Intro to Using Defense Hacking Tools with Jordan Drysdale and Kent Ickler
Hello, everybody. And welcome to today's Anti-Cast with Kent and Jordan. I'm super stoked for them to get started because they always bring, like, some entertainment to their webcast. And it's always like a surprise to me like what they do. So I'm really excited to see what they bring today.
Zach Hill:Jordan or yeah. Jordan said that he didn't have anything planned and that makes me scared. So I'm gonna head backstage so they can get started. You guys have And I'll come back when there's like five, ten minutes left. We'll do some Q&A and go from there.
Jordan Drysdale:I think the actual words you used were, did you bring anything spicy today?
Zach Hill:I did.
Jordan Drysdale:I did.
Kent Ickler:You don't go anywhere without something spicy.
Zach Hill:Can't wait. Alright, y'all have fun.
Jordan Drysdale:Thank you very much. Appreciate it.
Kent Ickler:Hey, everybody.
Jordan Drysdale:Welcome everyone. Appreciate your time, consideration for us.
Kent Ickler:So you may have noticed, the most astute may have noticed, that I think this webcast was discussed out in the community three different ways. One of them was Intro to Hacking Tools, one of them was Live Demonstrations, one of them was Intro to Defensive Hacking Tools. So here's a fourth one, Intro to Hacking Defense Penetration Testing Tools, but now with a little bit of AI.
Jordan Drysdale:And documented a little differently as well, so we did drop the Lab Building 101, which was all live, full demo. This one is not that.
Kent Ickler:Here's what happened. We did our last webcast and we did live demos the entire time and we didn't get through everything. We're like, how can we still get through everything we want to talk about? And the only way we can really do that is not to have the demo, which kind of stinks. But instead, we've got some good stuff coming up.
Kent Ickler:First off, we do have to talk about the executive problem statement. And this one's not a joke. It's actually somewhat legitimate. Okay. So organizations, they need to be able to identify security weaknesses and ideally before attackers exploit them.
Kent Ickler:Of course, in the roles that we have, we are the attackers, but we're also working on behalf of the organization to identify the security weaknesses. So it's a little bit tough, right? Our toolset consequently is more than just what attackers would use. Of course, we use those tools, but we also use other tools as well with our customers to help them identify and better understand their security vulnerabilities and weaknesses. So the reason this comes up though, I think, is that we talked a little bit in pre-show banter about what the job market is like right now.
Kent Ickler:And I know in a few years, it'll probably be much different, maybe it'll be completely different, I don't know.
Jordan Drysdale:That is the only guarantee is that the job Yeah, market will be that
Kent Ickler:is true. And one of the things that comes up is, you know, if you're just starting out in this industry, like where do you start? And what I wanted this talk to be about today is going through essentially a bunch of tools and tooling that we use very often. And how often is very often? Some of these daily that we're going to talk about.
Kent Ickler:Some of them are weekly. There is one in particular that I'll name that I haven't used in years, but it is still relevant so I'll talk about it.
Jordan Drysdale:I assume that's Recon-ng. Are you using that regularly?
Kent Ickler:We've automated it recently. Yeah,
Jordan Drysdale:that's fair.
Kent Ickler:That's fair. No, we'll talk about the one coming up that I haven't used in a while. But what I really wanted is like just essentially fire you all with all the tools that we use. Because if someone comes in and like, well, what does this do? How do you use it?
Kent Ickler:All these things are out there. In fact, the next slide that comes up is first and foremost, the tools that we use are Okay, maybe I shouldn't say Google and Maybe I should say search engines. Yeah.
Jordan Drysdale:Quality just isn't It's not there anymore.
Kent Ickler:So one of the things we do is you can't know everything, right? So if you come across a scenario, maybe you did a vulnerability scan and you found an exploit that's maybe it's a zero day, maybe it's a week old, maybe it's ten years old, maybe it is so old that like the realm of knowledge is no longer like relevant in today's society and it's completely deprecated but you still have to like figure out what the impact is. Google is great for, you know, being able to kind of leverage and grab all that information Mhmm. In somewhat a consumable means to do and get you at least pointed in the right direction. Of course, the Google index has been changing as of recently and I think every search engine kind of follows suit where we'll see.
