This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few.
To read about the DerbyCon 6 presentations visit the DerbyCon 6 Schedule page and the DerbyCon 6 presentation videos are on YouTube.
Vulnerability disclosure, cloudy clouds, and million dollar shopping trips. This industry sucks. And is awesome. Our beloved security industry is a complicated beast. Companies are collaborating with researchers more now than they have ever, but it’s still easy to walk away feeling frustrated by an encounter with an otherwise seemingly responsive vendor. Microsoft’s Technical Fellow Jeffrey Snover and Security Architect Lee Holmes share their unique perspectives on this relationship and shed some light the corporate behaviors that might otherwise feel out of touch, and share their perspectives on getting on a solid path to more secure systems. This collaboration is making the world a safer place, however, and we now find ourselves at the cusp of another major industry shift. What does security look like in a world that’s becoming increasingly cloud-connected? With the vast majority of cloud capacity coming from two companies in Seattle, what chance do you possibly have to keep yourself secure? In addition to the torrid pace of change in our industry, there’s still a lot of regular ol’ security going on. New threats, new exploits, an ever changing attack surface. How do you keep YOUR companies secure in a world like this? It’s tempting to throw your hands up, get a money order for a million dollars, and just go shopping at RSA. That may eventually be part of the solution but it rarely the most effective path forward. So what is? Jeffrey Snover is a Technical Fellow and the Lead Architect for the Enterprise Cloud Group, covering Windows Server, Azure Stack, System Center, and Operations Management Suite. Snover is the inventor of Windows PowerShell, an object-based distributed automation engine, scripting language, and command line shell. Lee Holmes is the lead security architect of Microsoft’s Enterprise Cloud Group, covering Windows Server, Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.
Thinking Purple Carlos Perez @carlos_perez Breaking with the adversarial approach of Red vs Blue, look at how the current system and approaches may be broken in some organizations and provide recommendation not only for the mature organization with a large structure but also how small businesses can take a more purple strategy in the way they operate their teams including how they acquire pentest services. Presentation will cover an approach beyond the red and blue team and more of a organizational and strategic approach to change the paradigm of thinking and action to more symbiotic approach to security. Carlos Perez is a Director at a Security Vendor working on reverse engineering, security research and integration projects. Carlos also works as a trainer providing training both to government and private organizations across the world in security technologies and also provides consulting in his spare time on infrastructure and security. His work and thoughts can be found on his webpage www.darkoperator.com. He has presented in several security conferences and is a co-host of the Security Weekly podcast.
Daniel Bohannon – Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’
Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D””e`Tec`T ‘Th’+’em’ Daniel Bohannon – @danielhbohannon The very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs. We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker. Next, I will introduce three new layers of obfuscation that can be applied to any PowerShell command. You can use each layer independently, or stack them together to prevent any one technique becoming an easy signature for defenders. The first layer directly manipulates PowerShell and .Net cmdlets, functions and arguments. The second string manipulation layer can then be applied to a single command or an entire script. Finally, I will demonstrate several techniques for content execution using PowerShell command input parameters that hide command line arguments from appearing for powershell.exe. Attempting to detect every possible obfuscated version of particular commands is not an efficient means of detection. Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging and rely primarily on command line logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will also highlight methods using C# within powershell.exe that enable the attacker to execute .Net functions without being recorded in PowerShell event logs. Attackers and popular frameworks like Metasploit, PowerSploit, and Empire use PowerShell’s remote download cradle to execute remote scripts on a target system entirely in memory. This capability is typically used to avoid A/V and many application whitelisting products. I will give particular focus to the numerous ways within PowerShell, .Net, and native Windows applications that this remote download functionality can be accomplished without using .Net’s popular Net.WebClient class. I will also explore a half dozen functions that attackers can use to encode and decode PowerShell commands, including .Net’s SecureString functions. I will conclude this talk by highlighting the public release of Invoke-Obfuscation.ps1. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms. These techniques are available as miniature plug-n-play versions to be easily added to existing PowerShell frameworks in an effort to promote more wide-scale adoption.
