Ever steal a Boeing 777? How about transfer more than $400,000,000 from an account? Have you ever had one of those bad days where one wrong press of the “enter” key accidently broadcasts an emergency message to the radio station asking an entire city to evacuate? The real destruction of a business doesn’t come from a shell, a picked lock or a simple lie. The REAL threat is when all of the disciplines are combined and the only thing left in the crosshairs is the BUSINESS itself. Red Teaming is not a process of finding “A” vulnerability, but showing how flaws at EVERY level of the program combine to cause devastating effects to the company (or the tester =) ). After 15 years in the Red Teaming, Pen Testing and Security Testing Business, I have had some of the weirdest things happen. In this 50 min story time, I plan to go over our methodology, some of our BEST and WORST moments on the job, tips/tricks we picked up along the way and hopefully we can have a few laughs at our (mis)fortune(s).

1. Fi f t y ShadesFi f t y Shades
Of REDOf RED

2. hi. =)

3. Thanks

8. Trigger Warnings
• Cursing
• Racism
• Religious Prejudice
• Sex
• Drugs
• Daddy / Abandonment issues
• Socio Economic Hate crimes
• Thin Skin
• Lack of sense of humor
• Sexual orientation
• Sexism
• Violence
• Vomiting
• Abuse
• Truth
• Honesty
• Facts

13. Anyway...

14. I’m Chris
AKA
@indi303
cnickerson@laresconsulting.com
https://vimeo.com/laresconsulting
http://www.scribd.com/Lares_

21. LARES

28. Custom Services
OSINT
SIGINT
TSCM/ Bug Sweeping
Exploit Development
Tool Creation
Attack Planning
Offensive Consultation
Adversarial Intelligence
Competitive Intelligence
Attack Modeling
Business ChainVuln Assessments
Custom Physical Bypass Tool
Design
Reverse Engineering
Other stuff I can’t write down…

32. Cost per incident
2006 – $168,000
2007 – $320,424
2008 – $500,000
2009 – $710,000
2010 – ~$1.5M
2011 – ~$3.7M
2012 – ~$4.5M
2013 – ~$5.4M

37. Web Application Firewalls (That’s so 1991)
Polymorphic Self Defending Worms (since the 80’s or older if
you count xmastree 1971)
Buffer Overflows (1972)
Cloud Computing (aka Centralized computing, aka Mainframe,
aka…. Remember punch cards? 1960 for IBM’ers, 1832 for
informatics)
Wireless (Bell’s Photophone 1880)
Locks (about 4,000 yrs old)
Perimeters (Since the dawn of human existence)
APT (Since the dawn of human existence)

38. • Financial fraud: 49 percent, over 12 percent last year (avg:
$450,000)
• Malware Infection: UP 69 percent, over 50 percent last
year;
• Our heads are in “THE CLOUDS” and now under major
fire.
• 80% of directed attacks involved guessing, cracking, or
reusing valid credentials
• 45% of incidents included public releases of passwords
• DBIR: Over 80% of the intrusions were linked to
PHISHING!

39. ““Seventy-nine percent of respondents selected end-users asSeventy-nine percent of respondents selected end-users as
the number one group responsible for thethe number one group responsible for the
security of cloud service providers.” –Ponemon 2012security of cloud service providers.” –Ponemon 2012

44. POSTULATES vs. PROOF

47. Common
misconceptions
• No one is just gonna WALK IN
• We have a process (and it works)
• We have a badge system that
ONLY lets in who we approve
• No one has broken in before
• It’s a lock… you NEED a key
How it’s usually done
• Conduct full test of design
• Review Policy and process
• Site inspection
• Check Access control
procedures, lighting, camera
coverage, Ingress/egress
perimeters, CCTV, intrusion
detection, environmental
concerns and barriers

49. Common misconceptionsCommon misconceptions
• We will get owned, what's the
point
• It will offend our users
• Doesn’t provide enough value
• No one will leak info
How it’s usually doneHow it’s usually done
• Send a 419 scam style email
• Track clicks
• Write a report to show who
clicked

