Talkin' Bout [Infosec] News

Black Hills Information Security
Jul 13, 2020 • 1h 32min

Webcast: What About Ransomware?

This is a joint webcast between Black Hills Information Security and the Wild West Hackin’ Fest conference. We hate ransomware. Like a lot. This is because we feel this is the future of cyber attacks. If you look at the recent cases and the newish versions that involve extortion, there is nothing to like. Well, almost nothing. In this webcast, we cover what you can do to prepare (trust us, we have a newish twist on this) and what you can do to mitigate the damage. We also talk about working with brokers. There will be lots of memes to help this topic go down better. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 0:00 – Half-Witty Theme Music 0:53 – Welcome to the New Ransomware 9:44 – User Training 15:14 – ATT&CK Matrix 17:07 – We Should Be Emulating 21:36 – Open Source Tools 24:33 – (did we lose john?) 33:52 – Threat Emulation Warning 35:52 – Commercial Offerings 40:01 – PlumHound 45:33 – Don’t Focus On One Product 48:08 – Paying a Ransom? 49:26 – Key Takeaways 52:16 – Got Questions? (00:00) - Half-Witty Theme Music (00:53) - Welcome to the New Ransomware (09:44) - User Training (15:14) - ATT&CK Matrix (17:07) - We Should Be Emulating (21:36) - Open Source Tools (24:33) - (did we lose john?) (33:52) - Threat Emulation Warning (35:52) - Commercial Offerings (40:01) - PlumHound (45:33) - Don't Focus On One Product (48:08) - Paying a Ransom? (49:26) - Key Takeaways (52:16) - Got Questions? (59:41) - SPONSOR BONUS: PlexTrac (01:15:30) - (did we lose john again?) (01:29:21) - Strings & Memory
Jun 29, 2020 • 56min

Webcast: Modern Webapp Pentesting: How to Attack a JWT

So much information about testing webapps for security problems is old. Don’t get me wrong, the old stuff still works way more often than we’d like, but there’s more to webapp vulnerabilities than cross-site scripting and SQL injection. Take JWTs – JSON Web Tokens – for example. These are base64 encoded tokens that sometimes get written to your browser’s localStorage or sessionStorage and passed around in cookies or HTTP headers. They’re pretty common in authentication and authorization logic for web APIs. Because they’re encoded, they look like gibberish and it’s easy to skip over them during a test. For the same reason, they’re more complicated to attack. First, you have to notice them. Then you have to decode them. Then you need to interpret the decoded data inside them. THEN, you have to decide what to attack! Once you’ve done that, you still have to create your payload, make valid JSON out of it and rebuild the JWT before you can send it. It’s kind of a lot. In this Black Hills Information Security webcast – an excerpt from his upcoming 16-hour Modern Webapp Pentesting course – BB King talks about what JSON Web Tokens are, why they’re so controversial, and how to test for their major weaknesses. Then, using OWASP’s Juice Shop as a target, he shows you a straightforward method for exploiting them that you can use on your own next webapp pentest. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 0:00 – Good Morning! 1:50 – What Are JSON Web Tokens? 4:43 – Base64 Vs Base64 URL Encoding 7:58 – The Construction of a JSON Token 10:07 – Use Cases 13:03 – RFCs of Interest 13:26 – Encoded, Not Encrypted 19:58 – The Red Slide 20:39 – OWASP Top Ten Issues (00:00) - Good Morning! (01:47) - What Are JSON Web Tokens? 
(04:36) - Base64 Vs Base64 URL Encoding (07:46) - The Construction of a JSON Token (09:50) - Use Cases (12:38) - RFCs of Interest (13:00) - Encoded, Not Encrypted (19:10) - The Red Slide (19:50) - OWASP Top Ten Issues (20:10) - Signature Al Gore Rhythms (24:30) - Stanced On Privacy (25:48) - Stanced On Security (27:45) - Cracking (29:04) - Where To Practice (33:27) - Decoding the Payload – (Visual DEMO) (42:52) - Snooping (Stealing Poorly-Protected Secrets) (48:27) - For Further Study
Jun 24, 2020 • 59min

