Singing the Blues:
Taking Down an Insider Threat
"I had all of the advantages. I was already inside the network. No one suspected me. But they found my hack, kicked me off the network... and physically hunted me down."
This pentest started from the inside. My client wanted to assume they had already been breached and, if breached, see how far an attacker could go.
Could they stop me once I was inside?
The only person who knew who I really was was their CISO. Everyone else thought I was Jeremy in Marketing.
But I had to act quickly. I only had a week onsite. I had to hack their network while not raising suspicion.
So I set about it.
Narrator: "But this time was different. This time, Tinker was in for a surprise."
I would use my work computer for research, for seeing how other workstations were configured, but I wouldn't use it to launch attacks from directly. I didn't want things to get back to me.
I plugged it into the network and got an IP address. Their Network Access Control (NAC) wasn't fully set up across their environment. Everyone at a cube was trusted.
Captured packets and analyzed them with Wireshark, then changed my rogue computer's MAC and hostname to blend into their environment and look like their standard equipment.
Poisoned the local subnet with Responder to trap hashes and crack passwords.
I started cracking these with my 8 GPU cracking rig, but...
I can go through an 8 character password, all combinations upper/lower/number/symbol, in a short amount of time (NetNTLMv2).
Most normal passwords (single word, capital first letter, ending with a number or symbol), I crack instantly.
But not here.
I navigated through the company's intranet and found their Security Requirements.
They were moving from passwords to pass phrases...
I changed my cracking rulesets to use a dictionary with longer words, capitalized the first letter, ended with num/symbol.
And got a few!
I immediately try to log in remotely to the user's workstation with their own password...
And am blocked.
What the...? This always works...
Password is correct. But access is denied.
I spent some time hunting the Domain Controller. The VoIP phones served up a web page config file and gave the DC's address.
I pulled Group Policy Preference, accessed AD through LDAP, looked through their group rights/privs.
I hadn't cracked any of those passwords.
They had implemented a Least Access Model...
Who does that?
I'll log into their email!
So I do. I search for "password" in their emails, in their Skype Conversations, check their Outlook Notes section and Drafts.
I find a lot of personal passwords: Bank, PTA, Amazon...
I *did* find a recent email sent out by Corporate Information Security stating that email was going to implement MultiFactor Authentication in a week's time.
Well then... got lucky, didn't I?
Every internal app, in one tidy space. A hacker's dream!
I click on one of the applications. It requires MultiFactor Authentication. So did the next one. And the next!
What sort of locked down prison is this?! A hacker's nightmare!
It's behind MFA, but fine. I'll deal with that.
Citrix will get me remote access to an internal server. I need to hop onto an internal box. Get away from my rogue device and actually start pivoting.
I click on it. It asks me to enter a 6 digit pin.
I bring up the email account (that didn't require MFA) and search for "5309". I find a signature of the user with their full phone number.
I call the phone number.
"Good afternoon, Pam. I'm Josh from IT. We're about to migrate your Citrix instance to a new server. I'm going to send you a 6 digit number. I'll need you to read that off to me. As a reminder, IT will never ask for your password."
I already had her password.
I clicked on the "Click for MFA token" button and stated, "Alright, I've sent you the number. You should get a text. Please read it to me."
She said, "Umm, alright. Got it. It's 9-0-5-2-1-2."
"Thanks! Please stay off Citrix for about two hours!"
And I log in.
Fuck you, MultiFactor Authentication!
Once in, I see... nothing. NOTHING!
This user didn't need Citrix, so her Citrix linked to NOTHING.
I had hacked into a broom closet.
I can maybe crack a long password, but only if I get lucky and capture the right hash. Even with a cracked password of a tiny group of people, I have to bypass MFA. Each attempt, especially with a secured group, runs the risk of detection.
I'm getting desperate.
Fuck it. I'm going to break into the IT shack. I'm going to steal laptops.
Tell my new coworkers that I'm going to finish the Annual Security Training for my onboarding.
They nod. Everyone leaves.
The cleaning crew comes through. And leaves.
I head to the IT/Helpdesk room. Find the door.
I look around and then go for it.
I had already tried various things to my own employee laptop, but I was not local admin and the disk was fully encrypted.
My goal was to find an old unencrypted laptop that had a common local admin hash on it.
I opened my mouth slightly and tilted my head to hear if anyone was coming from around the corner.
Nothing. I was clear to proceed.
Well there's a bit of good luck.
But someone left it pried open that night.
I cracked the door & peered in expecting to see someone inside.
Fuck it. Seize the day. I opened the door & entered.
Only about 1% involves math...
I saw stacks of laptops in a corner. Various ages, makes, and models.
I weighed the risks of staying and getting caught in the IT shack, or having a pile of laptops at my desk.
I chose my desk.
Once I have a solid pile, I methodically try to boot each one from USB. Hoping to find a single laptop that doesn't have Full Disk Encryption.
I stick the USB in one, boot it up, try to mount the hard drive.
And get more and more frustrated as each one has FDE enabled.
Finally, after 30 laptops, I find three that are half ripped apart with clear hard drives.
I find a nonstandard local admin account called "ladm" on those three machines. Each hash is the same.
Oh thank Eris... They aren't using LAPS. They're sharing the local admin across boxes.
Improper disposal of information assets. Gotta love it.
I used the creds to log into my own work laptop, and it worked!
It bypassed Full Disk Encryption! A master key!
Ok.. okay! I can use this!
I didn't have permissions to view the user area of the hard drive.
What? They limited access EVEN TO LOCAL ADMINS!?! Damn.
Finally I ran a check for Unquoted Service Path vulnerabilities and found some! But the output said that my local admin user did not have permissions to write to the needed folders. Come on!
This was yet another dead end. Another series of hard fought, successful hacks, only to end with no access.
I had to get home. Get some sleep. Start again the next day.
Small things here and there. Nothing worthwhile.
I call a colleague. A fellow member of the @Dallas_Hackers.
He asked, "Did you try to exploit it anyway?"
In my fatigue, I believed the output & hadn't tried.
I attempted to write to the folder. The same folder that Windows told me I didn't have privs to write to.
And I successfully wrote to the folder.
Damnit Windows... lying to me again.
But cool. Fucking awesome. A new lead.
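An added audit helper for the unquoted-service-path check above (example code, not the author's tooling): it reproduces how Windows resolves an unquoted ImagePath, lists the directories whose permissions must be verified, shows the quoting fix, and, per the lesson above, tests writability by actually attempting a write instead of trusting reported permissions. The sample ImagePath values are constructed.

```python
import ntpath
import os
import tempfile

# Constructed sample ImagePath values (not from the engagement).
SAMPLE_IMAGE_PATHS = [
    r"C:\Program Files\Acme Agent\agentsvc.exe -run",    # unquoted, spaces: weak
    r'"C:\Program Files\Acme Agent\agentsvc.exe" -run',  # remediated form
    r"C:\Windows\system32\svchost.exe -k netsvcs",       # unquoted, no spaces: fine
]

def _split_exe(image_path):
    """(executable, arguments) for an ImagePath.  Unquoted: the executable is
    everything up to the first token ending in .exe; quoted: the quoted part."""
    p = image_path.strip()
    if p.startswith('"'):
        exe = p.split('"')[1]
        return exe, p[len(exe) + 2:]
    tokens = p.split(" ")
    idx = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
               len(tokens) - 1)
    exe = " ".join(tokens[: idx + 1])
    return exe, p[len(exe):]

def candidate_paths(image_path):
    """Paths CreateProcess tries, in order, before the real binary.  Windows
    splits an unquoted path at each space, treats the prefix as the program and
    appends .exe if it has no extension, so a binary planted in a writable
    prefix directory runs under the service account instead."""
    p = image_path.strip()
    exe = _split_exe(p)[0]
    if p.startswith('"'):
        return [exe]                               # unambiguous: one candidate
    tokens = exe.split(" ")
    cands = [" ".join(tokens[: i + 1]) for i in range(len(tokens))]
    return [c if c.lower().endswith(".exe") else c + ".exe" for c in cands]

def directories_to_check(image_path):
    """Parent directory of each hijack candidate (all but the intended binary);
    each must be confirmed non-writable by unprivileged accounts."""
    return [ntpath.dirname(c) for c in candidate_paths(image_path)[:-1]]

def quoted_image_path(image_path):
    """Remediation: quote the executable so only one path is ever tried."""
    exe, args = _split_exe(image_path)
    return f'"{exe}"{args}'

def probe_writable(directory):
    """Attempt a real write instead of trusting reported ACLs: the account
    above shows the permission output and the actual outcome can disagree."""
    if not os.path.isdir(directory):
        return False
    try:
        with tempfile.NamedTemporaryFile(dir=directory, prefix="acl-probe-"):
            pass
        return True
    except OSError:
        return False

def audit(image_paths=SAMPLE_IMAGE_PATHS):
    """Map each weak ImagePath to the directories needing a permission check."""
    return {p: directories_to_check(p) for p in image_paths if directories_to_check(p)}
```

On a Windows host the ImagePath values would come from the services' registry entries and `probe_writable` would be run as the account under review.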
I tested it on my box (a risk) and it seemed to work fine.
- Set up a listener on my rogue device.
- Gain physical access to a laptop in the office.
- Log in w/localadmin creds.
- Upload the two-stage malware to the "Unquoted Service Path"
- Log out.
- Wait for user to log in & trigger.
I planned first to target IT while they were at lunch and pop one of their boxes.
Don't they realize how unhealthy that is!? How lack of work/life separation and lack of breaks adds to stress?!
WHY DON'T THEY EAT LUNCH LIKE NORMAL PEOPLE?!?!
I walked around the office and finally found a set of desks that were empty. Accounts Payable / Accounts Receivable. Finance.
Okay. We're hacking into Finance.
Angrily, my face filled with spite and malice, I turned towards one of her team's computers & hacked it.
And sat. Staring at my listener.
Lunch ended at some point. I lacked the will to conversate.
> Meterpreter session 1 opened
> Meterpreter session 2 opened
> Meterpreter session 3 opened
> Meterpreter session 7 opened
I ran a quick GETUID and saw:
- NT AUTHORITY\SYSTEM
Oh Fuck Yeah!!!
Establish quick persistence, dump memory, and start rifling through their file system.
Some AP/AR finance info. Some clear text passwords. Sensitive information, but nothing major.
S'alright. It's a start. A foothold.
I try to hop sessions, but they're all closed. I ping the system, it's not responding. I port scan 445. Nothing. The system is offline.
Fuck. That. Noise.
I get up and begin a beeline toward the Finance department. What happened to my shells?!?!
I do a quick "Oh fuuu" & make to turn around when the old lady turns towards me, points a finger directly at me, and shouts "That's him! He was messing with our computers!"
My back turned from one mean looking blue team, I ran in the opposite direction.
Only to run into two other blue team members. Looking quite pissed off and making it clear that I was in the wrong neighborhood.
The head DFIR person stood in front of me, her knuckles raw, a small crew of Intrusion Detection Analysts behind her, grinning.
The DFIR lead leaned down next to my ear and whispered, "No one in Accounts Payable ever runs PowerShell..."
But me running around the corner and into the little old lady reporting me to IT's Blue Team was real. They stopped me right there. Confiscated my machine and reported me.
CISO came in, validated my presence.
They got an alert that PowerShell was running on a system that did not belong to the small group of IT and Developers that ran PowerShell on a normal basis.
A solid, and simple, anomaly detection method.
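The rule that caught the engagement above, as an added Python example (not the client's detection content): it parses constructed process-creation events and alerts when PowerShell starts on a host outside the group that normally runs it, with a second signal for a SYSTEM shell spawned by the service control manager. The hostnames, users and baseline set are assumptions.

```python
import re

# Hosts whose users run PowerShell day to day (IT and developers).  In practice
# this baseline comes from AD group membership or is learned from history.
POWERSHELL_BASELINE_HOSTS = {"IT-WS-001", "IT-WS-002", "DEV-WS-010"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Constructed process-creation events (Event ID 4688 fields flattened to one
# line each); hostnames and users are invented.
SAMPLE_EVENTS = [
    "2018-09-20T11:58:02 host=IT-WS-001 user=ACME\\helpdesk1 "
    "process=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "parent=C:\\Windows\\explorer.exe",
    "2018-09-20T12:03:11 host=FIN-WS-017 user=NT AUTHORITY\\SYSTEM "
    "process=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "parent=C:\\Windows\\System32\\services.exe",
    "2018-09-20T12:03:40 host=FIN-WS-017 user=ACME\\ap.clerk "
    "process=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE "
    "parent=C:\\Windows\\explorer.exe",
    "2018-09-20T12:04:05 host=FIN-WS-021 user=ACME\\ar.clerk "
    "process=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
    "parent=C:\\Windows\\explorer.exe",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) "
                      r"process=(?P<process>.+?) parent=(?P<parent>.+)$")

def parse_event(line):
    """Parse one flattened event into a dict, or None if malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def _basename(win_path):
    return win_path.rsplit("\\", 1)[-1].lower()

def evaluate(event, baseline=POWERSHELL_BASELINE_HOSTS):
    """Reasons this event is anomalous; an empty list means nothing to report."""
    if _basename(event["process"]) not in POWERSHELL_IMAGES:
        return []
    reasons = []
    if event["host"].upper() not in baseline:
        reasons.append("PowerShell on a host outside the IT/Dev baseline")
    # A service-spawned SYSTEM shell on a workstation is how the unquoted-path
    # payload in the story would surface; treat it as a strong second signal.
    if (_basename(event["parent"]) == "services.exe"
            and event["user"].upper() == "NT AUTHORITY\\SYSTEM"):
        reasons.append("PowerShell started as SYSTEM by the service control manager")
    return reasons

def scan(lines, baseline=POWERSHELL_BASELINE_HOSTS):
    """Run the rule over a batch of events; returns (ts, host, user, reasons)."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and (reasons := evaluate(ev, baseline)):
            alerts.append((ev["ts"], ev["host"], ev["user"], tuple(reasons)))
    return alerts
```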
- Least Privilege Model
- Least Access Model
- MultiFactor Authentication
- Simple Anomaly Rule Fires
- Defense in Depth
- Keep Trying
- Never Assume
- Bring In Help
- Luck Favors the Prepared
- Adapt and Overcome