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Slides: https://www.usenix.org/sites/default/files/conference/protected-files/woot16_slides_drake.pdf (from August 2016)
Last year, Joshua disclosed multiple vulnerabilities in Android’s multimedia processing library libstagefright. This disclosure went viral under the moniker “Stagefright,” garnered national press, and ultimately helped spur widespread change throughout the mobile ecosystem. Since initial disclosure, a multitude of additional vulnerabilities have been disclosed affecting the library.In the course of his research, Joshua developed and shared multiple exploits for the issues he disclosed with Google. In response to Joshua and others’ findings, the Android Security Team made many security improvements. Some changes went effective immediately, some later, and others still are set to ship with the next version of Android—Nougat.Joshua will discuss the culmination of knowledge gained from the body of research that made these exploits possible despite exploit mitigations present in Android. He will divulge details of how his latest exploit, a Metasploit module for CVE-2015-3864, works and explore remaining challenges that leave the Android operating system vulnerable to attack. Joshua will release the Metasploit module to the public at DerbyConJoshua J. Drake is the VP of Platform Research and Exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker’s Handbook. Joshua has been doing vulnerability research on a wide range of applications and operating systems for over 20 years with a focus on Android since early 2012. His professional experience began in 2005 and includes roles at VeriSign/iDefense, Rapid7/Metasploit, and Accuvant LABS.
Mind Reading for Fun and Profit using DISC Christopher Hadnagy @humanhacker Learning to profile a target is a key element to social engineering. Learn how to use a quick and easy profiling tool to make targets feel as if you can read their minds. You will also learn how to release chemicals in your targets brains to make them more agreeable to your suggestions. When struck by lightning Chris Hadnagy was transformed into loganWHD and infused with the power of social engineering and the ability to identify the weak point in any physical security system. Countering the natural instinct to use his powers for self gain, Chris has spent his time teaching others in the lost arts of many security topics and spreading knowledge. Hidden among normal mortals as the Chief Human Hacker of Social-Engineer, Inc Chris currently lives a hidden life as the lead developer of Social-Engineer.Org and is the author of three books. If you are in trouble, and no one else can help, perhaps you can contact Chris online at www.social-engineer.com, social-engineer.org or twitter at @humanhacker.
The Information Security sector is a special place filled with special snowflakes. For a special snowflake, interviewing for a job can sometimes be a daunting or awkward task. There is a thin line when talking to humans between looking cocky and potato. On the other side, the interviewer must understand that there’s a limited pool of special snowflakes. There’s a sweet spot between auto-hiring someone and telling them you’ll need three months to make a decision. Each snowflake must be nurtured into a beautiful snowerfly, or whatever their final form may be. For this talk I plan to start a conversation about how to interview and be interviewed in the information security space. Good interviews combine a mix of targeted questions, appropriate information sharing, and a goal of what you’d like to learn from a person and vice versa. Bad interviews… don’t. This leads to bad hires, good snowflakes being pushed aside, stupid questions being asked, people being sad pandas, poor team cohesion, and a general overwhelming feeling of meh. Do not despair, this is a solvable situation. Come join me on the journey to being less meh at hiring!
Wartortell works as a reverse engineer and malware researcher for Palo Alto Networks. Previously he worked in Threat Intel, Binary Rewriting and Binary Transparency. He also casts a mean Ice Punch, and this is not even his final form.
Aaron Bayles (@alxrogan) has been doing the Infosec song and dance since ’95. He has seen a million endpoints and rocked them all. He lives outside Houston and currently dabbles with all things Infosec and ICS/SCADA security.