Webcast: IPv6: How to Securely Start Deploying

Joff Thyer has dived into everything that is IPv6 and has so much to share about it. He gets really technical but in a way you’ll be able to understand. Google reports that over 30% of their systems access comes via the IPv6 protocol coming into 2020. Many Internet Service Providers have no remaining choice but to deploy IPv6 for simple lack of v4 address resources. The global Internet can already be thought of as balkanized into a split IPv4/IPv6 world based on historical v4 allocation. There will soon come a time whereby accessing IPv4 deployed resources will be considered legacy. Join Joff and the BHIS team to discuss security principles surrounding an Internet facing IPv6 deployment. Learn about fundamentals, known security issues, and appropriate infrastructure defenses which must be implemented. Enjoy a spirited discussion on how the v4 life support mechanisms of classless interdomain routing and network address translation are not required in a v6 world. It’s past time for IPv6 to become the norm. Fear not as we can do this! Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 0:00 – Inaudible, But Good Looking Banter 0:18 – Here We Are Now. Educate Us 0:56 – IPv4 And After 5:45 – What’s the Address For IPv6? 7:40 – What About IPv5? 8:31 – IPv6 Allocation 9:27 – IPv6 Packets 10:28 – IPv6 Address Types 13:26 – IPv6 Address Typecasting 14:55 – IPv6 Address Assignment 16:21 – IPv6 Multiple Interface Addresses 18:25 – IPv6 EUI-64 (00:01) - Inaudible, But Good Looking Banter (00:06) - PenTest Puppy Mill (Commercial) (00:37) - Here We Are Now. Educate Us (01:14) - IPv4 And After (05:42) - What’s the Address For IPv6? (07:32) - What About IPv5? 
(08:20) - IPv6 Allocation (09:16) - IPv6 Packets (10:16) - IPv6 Address Typecasting (13:09) - IPv6 Address Assignment (14:35) - IPv6 Multiple Interface Addresses (15:59) - IPv6 EUI-64 (18:00) - ICMPv6 (23:27) - ICMPv6 Neighbor Discovery (27:07) - Securing the v6 (27:58) - IPv6 Address Filtering (30:07) - ICMPv6 Perimeter Filtering (31:21) - ICMPv6 Transit Traffic (32:42) - ICMPv6 Non-Transit (35:29) - IPv6 Multicast Filtering (37:47) - IPv6 Protocol Normalization (38:45) - IPv6 Extension Headers (39:30) - IPv6 Enforcing EH Rules (40:27) - IPv6 Header Normalization (41:57) - IPv6 Protocol Normalization Reprise (43:22) - Address Privacy / Obscurity (45:58) - RFC4941 Privacy Extensions (46:34) - Endpoint Route Table (47:50) - Summary Recommendations (49:35) - To Be Continued...
Jun 22, 2020 • 1h 13min

Webcast: Durable vs. Ephemeral Threat Intel

Join us in the Black Hills InfoSec Discord server to keep the security conversation going! https://discord.gg/bhis Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services: https://www.blackhillsinfosec.com In this Black Hills Information Security webcast John breaks down why he hates threat intelligence... Again... But, he breaks down some of the cool new projects that are focusing on durable threat intelligence. This is key, because many intel feeds are nothing more than domains, hashes and IP addresses. However, with durable threat intel we see attack techniques that are highly effective, yet are not as easy to block. For example, application allow listing abuse, connection profiles (RITA!), and PowerShell encoding are all examples of detects you can use that are not specific to a point-in-time attack methodology. John also shares some very cool open source projects that are approaching attacks in this way using ELK. Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Durable_Ephemeral_Threat_Intel_Strand.pdf (00:00) - Intro (00:47) - Threat Intel: A Useless Rant (07:20) - Pyramid of Pain (10:37) - You Got Another String Coming (14:34) - Conversation With a Pompous John (18:42) - Hacking Ain't Easy (21:51) - ATT&CK Bingo™ (24:02) - Emulation for Iteration (27:00) - Some Open Source Tools (31:28) - Threat Emulation Warning (32:03) - Commercial Tools (36:03) - MITRE Scorecard (44:47) - A Bit of Perspective (47:00) - DeTT&CT (47:46) - Sigma (51:24) - Atomic Threat Coverage (53:58) - PlumHound (54:35) - RITA (55:46) - Honeypots (57:16) - Question Time (01:06:04) - Breaking Down the Gates
Jun 8, 2020 • 1h 1min