Kent Ickler:But it's still an incredibly useful tool. Obviously, if we come across those things that we were not aware of, we do search.
Jordan Drysdale:Before you go on, there's a couple questions here. Is is the dead Internet theory real? Like, do you subscribe to that? Is it is the Internet dying in in the sense of pretty much just becoming totally filled with garbage?
Kent Ickler:So it's interesting because we know right now where we're at with AI is that AI is kind of we'll say is summarizing and aggregating everything for us. But at the same time, we know that we're losing some fidelity of that knowledge at the same time. So eventually, we end up in a scenario that if the indexing is occurring on things that we wrote, that humanity wrote, and then later on, the indexing is going to be looking and aggregating and summarizing with less fidelity the things that AI wrote. That becomes a circle where you lose fidelity of knowledge over time. So maybe I think there's a breaking point where someone says, wait a second, we actually need to do something different here.
Kent Ickler:From the perspective though of, you know, bots and automation and that type of thing where there is money in activity, there's money in interaction, and right now if you go to any of these social media platforms and you might argue that search engines are at this point social media somehow. But yeah, a lot of that is losing fidelity over time. And you have to go outside to find human connection to find good high fidelity content knowledge.
Jordan Drysdale:Okay. I'm gonna follow up on that and then I'd still have one more question. But is the encrapification theory also real? Like, okay, say it's not a dead internet. There's still useful stuff and it's fun and there's lots of things you can do with cats and GIFs on the Internet.
Jordan Drysdale:But like, is it true that all of our data is being collected? What we search is being monetized? Oh, yeah. And the results are getting lower and lower quality We always knew. Encrapification.
Kent Ickler:Most when you thought about it, how did Google make money? Right? They provided a free search engine and free is all subjective in that context, right? Because we always knew that we were the product. We shouldn't be surprised that we found out that we were paying for it with ourselves.
Kent Ickler:And I don't think that's too much of a surprise. In terms of, you know, like I said, the fidelity of knowledge is what I'm concerned about because what we know right now is that you can ask Google a complicated not Google. You can ask an AI chat platform, whatever, a complicated question and it will give you back a reasonable looking answer, but it might not be correct. And that's kind of why I talked about that reduction in fidelity of that knowledge. And if you start looking now and if AIs start referencing their own content that's been produced that is not correct, you end up in a scenario that is kind of scary.
Kent Ickler:At least in terms of knowledge curation, we'll call it.
Jordan Drysdale:Okay. Final question on this slide. Do you use DuckDuckGo personally? And if so, do you know which back end search engine they pay or do they maintain their own index?
Kent Ickler:I think it used to be Yahoo, but I don't know. Okay. And mind you, Yahoo would always be Bing, Yes. So it's
Jordan Drysdale:That is accurate. Yeah. So the back end of DuckDuckGo is Bing which is why That's why I said Yahoo. Because And it's low, I would say, I have to dig a little deeper to find the results I like. I am almost strictly DuckDuckGo.
Jordan Drysdale:I use DuckDuckGo browser.
Kent Ickler:Thank you. Now, I also have to dig a little deeper in Google.
Jordan Drysdale:That's right. Alright. Alright.
Kent Ickler:So Maybe this at parity. Despite the
Jordan Drysdale:fact that we're throwing search engines on a slide and pontificating about the internet, it matters. Like when we go to do tooling on some given challenge that is contextual to a scenario, this has gotten worse and worse over time, unfortunately.
Kent Ickler:But then okay. So now we got these, right? So now like it's great. We used to be able to say, hey, I need to, like, give me all of the command line arguments for this tool, right?
Kent Ickler:And it would send you to, like, the README page on GitHub or some blog, something. And it would tell you, like, that was from the author. It had all the information you needed. Now, these search engines are super great because they just tell you ahead of time, here's the command line arguments you want to use. And then you're like, sweet.