A Year in the Empire Will Schroeder, Matt Nelson Will – @harmj0y, Matt – @enigma0x3 PowerShell is an ideal platform for building a new class of offensive toolsets and parties on both sides of the red and blue divide have begun to take notice. Driving some of this newfound awareness is the Empire project – a pure PowerShell post-exploitation agent that packages together the wealth of new and existing offensive PowerShell tech into a single weaponized framework. Since its release a year ago, the Empire project has garnered dozens of additional modules from the offensive community in addition to signatures and mitigations on the defensive side. This presentation will take you through the design considerations for Empire, the community contributions, its enhanced capabilities, its redesigned C2 system, and the new RESTful API. Welcome to the Empire. Will Schroeder (@harmj0y) is security researcher and red teamer. He has presented at a number of conferences including ShmooCon, DEF CON, DerbyCon and several Security BSides conferences on topics spanning AV-evasion, post-exploitation, red teaming tradecraft, and offensive PowerShell. Will is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of Empire. Matt Nelson (@enigma0x3) is a red teamer and penetration tester. He performs a variety of offensive services for a number of government and private sector clients, including advanced red team assessments. Matt has a passion for offensive PowerShell, is an active developer on the Empire project, and helps build offensive toolsets to facilitate red team engagements.
“Is that a penguin in my Windows? Spencer McIntyre @zeroSteiner One of the latest features coming out in Windows is the new Windows Subsystem for Linux. This brand new system provides translations for Linux syscalls via a new kernel interface. This talk will go over the technical details of this brand new interface with a focus on it’s security implications. We’ll go over features that might be beneficial to be leveraged by pentesters as well as what how the new subsystem can be abused by local exploits targeting Windows. As a member of the Research and Development team at SecureState, Spencer McIntyre works to discover vulnerabilities within organizations systems and understand the underlying risks. Mr. McIntyre balances his focus between vulnerability and in-house tool development. During his time with SecureState, Mr. McIntyre has worked with a variety of clients across multiple industries, giving him experience in how each secures their data and the threats that they encounter. Mr. McIntyre uses his background in software development to help him to understand and exploit the underlying logic in the software he encounters. He is active in the open source community, making multiple contributions to a variety of projects such as the Metasploit Framework.兄”
PowerShell Secrets and Tactics Ben0xA @ben0xa It used to be that most people were just starting to hear about PowerShell. Over the last 3 years, this has changed dramatically. We now see Offensive and Defensive PowerShell tools, exploits specifically leveraging PowerShell and WMI, and more organizations are starting to be intentional for detection and monitoring of PowerShell scripts and commands. With this visibility, it is becoming a game of cat and mouse to leverage and detect PowerShell. In this talk, I will highlight some secrets I use to ensure my PowerShell exploits are successful and some unique tactics which will bypass common defensive controls. I will also walk you through the creation of a custom PowerShell C# DLL which you can use to compromise your target. If you want to code with me, be sure to bring a laptop with Visual Studio 2013 or later installed. Ben Ten is a Senior Security Consultant with TrustedSec doing penetration testing and consulting. He has spent over 15 years doing Application & Web Development; Security Implementation, Consulting, & Training; Federal Regulation and Compliance oversight in relation to Information Technology (HIPAA, HITECH, PCI); and managing a team of developers and IT professionals. He is creator of the PoshSec Framework and works with the PoshSec development team. He has spoken at several conferences over the past 4 years including ShowMeCon, DerbyCon, BSides Chicago/Raleigh/Dallas Fort Worth, HackCon Norway, and more.
“No Easy Breach: Challenges and Lessons from an Epic Investigation Matthew Dunwoody, Nick Carr @matthewdunwoody, @itsreallynick Every IR presents unique challenges. But — when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day — the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. Matthew Dunwoody and Nick Carr are incident responders at Mandiant, specializing in digital forensics and network analysis. Matt has several years of experience as a technical lead for large-scale IR engagements and high-tech crime investigations. Nick has experience in computer security and intelligence roles and previously served as Chief Technical Analyst and incident response team lead for DHS ICS-CERT, focusing on SCADA systems and critical infrastructure cyber attack readiness and response.”