Webcast: A Blue Team's Perspective on Red Team Hack Tools

Kent and Jordan are back to continue their journey to make the world a better place. This time around, they will be reviewing a series of tools commonly used on pentests to identify flaws in Active Directory and general network design and implementation. You’ve probably heard of most of them, like BloodHound, ADExplorer, mimikatz…, wait, Mimikatz as a Blue Team? Yeah, it might be a bit of a stretch, but they’ll get there. Even better, with an introduction to various adversarial simulation frameworks, you can start your own journey of constant improvement. Nmap, CrackMap, BingMaps, and Domain Password Spray. (Re: BingMaps — just checking to see if you’re actually reading these, at this point, our response rate records keep getting shattered, and we just want someone to call us out – the BingMaps API is really cool though). In a world seemingly gone mad, come find some solace with these two as they share new discoveries, a tool drop from Kent (which will potentially change the BloodHound game), and more. Let’s help the world detect attacks at a higher rate! Let’s skew the Verizon DBIR’s reported numbers! Let’s get better together! 
Thanks, as always, and we look forward to spending time with those of you who can join us. 0:00 – Big Fish 0:28 – Question & Enhance 2:51 – Executive Summary 3:58 – Executive Problem Statement 8:48 – Red Team Tools are Red Team Tools 13:39 – Optics(3) 16:22 – SIGMA and SIGMAC 22:13 – Red Team Tool : Responder 25:35 – Red Team Tool : CrackMapExec 29:57 – Red Team Tool : DomainPasswordSpray 38:48 – Red Team Tool : Mimikatz 46:41 – Red Team Tool : BloodHound (00:00) - Big Fish (00:28) - Question & Enhance (02:51) - Executive Summary (03:58) - Executive Problem Statement (08:48) - Red Team Tools are Red Team Tools (13:39) - Optics(3) (16:22) - SIGMA and SIGMAC (22:13) - Red Team Tool : Responder (25:35) - Red Team Tool : CrackMapExec (29:57) - Red Team Tool : DomainPasswordSpray (38:48) - Red Team Tool : Mimikatz (46:41) - Red Team Tool : BloodHound (50:59) - Blue Team Tool : PlumHound (58:38) - Final Thoughts
Jun 3, 2020 • 1h 30min

Webcast: How to Hunt for Jobs like a Hacker

Job hunting? Looking for a career change? Still in college and want to know how to get started now in your career? If you answered yes to any of these questions, this might be the BHIS webcast for you. This webcast is an update to Jason’s popular recorded DerbyCon 2016 talk — How to Social Engineer Your Way Into Your Dream Job. If you don’t want to wait, you can watch that now. https://youtu.be/__lvS2pjuSg What is covered? * How to combine OSINT, marketing technology, and a hacker/social engineer mindset to job hunting * How to be a hunter of jobs… not just a seeker of jobs * How to write your resume during the job hunt * You might already have your dream job The hope of this webcast is that you’ll look at job hunting differently and apply the skills and techniques in an effective way to help you get the career of your dreams… or at least a job for now that will help you get to the career of your dreams in the next 5 years. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 0:00 – Infosec Sad Plant’s Last Day 0:30 – Pandemic Prologue 2:34 – Time to Meet the Bobs 4:20 – Be Prepared 5:50 – Climbing the Walls of Awful 8:35 – Another Crack In The Wall 9:49 – whoami? 11:58 – Pitch Perfect 12:53 – Step 1: I Mean Set Your Requirements 15:10 – Engineering Reverse 15:44 – “Enough” is Enough, or is it? 17:30 – Step 2: Top Ten Companies 18:45... (00:00) - Infosec Sad Plant's Last Day (00:30) - Pandemic Prologue (02:34) - Time to Meet the Bobs (04:20) - Be Prepared: Kings and Succession (05:50) - Climbing the Walls of Awful (08:35) - Another Crack In The Wall (09:49) - whoami? (11:58) - Pitch Perfect (12:53) - Step 1: Cut a hole in the bo... I Mean Set Your Requirements (15:10) - Engineering Reverse (15:44) - Enough is Enough, or is it? (17:30) - Step 2: Top Ten Companies (18:45) - Hunt V1, Hunt V2, Hunt V3 (20:17) - Document For the People (24:43) - Step 3: HUNT! 
- TOP TEN (39:20) - Jobs Don't Hire People, People Hire People (39:58) - Step 3: HUNT! - Discovery (48:23) - Step 3: HUNT! - Internal (50:22) - Step 4: Make Contact (53:29) - Step 5: Interview (54:21) - I'm Sorry, But Your Princess Is In Another Castle (55:23) - Step 6: Decide (57:16) - Be Prepared! (reprise) (59:54) - A Bunch of Requestions
May 26, 2020 • 1h 1min