Kent Ickler:And you go to use them and they don't work because it hallucinated. It was like, maybe it is so well aware of what these command line arguments should look like that it assumed that they were there. And that's kind of why it talks about that fidelity of that knowledge is not there yet, we'll say. And there's definitely arguments that I'm not an expert on to say, will it ever get there? I don't know.
Kent Ickler:Right? Remember, it is like reading word per word to figure out what the next word should be. And yeah, maybe. Right now, what you need to know is these are effective tools. But you have to definitely read into them and use your critical thinking skills Yeah.
Kent Ickler:As much as you would on Google, right? Because you could definitely have run it on a troll website in Google that gave you wrong information as well.
Jordan Drysdale:That's fair. So I asked DuckDuckGo for a webcast intro, words for our last webcast, and some things about the ROADtools framework. It's not bad. I mean, it's not bad. It gets me to where I need to go.
Jordan Drysdale:Right? Help me write a PowerShell loop. I want to add a group member to a whole bunch of Azure Entra ID.
Kent Ickler:I think if you think critically about what it gives you back, it's gonna get you where you need to go. But it might not be a 100% accurate.
Jordan Drysdale:But let me throw one more thing at you. If the search results bring me an eleven year old Reddit thread, I am almost certainly going there to find the answer I want. I believe that pre-AI data and if you can see it's pre-AI data, like I put a bit more value in that response and result. Anyway.
Kent Ickler:But that's because it's that human connection. It's coming from I think. Yeah. I'm sure there's bots on Reddit too.
Jordan Drysdale:Yeah. And have been forever.
Kent Ickler:So let's talk some more tools that aren't search engines and AI. By the way, that was the little bit of AI. That's
Jordan Drysdale:it. Hopefully that's mostly it.
Kent Ickler:Know that the industry will change very soon about using AI more lucratively, we'll say, in pen testing. But for right now, we're going to go through some more of the traditional tools. First up, recon and OSINT. There's a lot here. There's a lot of different tools.
Kent Ickler:I think I called out maybe eight or 10 here. The main thing with these tools is you're trying to go out to the Internet, not just the Internet, but yeah, the Internet, open source resources, which one of the funnest ones I still find is in America at least, have essentially a lot of our legal documents are publicly accessible. So it's always fun to kind of see when we talk about open source and public, what does that actually mean? And it's more than just what's on the internet, right? But to help identify exposed data, breach credentials, domain credentials, That's kind of from the breach side, but then publicly available OSINT information and what that looks like.
Kent Ickler:Trying to take an organization and better understand what someone can gain about you by just knowing the name, knowing what your website address is, that type of thing. Trying to figure out and visualize, maybe measure what that online footprint looks like. And then taking up that next step is if you only know about the website or only know about the organization name, trying to then go to that next step without any additional knowledge of uncovering the potential vulnerabilities associated with that. So for example, if you have registered a domain name, are there contacts associated with the WHOIS record, right? That's one of those things we talked about like twenty years ago, but still relevant today in some capacity.
Kent Ickler:Most organizations use private WHOIS registration. So it's hidden, but that information is still out there, right? And then back to that credential breach information, that is huge. It's much bigger than it used to be: leaked credentials being saved. You know, if you have a browser, say for example, you've got a VPN portal, you think you're doing that correctly, you have your remote employees log in to the VPN and they're doing that from a website, well, they might save their password on that VPN website.
Kent Ickler:And then what device are they using? Right? And if that device is compromised, maybe it's their home personal device. If that's compromised, you end up in a scenario where their enterprise credentials could end up breached. And it's not because the organization didn't do a good job of protecting their information, it's because their employee didn't do a good job protecting their home system, which, arguably, how do you fix that?
Kent Ickler:And it might be that your remote employees need a dedicated device that is for nothing but work, right? And it's got a VPN that's always on. There's opportunities like that, but that has other risks as well. So that's really coming up. Flare.io is a great resource for that.
Jordan Drysdale:My absolute favorite. This thing is insane.