Hunting for Exploit Kits Joe Desimone Joe – @dez_ Open any security blog and you are likely to find some information on the latest 0day being exploited in the wild by one or more of the popular exploit kits. Knowing how exploit kits are evolving over time allows researchers to validate a security stack against the latest capabilities, enables red teams to repurpose the latest in-the-wild threats, and assists vulnerability researchers to stay current on the latest exploits. However, getting samples or other specific insight into these changes is hard because direct access to tools is guarded and signatures are constantly changing. How can researchers identify and collect their own samples without any static signatures? This talk will reveal an automated system that relies on behavioral exploit detection rolled into a sandbox that continually crawls popular websites for infection. The system captures a steady stream of exploit kit samples which can support a wide range of research initiatives. We will also discuss samples from popular exploit kits that have been captured with this system such as Neutrino, RIG, and Magnitude. Joe Desimone is a Malware Researcher at Endgame. He has over 5 years of experience in the information security industry; primarily tracking and countering APTs, reverse engineering malware, and developing novel techniques and tools to empower hunt teams. Joe holds a BS and MS in Computer Security from RIT.
“Better Network Defense Through Threat Injection and Hunting Zach Grace, Brian Genz Zach – @ztgrace, Brian – @briangenz Traditional penetration testing and red team engagements typically focus on identifying single attack paths and how organizations can fix vulnerabilities to shut those paths down. The results of these engagements are a reduced risk from eliminating a single attack path, but rarely lead to an improved defensive skill set. This talk will introduce the Threat Detection Maturity Model, a security detection and testing framework to more closely integrate red and blue team operations with the goal of measurably improving defensive capabilities. The framework is designed to measure the effectiveness of the blue team’s defensive capabilities using a capability maturity model across the attack lifecycle. We’ll demonstrate how “”””threats”””” are injected into an environment to enable a hunt team or SOC to improve their skill sets and validate the effectiveness of their security tooling. Zach has worked in offensive security for the last six years focusing on securing financial institutions. He is active in the Milwaukee security community in which he organizes @MilSec, is an OWASP Milwaukee chapter leader and is a member of the Wisconsin Collegiate Cyber Defense Challenge (CCDC) Red Team. He’s also the creator of the open source security projects Sticky Keys Hunter and changeme. Brian Genz is an information security professional with experience in the insurance, manufacturing, and defense intelligence sectors. He has worked in the areas of incident response, forensic analysis, vulnerability management, and security risk consulting.”
Outlook and Exchange for the Bad Guys Nick Landers Nick – @monoxgas External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
Attacking EvilCorp: Anatomy of a Corporate Hack Sean Metcalf & Will Schroeder Sean Metcalf – @PyroTek3, Will Schroeder- @harmj0y With the millions of dollars invested in defensive solutions, how are attackers still effective? Why do defensive techniques seem to rarely stop or slow down even mid-tier adversaries? And is there anything the underfunded admin can do to stop the carnage? Join us in a shift to ?assume breach? and see how an attacker can easily move from a single machine compromise to a complete domain take over. Instead of “death by PowerPoint,” see first-hand how a fictional corporation suffers “death by a thousand cuts?. The fictional EvilCorp presents their top defensive tools and practically dares someone to attack the network. The battle of Red vs. Blue unfolds showing EvilCorp’s network submit to the unrelenting attacks by an experienced adversary. When the dust settles, the Red Team looks victorious. But what, if anything, could have tipped the scales in the other direction? In this demo-heavy session (several demos are shown to demonstrate modern attack effectiveness), we showcase the latest attack techniques and ineffective defenses still used to protect companies. Defense evasion tools and techniques are detailed as well as attack detection methods. Effective mitigation strategies are highlighted and the Blue Team is provided a roadmap to properly shore up defenses that can stop all but the most determined attacker. Sean Metcalf (@PyroTek3) is founder & principal security consultant of Trimarc and is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification. He is also a Microsoft MVP and has presented on Active Directory attack and defense at BSides, Shakacon, Black Hat, DEF CON, and DerbyCon security conferences. Will Schroeder (@harmj0y) is an Information Security Researcher and red teamer for Veris Group?s Adaptive Threat Division. He is the co-founder the Veil-Framework, PowerTools, and PowerShell Empire, and has presented at ShmooCon, Defcon, Derbycon, and various Security BSides on topics spanning AV-evasion, post-exploitation, red teaming, offensive PowerShell, and more.