Webcast: Kerberos & Attacks 101

Join the BHIS Discord discussion server: https://discord.gg/aHHh3u5 We’re really excited to have a close member of our BHIS extended family, Tim Medin from Red Siege InfoSec, here for a webcast on Kerberos & Attacks 101. Tim is the creator of Kerberoasting. Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We’ll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation. 0:00 – 45 Seconds of Banter 0:45 – The Creator Of Kerberoasting 1:48 – What Is Kerberos? 4:49 – How It Works 9:23 – PAC: Privilege Attribute Certificate 12:27 – Service Ticket 14:12 – SPN : Service Principal Name 16:22 – Three Long Term Keys 23:39 – I Got A Golden Ticket 24:57 – Ticket Flow 27:49 – Skeleton Key 30:42 – Kerberoasting On an Open Firewall 33:23 – Extract and Crack (00:00) - 45 Seconds of Banter (01:16) - The Creator Of Kerberoasting (02:19) - What Is Kerberos? (05:21) - How It Works (09:54) - PAC: Privilege Attribute Certificate (12:58) - Service Ticket (14:43) - SPN : Service Principal Name (16:53) - Three Long Term Keys (24:10) - I Got A Golden Ticket (25:28) - Ticket Flow (28:20) - Skeleton Key (31:13) - Kerberoasting On an Open Firewall (33:54) - Extract and Crack (34:35) - Silver Ticket (35:56) - Insert Demo Here (37:55) - Cracking Tickets To Get You Out Of Server Jail (44:23) - Trollmode Engaged (45:56) - Pass-The-Ticket (46:36) - Over-Pass-The-Hash (47:08) - Wrap-Up (53:07) - We Have Some Questions (59:56) - 45 More Seconds of Banter
May 6, 2020 • 46min

Webcast: Free Tools! How to Use Developer Tools and Javascript in Webapp Pentests

I like webapps, don’t you? Webapps have got to be the best way to learn about security. Why? Because they’re self-contained and so very transparent. You don’t need a big ol’ lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you’re attacking your own stuff, it’s easy to stay out of trouble. You’re up and running in the time it takes for a single download. And the transparent part? Ever since “view source” in the earliest web browsers, it’s been easy to see exactly what’s going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It’s almost like there’s no such thing as a “black box” webapp pentest if you think about it… Anyhow – the Developer Tools in Firefox (and Chrome) are what happens when you take “view source” and add 25 years or so of creativity and power. We’ll look at the Developer Tools in the latest Firefox with a pentester’s eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run Javascript in the site’s origin context, and even pause script execution in the debugger if things go too fast… Maybe we’ll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser. Join the BHIS Discord channel — https://discord.gg/aHHh3u5 Download the slides: https://www.activecountermeasures.com/presentations/ (BHIS_Webcasts) 0:00 – A Shady-White Slideshow with “FREE TOOLS!” On the Sign 0:38 – The Way Back Machine 11:00 – Always Be Learning 18:01 – The Path to the Developer Tools 24:37 – Console Separately From a Window 30:40 – The Network Tab 36:23 – Storage Tab (00:00) - A Shady-White Slideshow with "FREE TOOLS!" 
On the Sign (00:35) - The Way Back Machine (10:16) - Always Be Learning (16:55) - The Path to the Developer Tools (23:14) - Console Separately From a Window (28:44) - The Network Tab (33:57) - Storage Tab (35:45) - All The Cookies (37:42) - The Inspector Gadget Thingy (41:46) - Debugger (42:08) - Customize the Tools (42:18) - Console Tricks
Apr 27, 2020 • 1h 15min