Kent Ickler:They've gone through and taken some of the, I don't even know how big their data set is, it's huge. But essentially allows you to do keyword searches off of all, not all, a huge amount of the breach data that's out there, as well as all of those compromised browsers. And we're finding it all the time, working with medical facilities and they're finding out that their patient portals. We do searches for our customers and we find out that their customers' data has been breached as a consequence and now they're seeing that rebuild, can report that through. And we're finding a lot of things like that.
Kent Ickler:That's scary when you think about it. If you're a large organization and you're not really controlling what your exposure is, it's kind of scary. Other tools out there, Recon-ng, Jordan talked a little bit about it. It's a little bit dated now. It's one of those traditional tools for recon.
Kent Ickler:It allows you to do some keyword searches and then use a bunch of API keys to pull information from a bunch of different resources and then combine them all together and build a report and kind of give you a profile, an OSINT profile of an organization. Have I Been Pwned is another one of those, I'm going to call it traditional layout. It's almost, say, legacy, but it's like it's been there for quite a while. The ability to put in an email address and get back the breaches that are associated with that does not give you credentials back, but tells you what kind of information was associated with a breach based off an email address. For organizations, they should be monitoring that.
Kent Ickler:Have I Been Pwned has a service where you can essentially, an administrator of a domain can go in and put their domain into that list, and then that is being tracked. So when a new breach comes out that has an email address associated with that domain, the administrator can get a notification about that, that one of their email addresses on their domain has been included in the breach. URLCrazy looks at things like domain names, and if there's a typo or domain, and for typo squats, some information there. And then of course looking for, you know, Pastebin searches. Pastebin used to be a huge one.
Kent Ickler:I wanna say eight, ten years ago, it was way more practical that there was not all these different I shouldn't say that. There were still deep web, Tor, whatever resources for breaches. But oftentimes what you found was breaches were just dumped into Pastebin. And that doesn't happen quite as much anymore, but it's still a valid resource to go look. On the same token, going through and looking at GitHub and seeing if an organization has accidentally put in maybe sensitive keys in a Git commit or maybe even released private code or proprietary code in a repository accidentally, that type of stuff.
Kent Ickler:BeenVerified is one of the data aggregators, we'll call them.
Jordan Drysdale:This was the first one I ever paid for, right? I paid for Yeah. BeenVerified for a while just to see what the data brokers had on me, on my family, on anybody I knew, right? I don't like it. It's really uncomfortable.
Kent Ickler:It's just not It's a great tool of Yeah. Most in, but uncomfortable the kind of data that's out there about, you know, an entity and a person, a family.
Jordan Drysdale:And that is basically for sale on the internet.
Kent Ickler:Yep. So we have some other ones there, hunter.io, great tool for doing some additional reconnaissance. Somewhat automated, but helps you build that profile of what that looks like, trying to get you an idea of what information you have out there, building that OSINT footprint.
Jordan Drysdale:And two things about certificate transparency. Do you remember when someone came to us and said, hey, we found something interesting in certificate transparency logs you might want to know about?
Kent Ickler:Yeah. So don't talk to my
Jordan Drysdale:Yeah, no. I wanna say this very delicately. You noticed that question there. It was delicate.
Kent Ickler:We'll put okay. Say for example, let's put it this way. Say for example, you have an organization and they have a VPN endpoint. And that VPN endpoint has an obscured name, right? Because security by obscurity is not great.
Kent Ickler:But anyways, the point being is that, so to do the transparency, what it's essentially doing is anybody that goes to a website that's HTTPS, the browser by default, is configured to go do a couple things. It's going to take the certificate that the browser received from the server and just validate it. So it's going to check like certificate revocation logs, make sure it's not in that, to make sure that this certificate is good. When it hits that CRL, it ends up in a log called certificate transparency logs. And what's interesting about those logs is it's transparent and it's publicly I won't say accessible.
Kent Ickler:It's publicly accessible, but more specifically it's indexed in a way that is queryable. So what you can do is essentially say, I'm interested in this domain. And it will give you back a list of the logs of all the different websites that have used that domain TLD. So if you do like google.com, it'll give you all the subnets when someone has accessed the web page of that subdomain. And it will list them all there for you.