Living Off the Land 2: A Minimalist’s Guide to Windows Defense Matt Graeber and Jared Atkinson – @mattifestation The ?living off the land? philosophy, as applied to InfoSec, is the idea that one can thrive using mostly the tools present in a target environment in an effort to remain hidden from an adversary. While historically this philosophy has been applied to offense, it is equally applicable to defense. A capable defender, ideally, should introduce a minimal forensic footprint into an environment suspected to be compromised. Additionally, informed defenders should have an awareness of attacker objectives which includes performing reconnaissance against common security products, most of which consume a substantial OS fingerprint. This talk aims to introduce defenders to defensive capabilities built-in to all versions of Windows which are likely to leave adversaries in dark as to what defensive mechanisms are in place. Expensive defensive products are not always the solution when you?re already sitting on a goldmine of free, unexploited capabilities. Matt Graeber is a reverse engineer and security professional who knows some things about things but is otherwise a complete noob in many facets of life. Matt is commonly known as that guy who took Dave Kennedy and Josh Kelley?s original PowerShell talk and turned it into an unhealthy obsession for which he still hasn?t broken himself of. Matt prides himself not on his industry speaking engagements, certifications, or experience but rather the journey that took him to his present situation – surrounded by motivated, brilliant, and genuinely good people.
Penetration Testing Trends John Strand @strandjs We all know and love the yearly reports from Verizon and Mandiant. They break down the various Incident Response gigs they worked on during the previous year.ÿBut what about the other side of the coin?ÿ What about penetration testing companies?ÿ What are they seeing?ÿIn this presentation, John will share a breakdown of the penetration tests BHIS performed over the last year.ÿ He will discuss how most organizations are improving – and where they are still failing.ÿ More importantly, he will share a frightening trend ? a trend that could have earth-shattering repercussions for the entire security industry. Dum, dum, DUMMMMMMM!!! John Strand is the owner of Black Hills Information Security, a firm specializing in penetration testing, Active Defense and Hunt Teaming services. He is the also the CTO of Offensive Countermeasures, a firm dedicated to tracking advanced attackers inside and outside your network.
Introducing DeepBlueCLI, a PowerShell module for hunt teaming via Windows event logs Eric Conrad @eric_conrad A number of events are triggered in Windows environments during virtually every successful breach, these include: service creation events and errors, user creation events, extremely long command lines, compressed and base64 encoded PowerShell functions, and more. Microsoft has added a wealth of blue team tools to its operating systems, including native support of logging the full command line used to launch all processes, without requiring 3rd party tools (or Sysmon). KB3004375 adds this feature to Windows 7 and Server 2008R2. DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell. Eric Conrad’s career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and health care. He is now CTO of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. Eric is a SANS Senior Instructor and the lead author of SANS MGT414: SANS Training Program for CISSP? Certification, as well as coauthor of both SANS SEC511: Continuous Monitoring and Security Operations and SANS SEC542: Web App Penetration Testing and Ethical Hacking. He is also the lead author of the books the CISSP Study Guide, and the Eleventh Hour CISSP: Study Guide. He is a graduate of the SANS Technology Institute with a master of science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. Eric also blogs about information security at www.ericconrad.com.
