally be in the sockets library it comes across mine
first and runs that which does a few things, mainly re-steers the traffic over to the broker and basically performs the connection and side effects that connect would normally perform within the program. So if you've ever seen a SOCKS proxy before, maybe you've used SocksCap or something like that
on Windows or tsocks on Linux, usually there's two pieces: there's a SOCKS proxy out there someplace and then you have your socksification wrapper. Basically I cut a third piece out and moved the connection broker away from the proxy server itself so that it can do all the listening locally on your
machine and we can have a single connection back from the proxy server to that connection broker which will allow us to connect into that single socket so we don't see multiple firewall events and stuff that would typically give us away if we were opening a lot of separate connections out. So
once we have the proxy connected up our library wrapper will read the environment and make sure those connect events, gethostbyname and a few other things like that actually go over to our broker. Our broker essentially listens to those messages, accepts those proxy connections and then
creates a simple message that it can send down its existing socket over to the proxy and finally it uses a fairly simple protocol to do that it's basically a fixed size protocol which I'll show you on the next page here. You'll see actually I've got oh boy we're losing the image again anyway typically in a socks proxy what
we had in the past was one connection to the proxy server meant one connection to the remote host. Obviously that wasn't going to work in this case so I had to come up with some other method of letting the proxy server keep order as far as where replies needed to go and things like that so I decided that basically process ID
and the file descriptor within that process should be unique enough and in addition to that we have a simple command and it's just an integer type value that's enumerated and usually those are something like connect, close, gethostbyname. So as I was implementing it I did run
into a few surprises. Even though we know Winsock basically evolved from BSD sockets, the status codes and return values were different so I discovered I had to do a little bit of mapping on the Windows side before I fed those values right back to the Linux programs I was running. As I was debugging and trying to figure all this out at first it led to
some interesting chaos that I think exercised some code paths in some things like netcat that never were intended to be hit, mainly because things would happen like you'd get a valid file descriptor for a connected socket but yet you'd be getting some return code that meant some sort of failure and
I really didn't need to implement too many functions because it was a relatively thin wrapper around the connect call most of the time or around the gethostbyname or getaddrinfo type functions and those actually then just performed the connect to the broker piece otherwise in the
usual way so I didn't have to reimplement the actual socket function or anything like that I didn't have to necessarily get into all the flow control and pieces that would have been more complicated. Just a few other things before I launch into our demo here. I did look around for some code on the internet before
I wrote anything of course because you never want to reinvent the wheel and most people are better programmers than I am even though I did it for a number of years. What I found typically with most of the open source SOCKS proxies out there was they were implemented again with that idea of one connection in would be one connection out kind of at their very core so they didn't have a lot of internal housekeeping
that I could leverage when I was going to have to route things back based on file descriptor and PID number and things of that nature or come up with some other strategy so I couldn't use a lot of that code or at least couldn't use it easily so I decided to go ahead and write my own thing which is maybe good and bad. I
don't know. Of course I made decisions along the way that every C programmer is familiar with. I decided of course to use linked lists so I could keep the traffic flowing in basically always ready to read on the wire and also as far as connected sockets on the outside to remote hosts, sorted in p-tree form. In retrospect I
thought that it would have been a much simpler data structure and probably would have led to a simpler implementation although ultimately it does seem like the binary tree and stuff performs pretty well so I decided to continue to live with that for a while. We'll see how things evolve. I did go ahead and decide to video the demo for
you guys today mainly because I'm a terrible typist and you don't really want to sit here while I make a bunch of typographical errors and things like that. So we're going to do a little bit of pretending. I've got a vulnerable web application here. You may be familiar with this. It's a software testing tool from a little while ago. It's running on a public 172 IP. There's some other stuff on this DMZ that
we're going to get to that's on another 172 space that my attacking PCs can't see directly. First thing I'm doing here is taking advantage of this testing tool a little bit. I'm essentially setting up a test that's going to call PowerShell and rig up a file drop. It will make the request back to an Apache server I have running. So it's run or it's
continuing to run here. And we're going to see in a second that I actually get an error back from PowerShell. That will be important later. It tells me that some extra stuff is being tacked on the end of the command line. You'll see me use something that happens as I go over. I'm going to look at my Apache
log. I know my file drop was partially successful. The request happened and hopefully it got written to the disk. So the next thing we need to do is start getting stuff set up on our attacking box. You'll see me
actually go ahead twice here and set up the environment in two different tabs. Certainly I can set up the environment once and background the broker. In this case I'm going to set up flags enabled and probably run my library without them. Main reason not to run the library with them is it does introduce a lot of extra stuff on standard
error that sometimes kind of confuses the output of whatever tool I'm using. Makes it difficult to work with. It's there so you can debug what's going on if something is not working the way you think it should. However you do get a lot of good debug output from the broker itself that usually lets me know what's going on. I'll typically run the broker in a separate tab. It is possible to
do this tool with some shell injection via PowerShell reflective DLL injection loading and stuff like that. In this case I went with a simple file drop just for the sake of the demo. It's a lot easier to do that obviously. Most of the time it works. Typically in terms of
error. So not too many issues there. So we're getting ready here with the rest of the environment variables. And I hope that's big enough that people can see it. I don't know. We can do full screen. I
got it. I may have deleted the videos. I hope you didn't delete the videos. Nope. Right here. Excellent. Which one is it to? I think we were on two. I guess we'll know in a minute. Is that a little better?
I'm going to start interpretive dances. You'll notice I don't know if we mentioned this before. I'm going ahead and stopping Apache. I'm going to instruct my proxy to come back out on port 80. Why? Because I already know it's open so I don't need to fool with any more guessing whether the firewall is going to let me out. At this point we're
ready to start the broker. We will get the second tab going. Once I get this environment set up, I'm going to pivot to a network that's surprisingly interesting to pivot to that I didn't imagine would be so interesting at first. The 127 network. Turns out a lot of
people tend to write firewall rules that trust localhost a lot. Certainly when you open a new socket, usually the source IP address will take the adapter that that network is native on. So traffic will look like it's coming from localhost and it will end up going to localhost once we do this. So now the next step
here I think and I guess we got to go to the next video, Dave. Can you do that for me? Thank you. Computers are hard. Computers are hard. I'm going to use the same injection technique to invoke my proxy.
Basically I'm setting up another test here. By all these commands we have at the end of this, we have a blog post we did and all the source and all that good stuff. We have all the commands on our website that we put a blog post on. Once again I just did a really simple PowerShell wrapper
there just to swallow the extra stuff that's going to come on the end of it so it doesn't confuse my application. I do have something in the tool box that we'll talk about later that can substitute some IP addresses into the binary without having to recompile it just to simplify things a little bit. I think we're into the next video here, Dave. So now
I'm using LD_PRELOAD. I'm going to go ahead and use our desktop. I'm going to hit the box on localhost. Again reason for that, essentially now even though I'm sure the firewall isn't going to let 3389 in,
now I'm going through my tunnel and coming from localhost as far as that box is concerned. Even if they are running a local software firewall on that box, I'm going to likely be able to do that and I have PowerShell, not PowerShell, remote desktop. The other reason I wanted to run remote desktop for you guys is just to show you that we can
support more than just text mode protocols and actually feed a fair amount of data through this thing at a reasonable rate. So this is just me playing around. I'm guessing that maybe the application or the password that worked on that web application will also work on the desktop. It doesn't look like I'm being real successful. Just showing you again that I don't need to necessarily get
any additional access to that box. We're going to be able to continue this attack on other network hosts behind it. So at
play the wrong video, but that's fine. We'll go with it. This is just an example of scanning with netcat. I can't scan with nmap directly. nmap wants to use raw sockets and things like that which are a little hard to work with
unfortunately and we wouldn't be able to implement on the Windows side without some privileges. So you'll see what I did here is I'm just using the -v and -z switches on netcat and scanning for 445. Pretty good way to find Windows hosts. I would like to point out the proxy of course can handle multithreading in terms of making outbound connections
on the remote side. So if you want to speed up your scan instead of linearly stepping through every IP address, you could certainly run multiple netcat scans in parallel. Just break up that /24 you want to pull wide at a time is what I usually do. I'm going to continue to let you drive, Dave, rather than try to figure
out how to use your track pad settings. So I did find a box. We were testing a web application here so chances are there's a database somewhere. I'm just going to go ahead and see if MySQL is going to work. So you can see me editing my command there. Again, you know,
in an actual attack scenario without having compromised that box, I'd have to put a lot more footprint on it. I'd have to be dropping down tools to interact with that database. Any other tools I wanted to use, any kind of DNS recon I wanted to do, things of that nature because those utilities probably aren't on that box for me. So what Pivoter is really allowing
me to do here for the first time is go ahead and use tools that I natively have installed on those other machines on that DMZ that are behind that victim box. Turns out apparently that this database won't actually talk to me, which is interesting. I guess we'll go to the next video. So there's a little
situation with DNS that doesn't always work the way we would have hoped to. To that end I wrote another tool that just helps me do some additional DNS recon while I'm using Pivoter. And you can see since we still have that one host that I know about, I'm going to do some
things that typically work on a pen test. Typically a company of any size. There's always an intranet. So I'm going to look for that address. And sure enough I got back that same address I had before, which probably tells me that maybe that database there is actually to support another web app or something like that. And finally I went ahead and looked up an outside
address. That's another thing I always do. Here to show you that I can get back all the addresses with this tool. But certainly if we see different DNS resolution inside versus outside, we know some things about how their network is set up as well. Again just to point out what's going on with the DNS here is I'm actually performing
those DNS resolutions by the proxy. So DNS is happening from the perspective of the victim box, not my local Kali box here. So I can see their internal DNS space. The other thing I decided to do with DNS resolution is I went ahead and even if you use the
getaddrinfo family of functions on the Linux side, they map back to the old gethostbyname function on the Windows side. The reason for that is that falls back to WINS. I actually end up getting WINS information as well even when there's no DNS response. Anyway
more to come. Certainly there's a lot more work to do. There are some limitations with the tools. I talked about DNS a little bit. I think we're a few slides back. Some work around DNS recon. I know you can't read it so we won't dwell on the slide. It's a really
simple DNS resolver. All it does is call getaddrinfo and look it up. It's not in the demo. You actually just wrap it with the library the way you would anything else. We talked quickly about how to speed up some of that scanning with netcat. And
yes, there's definitely more work to do. We certainly want to wrap some more SOCKS calls. It would be nice to maybe do some integration just to make things easy. I'd say overall the tool's at that point where we had that lump of enriched uranium on top of the tower in the desert with a bunch of explosives around it. We can make it go boom. It's not
fully weaponized yet. I'm still altering it and doing a custom compile all the time. It does work and let us continue on. I guess I'll hand it back to Dave here. I've been working on the SET integration. The new version of SET 57 should be out in the next week or so.
When you're going into Meterpreter and doing your payloads it will automatically run on top of it so you can still do your pen testing work inside of msfconsole and most of your tools you typically use on a pen test as part of it. Additionally I don't know if anybody has had a chance to see the PenTesters Framework. This is a
tool that I released about two weeks ago. And the biggest issue that you have with most pen test distributions. We all love Kali and Kali is near and dear to our heart. We also roll our own in a lot of cases. We roll our own tools and pen testing distributions. The
biggest thing I found as being a tester all the time is making sure I had all the latest and greatest tools out there. I released the PenTesters Framework two weeks ago which is a modular framework around keeping all of your tools up to date. And right now there's over 46 modules that have been written for tools. What it does is simple use. You git clone it from GitHub.
I like it in my armpit. It's good in my armpit. Git clone it from GitHub. It will grab the latest distribution for it. Every
time you run it it will automatically update itself. Whenever there's a new module added it will automatically go into there. For example, just to show how easy it is. I don't know if you saw the Empire tool. Really great talk. Within about an hour someone had written a module for that and pushed it to the PTF framework.
Same thing with this. I just pushed while Jeff was talking and pushed the GitHub repo for Pivoter. The module has been added as well. Show you how easy it is. Just run PTF. It checks for internet connection first. Tries to update itself. If it's running latest and greatest it's all set. Any tool has to have ASCII art.
Metasploit syntax. Go ahead and show modules. You can see here all the different tools that are available. It's broken up. You can see aircrack, Commix, sqlmap, all of those are there. If you want to install it hit use modules. I'll do exploitation
SET. Hit run. It automatically installs the tool for you. If you want to keep it up to date it'll automatically detect it's been installed and update it for you. Let's say you want to do all tools. There's an option here that will hit
modules/install_update_all. You have a common distribution point for all your tools. I missed the /pentest directory. I structured everything around the /pentest directory. It's broken into the penetration testing methodologies.
Those are all structured in that type of framework. I've also added Pivoter. You can search for Pivoter. Go and use this module.
Run it. Internet's slow. It's hard. It's done. You have Pivoter. Easy to go. A really easy framework. The way that you add a module real quick is if you go into modules
I've created a whole framework around building modules that doesn't require any type of coding background. You can create a module in three minutes. Let's go to exploitation and the description of the module. The description will be the Social-Engineer Toolkit.
It supports git, SVN and file. If it's a zip file you need to pull it will grab it and extract it. The repository location needs to go to pull it. Any Debian dependencies. Right now I have Debian as the main support but I'm working on Red Hat as well.
After commands are things that might occur after you've installed something. After commands will sequence through all the commands. A complex one is Metasploit. It does all of the installation procedures for you
to install Metasploit for you automatically after it's done getting everything out and installs all the dependencies. It's efficient. If you're doing the update install the modules real time and do everything in a threaded shell. It will install it for you automatically.
You can go to github.com. It has the latest code base into it. It links to a blog that walks you through how to set it up. What you need to do to route your traffic through the
exploitation. Hopefully it's going to be an evolution. One of the things Jeff is doing is updating it as it goes along. If you go to github.com all the code is there.
Hopefully you get some sleep in the next three weeks.
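The broker design Geoff walks through earlier (one multiplexed socket, a fixed-size header with a small enumerated command, and the wrapped program's PID plus file descriptor as the stream key) is illustrated below as an added example; this is not Pivoter's own code or wire format. The header layout, the command numbers, the DATA/ERROR commands and the sample wire bytes are all constructed assumptions for the illustration.

```python
"""Added illustration of the broker-side framing described in the talk: one
socket carries every stream, each message is a fixed-size header plus payload,
and (pid, fd) of the wrapped program identifies the stream. The header layout,
command numbers and the DATA/ERROR commands are assumptions for this example,
not Pivoter's real wire format."""
import struct
from enum import IntEnum


class Command(IntEnum):
    CONNECT = 1        # payload: "host:port" that the wrapped program asked for
    CLOSE = 2          # no payload; stream is torn down
    GETHOSTBYNAME = 3  # payload: hostname to resolve from the far side
    DATA = 4           # payload: bytes belonging to an established stream (assumed)
    ERROR = 5          # payload: textual reason; stream is torn down (assumed)


# Fixed-size 16-byte header: command, pid, fd, payload length (network byte order).
HEADER = struct.Struct("!IIII")


def encode(cmd, pid, fd, payload=b""):
    """Frame one message for the single multiplexed socket."""
    if len(payload) > 0xFFFFFFFF:
        raise ValueError("payload too large for the header length field")
    return HEADER.pack(int(cmd), pid, fd, len(payload)) + payload


def decode_stream(buf):
    """Pull every complete message out of buf; return (messages, leftover).

    The caller keeps the leftover until more bytes arrive, so a message split
    across two reads is reassembled instead of being mis-parsed.
    """
    msgs = []
    while len(buf) >= HEADER.size:
        cmd, pid, fd, length = HEADER.unpack_from(buf)
        if len(buf) < HEADER.size + length:
            break                                   # wait for the rest
        body = bytes(buf[HEADER.size:HEADER.size + length])
        msgs.append((Command(cmd), pid, fd, body))
        buf = buf[HEADER.size + length:]
    return msgs, bytes(buf)


class StreamTable:
    """What the broker keeps per stream so replies reach the right caller."""

    def __init__(self):
        self.streams = {}   # (pid, fd) -> {"target": (host, port), "inbound": [bytes]}
        self.lookups = []   # ((pid, fd), hostname) name-resolution requests
        self.dropped = 0    # messages for an unknown (pid, fd), e.g. after CLOSE

    def handle(self, msg):
        cmd, pid, fd, payload = msg
        key = (pid, fd)
        if cmd == Command.CONNECT:
            host, port = payload.decode("ascii").rsplit(":", 1)
            self.streams[key] = {"target": (host, int(port)), "inbound": []}
        elif cmd == Command.GETHOSTBYNAME:
            self.lookups.append((key, payload.decode("ascii")))
        elif key not in self.streams:
            self.dropped += 1               # stale or unknown key: ignore, never crash
        elif cmd == Command.DATA:
            self.streams[key]["inbound"].append(payload)
        elif cmd in (Command.CLOSE, Command.ERROR):
            del self.streams[key]
        return key


def demo(chunk=7):
    """Replay a constructed, interleaved wire stream in small reads.

    Two wrapped programs (pid 4242 fd 5, pid 4300 fd 7) share one socket; one
    DATA message arrives after its CLOSE and must be discarded.
    """
    wire = b"".join([
        encode(Command.CONNECT, 4242, 5, b"127.0.0.1:3389"),
        encode(Command.CONNECT, 4300, 7, b"10.0.0.5:445"),      # constructed target
        encode(Command.GETHOSTBYNAME, 4242, 6, b"intranet"),
        encode(Command.DATA, 4242, 5, b"rdp-bytes"),
        encode(Command.DATA, 4300, 7, b"smb-bytes"),
        encode(Command.CLOSE, 4300, 7),
        encode(Command.DATA, 4300, 7, b"late"),                 # arrives after CLOSE
        encode(Command.DATA, 4242, 5, b"more"),
    ])
    table = StreamTable()
    pending = b""
    for i in range(0, len(wire), chunk):
        pending += wire[i:i + chunk]                # simulate short TCP reads
        msgs, pending = decode_stream(pending)
        for m in msgs:
            table.handle(m)
    return table, pending


if __name__ == "__main__":
    t, left = demo()
    print("open streams:", t.streams)
    print("lookups:", t.lookups, "dropped:", t.dropped, "leftover bytes:", len(left))
```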