Kent Ickler:So it used to be when we did like DNS subdomain enumeration, we'd have to go through and like guess DNS subdomains. And now you can just query a certificate transparency log. Because if there was an HTTPS website on that subdomain at some point, the browser has reported in and now it's queryable. So come out of the days of trying to hide DNS records. It's a little bit less practical now if you do any HTTPS services on those DNS records.
Jordan Drysdale:Alright. And point number two about certificate transparency logs and the way I use them. So these days we see a lot of WAFs, a lot of load balancers, a lot of firewalls, a lot of front end proxies. And what we often do here is say, okay, customer we're testing your web app, we're looking at your web application, we go check certificate transparency logs to find source potential origin IP addresses. And what this means is basically we're looking at the domain name, we're looking at certificate transparency and history and saying what IP addresses have been associated with these installations over time.
Jordan Drysdale:Then we may be able to jump past the proxy, find the origin servers and good to go. I guess
Kent Ickler:the privacy thing there is if you go to an HBS website, we've got Discord pulled up right now. If we go to discord.com, my browser has made a record that my browser went to discord.com. There's a privacy thing there too. Anyways, it's interesting. It's always DNS.
Kent Ickler:It is yeah, DNS is a thing. Alright, so let's talk now. We've built that OSINT footprint. We've kind of gotten a profile about what our organization, our target organization looks like. Kind of where do we go from there?
Kent Ickler:And there's a couple of great tools out here. This really talks about doing that next step. It's no longer maybe necessarily just trying to build a profile, but now investigating further, trying to find some of those weaknesses. Shodan is another great tool. It could probably be included in the prior Reconnaissance and OSINT tool as well.
Kent Ickler:Essentially, they have a really great, it's not 100%, but they have a really great index of Internet connected devices. So essentially, I want to make a statement here and I know it's not 100% accurate obviously, but if something is connected to the Internet, it has been scanned by Shodan and indexed. And that's not entirely accurate, but it's pretty close. And what I mean by that is, say for example, someone has a maybe a physical switch networking equipment that has been plugged in and they have the VLAN tagged wrong, so that switch got a public IP address, which means the management interface is now on the public Internet. Shodan would have scanned the public Internet to some capacity and may have indexed that to where someone could then search for a regex query about what that management interface looks like and get a list of all of them that are publicly exposed to the internet.
Kent Ickler:The example that I can give is I use a smart home hub at home. And I took some regex strings that I built based off the management interface of that and dumped it into Shodan. And it gave me a list of like all of them that were exposed that someone in their home or wherever it's installed at essentially gave it a public IP address or did a port forward for it, which is a terrible idea. Don't do that, please. But it kind of ended up in that scenario.
Kent Ickler:The next thing that's interesting about that though is this specific hub had a different like content on the screen if it was set for default credentials. Like you could read it and it's like, hey, default credentials set of default credentials, they haven't been changed yet. So I created a regex string that searched for that. And then I got a list of all of these different smart home hubs and smart home, maybe it's smart building hubs that were set for default credentials. And I think it's easy to see why that's a problem.
Kent Ickler:I remember there was a Big Bang episode where it's like, hey, we connected these things. Now we're able to, like, chain turn the lights on and off over the Internet. And it's like, hold on. And they set it up with a global IP address and now it's just turning on and off all the time because the Internet was just setting it and doing it and it's kinda like that. Alright.
Kent Ickler:Nmap, great tool, very useful. We use it for usually quick checks is how we typically use it. But it can do a full port scan and identify services and sometimes can identify vulnerable conditions or at least give us more information about the systems that are running, the services that are running. And then Masscan is great. When I talked about Shodan scanning the entire internet, mathematically, IPv6 is not possible, right?
Kent Ickler:IPv4, it's kind of possible. In fact, I would argue that it is possible. Masscan is a tool that allows you to essentially, en masse, fill a bandwidth and whatever pipe you give it, will be able to take it at added speed and be able to try to scan for Internet services and then give you back the ports and then you can kinda leverage that off into other tools like Nmap and things of that nature to find additional services. A lot there. Oh, I forgot to mention.