How to Social Engineer your way into your dream job! Jason Blanchard @BanjoCrashland Does anyone read these descriptions? Yeah… you? That’s awesome! Want to come to an incredible talk given by a professional social engineer? No… oh, ok… Wait! Come back! Alright, this talk is about how you can use the skills, concepts, and tools of social engineers and marketers to put yourself into the right place, with the right skills, for the job you’ve always wanted. After 40 minutes of this talk, you’ll either hate Jason Blanchard because he’s given you so many possible ways to get “unstuck” or you’ll… nah, you’ll probably just hate him. This talk will be unforgettable (and hilarious). #chickenwing Jason Blanchard doesn’t computer (much), but what he does do, is use an overwhelming arsenal of marketing and social engineering skills to positively persuade the populace to do as he requests. He has an eclectic background as an educator, marketer, business owner, public speaker, comedian, father, and husband. He is currently the community outreach director for the SANS Institute. He is and has been since the day he was born… a professional Social Engineer.
Attackers Hunt Sysadmins – It’s time to fight back Lee Holmes – @Lee_Holmes What do the NSA, APT groups, and run-of-the-mill attackers have in common? They. Hunt. Sysadmins. After all, what?s a better way to compromise an entire infrastructure than to target the folks with complete and unconstrained access to it? It?s time to fight back. In this talk, we introduce PowerShell Just Enough Administration, a powerful platform capability that lets you add role-based access controls to your existing PowerShell-based remote management infrastructure. Lee Holmes is the lead security architect of Microsoft’s Enterprise Cloud Group, covering Windows Server, Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.
Scripting Myself Out of a Job – Automating the Penetration Test with APT2 – Adam Compton, Austin Lane
Scripting Myself Out of a Job – Automating the Penetration Test with APT2 Adam Compton, Austin Lane Adam – @tatanus , Austin – @capndan Nearly every penetration test begins the same way; run a NMAP scan, review the results, choose interesting services to enumerate and attack, and perform post-exploitation activities. What was once a fairly time consuming manual process, is now automated! Automated Penetration Testing Toolkit (APT2) is an extendable modular framework designed to automate common tasks performed during penetration testing. APT2 can chain data gathered from different modules together to build dynamic attack paths. Starting with a NMAP scan of the target environment, discovered ports and services become triggers for the various modules which in turn can fire additional triggers. Have FTP, Telnet, or SSH? APT2 will attempt common authentication. Have SMB? APT2 determines what OS and looks for shares and other information. Modules include everything from enumeration, scanning, brute forcing, and even integration with Metasploit. Come check out how APT2 will save you time on every engagement. “dam Compton has been a programmer, researcher, professional pentester, and farmer. Adam has over 15 years of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam’s career, he has worked for both federal and international government agencies as well as within various aspects of the private sector. Austin Lane spent 7 years working in development before jumping over to security, which he has now been doing for 3 years. In that time, he has worked on web apps, Android apps, network security, and completed the OSCP certification. He is currently a Security Consultant at Rapid7.
DNS in Enterprise IR: Collection, Analysis and Response Philip Martin @SecurityGuyPhil DNS is an often-overlooked and under-tooled area of security data collection, analysis and response. We will first review existing tools and deployment choices for collecting DNS data and release the 1.0 version of my own network DNS capture tool, gopassivedns. We will then explore several example analytical approaches to large scale DNS data, including approaches to finding DNS tunneling and discovering attacker infrastructure. Finally, we take a look at how DNS can play a part in remediation and release a second tool, a RESTful interface to RPZ, goRPZ. Attendees will walk away able to implement or improve DNS collection and analysis in their environments. Philip leads security at Coinbase, where he is continually amazed at the amount of attacker effort and creativity inspired by half a billion dollars of cryptocurrency. Philip also enjoys spending time with his family and making delicious smoked meats.