Webcast: How to Build a Home Lab

This is a joint webcast from Black Hills Information Security and Active Countermeasures. How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand…) It’s amazing how quickly we learn not to do that! Now we have to decide – do we stop trying out new things because we’re scared of causing problems, or do we come up with a safe way to play and learn? We’re going to cover how to set up a Home Lab – an isolated environment where you can test new hardware, programs, and applications. By keeping this totally separate from everything else, you get free rein to play without risk to your other systems – and without risk of breaking any company policies! We’ll cover how to set this up, the equipment needed, and how to configure these. Best of all, you can use throwaway hardware to do it! Join the new Threat Hunting Community Discord discussion server: https://discord.gg/JmXpQFD Download slides: www.activecountermeasures.com/presentations 0:00 – You’re In Charge 2:06 – Ok. But Why? 7:18 – The Network Layout 9:43 – (John’s Spaghetti) 20:38 – Project Hardware 26:06 – Firewall 29:21 – Switch 30:53 – Wireless AP 36:49 – Sentinel (00:00) - You're In Charge (02:06) - Ok. But Why? (07:18) - The Network Layout (09:43) - (John's Spaghetti) (20:38) - Project Hardware (26:06) - Firewall (29:21) - Switch (30:53) - Wireless AP (36:49) - Sentinel (38:33) - File and Drive Image Transfer (41:04) - Laberv (43:41) - Guinea Pigs (44:46) - John's Setup Porn (46:44) - HELK (47:35) - Beaker (48:13) - Creating Evil (49:48) - Recording (50:14) - Incrementally Opening Up the Firewall (51:50) - Software (53:31) - Packet Capture (54:25) - Network Monitoring (55:09) - Scanning (56:12) - Disk Imaging (56:43) - On a Budget – What's Critical (57:04) - Closing Notes (58:05) - Questions (01:01:28) - See Something Cool
Apr 1, 2020 • 58min

Webcast: Pandemic Paradigm Shift: Remote Working is the New Normal

What does it mean to work from home across your corporate VPN? What exactly is a VPN? Is your home office prepared? How can you improve and better secure your home network? Is your corporate network ready for the change in IT environment network access? Join us to explore these topics, and describe some potential actions you can take to improve your home office and network environment. And join the BHIS Discord to discuss all of this — https://discord.gg/ST5NdFu Download slides: https://www.activecountermeasures.com/presentations 0:00 – We’re Not In Normal Anymore 2:04 – Viral Pandemic Networking (VPN) 7:34 – Home Office Runner 11:16 – What’s Your Frequency, Kenneth? 17:17 – It’s Always DNS 19:12 – Secure The Perimeter 23:34 – Game Recognizes Game 27:55 – Master of Your Domain 43:36 – Solutions, Solutions, Solutions 47:20 – Remote Workers Unite! Individually In Your Own Homes! (00:00) - We're Not In Normal Anymore. (02:35) - Viral Pandemic Networking (VPN) (08:05) - Home Office Runner (11:47) - What's Your Frequency, Kenneth? (17:48) - It's Always DNS (19:43) - Secure The Perimeter (24:05) - Game Recognizes Game (28:26) - Master of Your Domain (44:08) - Solutions, Solutions, Solutions (47:51) - Remote Workers Unite! Individually In Your Own Homes. (51:41) - Questions and Answers