Kent Ickler:I do have a task for anyone that is so inclined. You'll notice that our tools do not have URLs attached to them. So I love this. So if anyone would like to go ahead and help us out by when you see one of the tools on the screen, just go ahead and dump a URL in chat for us for everybody else that would
Jordan Drysdale:Netter has a very interesting point here as well, sir. And that is that you can definitely DoS things with Masscan.
Kent Ickler:It's
Jordan Drysdale:Oh, yeah. It's very capable, especially if you've got the right drivers and things underlying and can actually reach some of the theoretical maximums this thing can do.
Kent Ickler:High level, it works at bypassing the typical network stack on, like, a Linux system. And it works directly on the hardware. So it ends up being kind of hardware accelerated, not really, but kind of. What's interesting about that is you can like fill the pipe that device is connected to. So if you think about most on the public Internet, they might have a gigabit pipe because their device is connected to a one gigabit service.
Kent Ickler:Right? What if it's in a data center where they have 10 or 40 gigabit service, and you say, Masscan, go like scan this organization's external IP addresses. But maybe the actual organization only has a one gigabit pipe, so you can accidentally or intentionally use Masscan as a denial of service. That may or may not be a felony. So be cautious.
Kent Ickler:Don't do it on purpose. Usually when that happens, it is accidental.
Jordan Drysdale:What do you think is behind scanme.nmap.org or whatever their public scanner is? Do you think it's beastly? Like is it huge and capable or could we all Masscan it right now?
Kent Ickler:I don't know. Decentralized, so a lot.
Jordan Drysdale:Oh, fair enough. Okay.
Kent Ickler:The root DNS servers are not just like a couple servers. There's too many. More than, you know, 13, whatever it is. Is it still 13? It was 13 when I did.
Kent Ickler:It was 13 when I was in high school. How about that?
Jordan Drysdale:That's an interesting point. 13 clusters for root DNS servers.
Kent Ickler:Thousands of DNS servers.
Jordan Drysdale:Don't know.
Kent Ickler:All right. So that takes us to the next step. Now on the public Internet, you might have an idea of here's our OSINT footprint. And now we've kind of found these services that are operating on these different Internet IP addresses, what have you. And where do we go from there?
Kent Ickler:And now we're kind of converged, and we'll talk about both external networks and internal networks, being able to do vulnerability scans. And there's a couple tools here we'll talk about. I mentioned much earlier that there is one tool that I haven't used in years and that's Nexpose. Just throwing it out there. Great tool when I used it.
Kent Ickler:And from the perspective of the version that I used was more geared towards vulnerability management, meaning it would scan for vulnerabilities and then it would help a security team over time reduce their overall risk with some metrics that are helpful for business leadership management. I'm more familiar with Nessus, which is kind of the industry standard for a long time. There's a tool in here I did not list, which is OpenVAS, which is still around hanging out, the open source kind of version of these. Nessus, of course, does have the Vulnerability Scanner tool, which we're more familiar with. But it does also have the more enterprise versions, which have similar vulnerability management platforms.
Kent Ickler:So you're also able to do that vulnerability management risk reduction over the course of time. But essentially, these tools will allow you to take those those endpoints that you're interested in and tell you if there are any likely vulnerabilities on them. And there are false positives. There are also false negatives. So you have to kind of take this and think critically about all the results here.
Kent Ickler:Nuclei is another great tool. Nuclei is one that's been around for a couple years now, but is getting really good and it's getting fast. Not necessarily a replacement for a commercial tool but it's getting really good and it's interesting, kind of up and coming and allows you to also build new modules for it. The community that's there supporting it has been
Jordan Drysdale:Let's just say Project Discovery is awesome. Yeah. Like plain and simple. They have a ton of awesome tools.
Kent Ickler:Yeah, I wouldn't say that any of those three are not on equal active development, but Nuclei being open source is definitely making
Jordan Drysdale:Do you remember the one Matt Hussein built? Is that still out there? The vulnerability scanner? Yeah. The name of it either.
Jordan Drysdale:And then there was AlienVault's scanner. I mean over the years, I think we have seen every single vulnerability scanner at some point.