Attacking ADFS Endpoints with PowerShell Karl Fosaaen – @kfosaaen Active Directory Federation Services (ADFS) has become increasingly popular in the last few years. As a penetration tester, I’m seeing organizations opening themselves up to attacks on ADFS endpoints across the Internet. Manually completing attacks against these endpoints can be tedious. The current native Microsoft management tools are handy, but what if we weaponized them. During this talk, I will show you how to identify domains that support ADFS, confirm email addresses for users of the domain, and help you guess passwords for those users. We’ll cover how you can set up your own hosted ADFS domain (on the cheap), and use it to attack other federated domains. On top of that, we’ll show you how you can wrap all of the native functionality with PowerShell to automate your attacks. This talk should give penetration testers an overview on how they can start leveraging ADFS endpoints during a penetration test. Karl is a Managing Consultant with NetSPI who specializes in network and web application penetration testing. With over eight years of consulting experience in the computer security industry, he has worked in a variety of industries and has made his way through many Active Directory domains. Karl also holds a BS in Computer Science from the University of Minnesota. This year, he has spent a fair amount of time digging into the Skype for Business APIs. Prior to that, Karl has helped build out and maintain NetSPI’s GPU cracking boxes. Karl holds a couple of certifications, that is neat. Karl has previously spoken at THOTCON, BSidesMSP, Secure360, and AppSec California. In his spare time, you may see him trying to sell you a t-shirt as a swag goon at DEF CON.
SQL Server Hacking on Scale using PowerShell Scott Sutherland @_nullbind This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited. Scott is a security consultant that performs application and network penetration testing for NetSPI.
Introducing PowerShell into your Arsenal with PS>Attack Jared Haight – @jaredhaight PS>Attack is a custom tool that was created to make it easier for Penetration Testers to incorporate PowerShell into their bag of tricks. It combines a lot of the best offensive tools from the offensive PowerShell community into a custom, encrypted console that emulates a PowerShell environment. It also includes a custom command, “Get-Attack” to act a search engine for attacks making it easy to find the right attack for any situation. In this presentation we will cover how PowerShell can be used during every part of a penetration test and how PS>Attack can help make the whole process a lot easier. Jared Haight (@jaredhaight) spent 10 years as a Systems Administrator where (once it came out) he used PowerShell to handle any task that he had to do more than once. Now as a Penetration Tester for Gotham Digital Science, he uses his knowledge of PowerShell on engagements to help companies improve their security posture. He has spent the last four years teaching people how to use PowerShell and created the PS>Attack platform to help Penetration Testers easily add PowerShell to their toolkit.
Hack Yourself: Building A Pentesting Lab David Boyd – @fir3d0g We all want to improve our skill sets, right? Reading is great, but there is no experience like actually ‘doing it’. In this module, we will discuss how to build your own hacking lab from the ground up, for next to no cost. We will also discuss the various free penetration testing distributions, as well as the intentionally vulnerable virtual machines you can practice anything on from phishing, to web app testing, to exploits, and more. David Boyd (@fir3d0g) is a penetration tester for Contextual Security Solutions in Knoxville, TN. He is a Christian, new father, and lover of Mt. Dew, video games and geek culture. He is a breaker of things for over 10 years IT related in everything from education, military, retail, government, media, to law firms and hospitals. He has also found Waldo and Carmen Sandiago.
Hardening AWS Environments and Automating Incident Response for AWS Compromises Andrew Krug & Alex McCormack @andrewkrug @amccormack Incident Response procedures differ in the cloud versus when performed in traditional, on-premise, environments. The cloud offers the ability to respond to an incident by programmatically collecting evidence and quarantining instances but with this programmatic ability comes the risk of a compromised API key. The risk of a compromised key can be mitigated but proper configuration and monitoring must be in place. The talk discusses the paradigm of Incident Response in the cloud and introduces tools to automate the collection of forensic evidence of a compromised host. It highlights the need to properly configure an AWS environment and provides a tool to aid the configuration process. Andrew Krug is a Senior Software Engineer at a large cyber security company. Krug has been Consultant, Network Architect, Systems Administrator, Operations Manager, Technical Trainer, and Software Engineer. Currently Krug works to develop gamified security education through security simulation scenarios and rich interactive content. Alex McCormack is a Principal Software Developer at a large cyber security company. Alex assists in the design and implementation of Capture the Flag competitions and training events. Alex has designed CTF challenges since 2013 and given training since 2012. Prior to developing CTFs, Alex worked in Incident Response and Malware Analysis.