50. What ARE we doing?

52. Common misconceptionsCommon misconceptions
• A Penetration Test will find
ALL the holes But… you
don’t have to test
EVERYTHING, just what's in
scope
• Identify potential impact to
the business
• Confirm vulnerabilities
identified
• Gain a “Real World” View of
an attackers ability to “hack”
the environment and resolve
issues identified
How it’s usually doneHow it’s usually done
• Do all the steps in
Vulnerability Assessment
listed previously
• Run metasploit/Core/Canvas
against hosts
• Try a few other automated
tools
• Call it “SECURE” If those
don’t work

53. • Do not allow the exploitation
• Restrict the hours of testing
• Restrict the length of testing
• Improperly scope / fail to include ALL assets
• Only perform externally
• Only observe
• Patch/fix/train BEFORE the test
• Only allow directed attacks ( no SE/ Phishing)
• Lack of focus on BUSINESS risk and increased focus on technical
issue

56. What is convergence
“The merging of distinct technologies,
industries, or devices into a unified whole.”
http://www.merriam-webster.com/dictionary/convergence
“The combining of different forms of electronic
technology, such as data processing and word
processing converging into information processing.”
http://www.thefreedictionary.com/convergence

57. ElectronicPhysical
EP Convergence
•Attacks on physical systems that are
network enabled

59. But what do I do?
Badge systems?Badge systems?
Don’t over complicate it.Don’t over complicate it.
Pacom (paycom/pacom and viewer/admin) **VideoPacom (paycom/pacom and viewer/admin) **Video
and Badgeand Badge
Pro Watch (auto login from local user by default)Pro Watch (auto login from local user by default)

60. WINDSX
Auth can be local OR AD creds
default username
admin:(blank)
-------------------
Ports to scan for
10002 for server
3001 and 2101
-------------------
DSX Database
port 5555 AND 5556
DB defaults as SA (blank)

61. Ports for management:
8888 –for activation
9999- for license
8189 – DB listening port
Url’s for management:
http://<servername>/lnl.og.web/lnl_og_aam.aspx
http://<servername>/lnl.og.web/lnl_og_videoviewer.aspx
http://<servername>/IdvmHost
Or, if they are using manual sign-on
http://<servername>/ldvmhost/?useAutomaticSSO=false
http://<servername>/AdminApp
Accounts:
SA/SA
LENEL/MULTIMEDIA
ADMIN/ADMIN

62. Remember
• Replace
• Add
• Promote
• Exploit

63. REPLACE

65. ADD

66. Promote

67. Exploit

68. SocialPhysical
PS
Convergence
•Tailgating
•Impersonation

75. Electronic Social
ES Convergence
•Blackmail
•Phishing
•Profiling
•Creating moles
•Being an employee

78. Finding Boxes
• dsquery computer domainroot -desc *xxx*
• DSQUERY Server -o rdn
• nltest /dsgetdc:<domain> /PDC or /BDC or /KDC
• Windows network search

79. ldifde -d "dc=corp,dc=COMPANY,dc=com" -r "(&(objectCategory=computer)
(operatingSystem=Windows 2000*))" -f out.lde
dsquery * dc=COMPANY,dc=com -filter "(&(objectCategory=computer)
(operatingSystem=Windows 2000*))"

80. Tips for finding users
• DSQUERY USER -name *lastname* | DSGET USER
-samid -display
• net share [sharename]
• Use the Domain search service ** look for computers and
users**
• https://github.com/mubix/netview
• Own the DC and turn on auditing fot the accounts you
are looking for

81. Manage->SharedFolders->sessions
NetShare
Monitor

83. Electronic
Physical Social
• Network Penetration Testing
• Surveillance & Implants
• Direct attack on facilities
and systems
• In person Social Engineering
• Phone conversations
• Social profiling
• Baiting
RED
TEAM
EP
Convergence
Attacks on physical systems that are network
enabled
ES Convergence
Phishing
Profiling
Creating moles
Blackmail
PS Convergence
Tailgating
Impersonation

85. I’m Chris
AKA
@indi303
cnickerson@laresconsulting.com
https://vimeo.com/laresconsulting
http://www.scribd.com/Lares_