Kent Ickler:I wonder how many start from OpenVAS and then say, this OpenVAS interface is kind
Jordan Drysdale:of tough. This is not great. Yeah. But we can make this commercialized. We can in crapify this.
Jordan Drysdale:That's not what commercialized means.
Kent Ickler:So I see where you're going. Arguable. All right. So if we go from vulnerability scanning, now maybe we've got a list of vulnerabilities we're more interested in. We'll talk about vulnerability exploitation.
Kent Ickler:That's kind of taking into that next step. Say, for example, the vulnerability scanner identified maybe a remote control exploit that we could do that we might be able to remotely access the system and gain some access to it. Where do we go from that? And what tools can we kind of use to help us get there? Metasploit is the first one I want to call out there.
Kent Ickler:A huge, huge framework. A lot of information there, a lot of tools there. So there's great coverage. If the vulnerability was significant and public, there's probably a Metasploit package for it. And it's as easy as kind of going in there and you open up Metasploit and you say search and you can search for the CVE number or search for a keyword, get back the module and then set up that exploit and it's all there.
Kent Ickler:So it's really a great go-to. It's kind of one of those again, I'm using the term legacy here. It's not legacy, maybe traditional. What will be interesting is when Metasploit becomes Metasploit AI, that's going to be kind of crazy. Maybe it's happened already.
Jordan Drysdale:It's guaranteed under the hood somewhere they are researching how
Kent Ickler:to I'm make that sure someone's built integration for it, but it's coming, right? We know it's going to happen.
Jordan Drysdale:Definitely.
Kent Ickler:So then what happens if it's something that Metasploit doesn't have? Well, revert back to slide one, which was talking about search engines. Slide two is talking about AI. We have been in situations where it's like, I've got an exploit. I can see what I want to do, I can see the pathway for it, but I can't quite figure it out.
Kent Ickler:We now can just go ask Claude or ChatGPT or whatever, hey, here's my scenario, can you help me write some proof of concept code for this exploit?
Jordan Drysdale:Would one ever consider reverse engineering what Nessus does?
Kent Ickler:Yeah.
Jordan Drysdale:I mean, they've got... I'm just curious.
Kent Ickler:Yeah. Okay.
Jordan Drysdale:Like they've got a bunch of exploit code. Could you ask a search engine now, hey, I see it told me that this exploit exists. How did it verify, and can we reverse engineer that? Sure. Or is it completely protected by all the legal wherewithal of a gigantic corporation that's probably
Kent Ickler:Not gonna be traded one day.
Kent Ickler:I haven't read their terms of service in a while. But let's say that Nessus identifies a vulnerability and you can't find any public exploit for it. But Nessus, in the finding, says that it exploited it. What do you do? I mean, if I'm out of options, yeah, that's an interesting perspective.
Kent Ickler:Do I do some Wireshark and capture what's happening with Nessus to see if I can figure it out and reverse engineer it? Well, before I would do that, I'd go back and check the terms of service to make sure that it's legal to do so, is the right answer.
Jordan Drysdale:That makes sense.
Kent Ickler:And I appreciate that that's what you do if you
Jordan Drysdale:This conversation is protected by legal counsel and is confidential.
Kent Ickler:Anyways, so I would use AI. I would certainly, you know, go that route. I would take everything it says and think critically about it. But if you're at a point that you're stuck, just go ask it. It's just kind of like Google Maps.
Kent Ickler:You go ask, you get the AI summary at the top anyway. And when someone watches this talk ten years from now, that's probably going to look completely different and who knows what it'll be. Exploit DB has been around for a while. So usually we find some good parity between Metasploit and Exploit DB. If it's in one, it's probably in the other, but not always the case.
Kent Ickler:There are vulnerabilities that Metasploit doesn't have coverage for yet that you might find in Exploit DB. Exploit DB is more real-time-ish, meaning that if a zero day comes out, you might be more likely to find it on Exploit DB.
Jordan Drysdale:apt update, apt upgrade Kali, searchsploit, string, boom. Maybe a recent Python.