The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us) – Beau Bullock, Derek Banks, Joff Thyer
The Advanced Persistent Pentester (All Your Networks Are Belong 2 Us) Beau Bullock, Derek Banks, Joff Thyer Beau: @dafthack, Derek: @0xderuke, Joff: @joff_thyer An Advanced Persistent Pentester is always willing to go the extra mile, working smarter, and harder to achieve success. An Advanced Persistent Pentester is always willing to go off script, creatively inventing new concepts, new tools, and techniques to get the job done. We all use automated tools and techniques to construct advanced malware which allows for expeditious entry, escalation, persistence and post exploitation during engagements. What happens when the standard tools, and techniques are just not good enough? This talk will examine several different escalation, lateral movement, and post exploitation case studies talking about the various creative approaches in solving problems along the way, capturing the flag(s), and pushing to the extremes of threat modeling the real world information security environment. It was reported that in 2015 it took an average of 146 days to detect an attacker. How can successfully mimic the impact of having that much time to pillage a network in less than a week? Beau Bullock: Beau has held positions in the financial and health industries and has experience with all aspects of enterprise network security including penetration testing, vulnerability analysis, data loss prevention, wireless security, firewall management, and employee security training. Beau is a Hack Naked TV host, and frequent speaker at industry events. Derek Banks: Derek has over 20 years of experience in the IT industry as a systems administrator for multiple operating system platforms, and monitoring and defending those systems from potential intruders. He has worked in the aerospace, defense, banking, manufacturing, and software development industries. Derek has experience with creating custom host and network based monitoring solutions. Joff Thyer: Joff has over 15 years of experience in the IT industry in roles such as enterprise network architect and network security defender. He has experience with intrusion detection and prevention systems, penetration testing, engineering network infrastructure defense, and software development. Joff also co-hosts the Security Weekly podcast.
Blog Post: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
At Shmoocon early this year, we released Potato, a new method and tool that took advantage of neglected 15 year old issues in all versions of Windows to elevate any user’s privilege to SYSTEM in default configurations. We had planned on releasing a much improved version of said tool here at Derbycon, but Microsoft had other plans. On June 14, 2016 we were surprised to find that Microsoft released MS16-075 which seems to break Potato. Luckily we still have one more trick up our sleeves that has proved useful in real-life scenarios. We will be discussing a technique based on the Potato exploit that allows for elevation from many Windows service accounts (such as those used by IIS and SQL Server) to SYSTEM in default configurations on all Windows versions.
Fire Away! Sinking the Next Gen Firewall Russell Butturini @tcstoolhax0r Recently, the next generation or “application aware” firewall has come onto the scene as the next logical progression of firewall technology and the platform of choice for enterprise traffic filtering needs. However, many vendors have overstated the capabilities of these firewalls and how the underlying technology really works. This talk will examine how next generation firewalls make decisions and how application awareness works, and then dive into the security tradeoffs they make in the name of performance. A new tool, Fireaway, will be demoed to show how the techniques covered in this talk can be automated to completely bypass firewall rules, exfiltrate data and establish obfuscated command and control channels through the firewall, all while looking like normal user activity. Russell Butturini is the senior enterprise security architect at a large healthcare company in Franklin TN. He occasionally has good ideas and he presents on them at places such as DEFCON, Derbycon, and various BSides. In his free time, he has a compulsive gambling problem when it comes to betting on horse races, so he’s hoping the Derbycon goons make sure he shows up for this talk and isn’t on a multi day gambling bender at Churchill Downs.
This post is a collection of my favorite and interesting talks from DerbyCon 6 (2016). There were a lot of great talks and as I discover them, I’ll add them here. My goal is to collect and provide the talk videos and slides together for a single, easy reference. I’m sure I missed a few.
To read about the DerbyCon 6 presentations visit the DerbyCon 6 Schedule page and the DerbyCon 6 presentation videos are on YouTube.