Kent Ickler:And the next one is GitHub. Of course, searching for proof of concept code or exploit code on GitHub is interesting because you need to read it first before you use it, because there is exploit proof of concept code out there that just infects your system or the target system with malware, gives someone else access.
Jordan Drysdale:Was it the KRACK WiFi thing that came out? The most commonly resulting search for the KRACK exploit was a GitHub repo that had you run a series of commands that sent a reverse shell to the author. And the author was intentionally posting the results to say
Kent Ickler:Don't do that. Why didn't you read the code? Yep. Which is interesting. Someone put on there choose wisely.
Kent Ickler:Yeah. Essentially, question everything is the other side. So just don't blindly trust someone else's code on the internet. Despite, you know.
Jordan Drysdale:Might be. Has a reverse shell out there? He's pretty much forked all of GitHub at this point.
Kent Ickler:All right. So let's go through, and you've done that reconnaissance. You've done some additional information gathering, used Nmap, did a port scan, did Nessus to find vulnerabilities. You now want to maybe do some more targeted investigations about web applications, and there are some different things you can use to do that. There are lots of options out here.
Kent Ickler:One of them that's not on here is Nuclei, because we already talked about it. Nuclei being a vulnerability scanner that really targets web applications. Great opportunity there. Some of the ones here, EyeWitness and GoWitness, are very similar. EyeWitness is a Python application that essentially you give it a list of URLs and it will go take screenshots and capture some information about that and put it into a consumable report.
Kent Ickler:And what's nice is it'll also go through and categorize things. So say if you do this on an internal network, you essentially get a report of like, here's all the network switches that had their management ports exposed. Here's all the API endpoints, and so on and so forth, all in a report. You scroll through them, you find some information. And typically, what we're looking for in internal networks is like, hey, there's a printer.
Kent Ickler:We'll try to log in to the printer with default creds and see if LDAP integration is set up. If LDAP integration is set up, we'll redirect authentication, of course, to something like Responder and capture the creds. So EyeWitness is the tool to help us be able to visualize what the web applications look like. GoWitness, very similar. Different tech stack on that, but similar output, a report of that.
Kent Ickler:And then finally, Burp Suite, which is huge. Burp Suite, a great tool for essentially doing web application security testing.
Jordan Drysdale:Do you regularly browse the Internet through Burp Suite?
Kent Ickler:So it's interesting. When I'm doing pen testing... Sorry to throw you off. Yeah. When I'm doing pen testing, basically the entire pen test is pushed through Burp Suite. And then there's some passive things that it checks for that maybe Nessus didn't catch or whatever.
Kent Ickler:I have before; you get varied results, cookies get messed up. Some of it's scary. Some of it's scary. You see things, no, I don't want to get into it too much. Anyone here follow the Honey application and what they were doing with cookies to essentially, let me use the right words here, procure, steal, change.
Kent Ickler:I don't know. Not steal. Steal is not the right word. But capture, maybe, affiliate revenue that they should not have had. If you proxy all of your traffic through Burp Suite, you would have seen that happening, right?
Kent Ickler:But when we use a contemporary web browser, maybe Edge, Chrome, whatever, you don't see that. It's all happening in the back end. You don't realize that when you load a web page, that web page is looking at all these other different cookies from other websites that you visited. That's all happening in the background, and of course, the browser doesn't want to tell you that it's happening, because then you'd start distrusting all the websites you go to. Burp Suite starts calling all that out and you're kind of able to visualize that, see it.
Kent Ickler:But, yeah. Huge tool for application testing.
Jordan Drysdale:And Caido. I've heard Caido on... there's a couple podcasts that are like bug bounty and they talk about Caido.
Kent Ickler:Yeah. Yeah. That is another one.
Zach Hill:For sure.
Kent Ickler:Also, the one that's more open source traditional is the ZAP proxy, which is still out there.
Jordan Drysdale:Gonna steal a quote here from Bibi that is basically, we ask our browsers to be this very thin veneer between us and the horrors of the Internet. We ask it to trust, we ask it to separate session IDs and maintain security of our data. We ask it to be fast and efficient. And all of these things kind of combined should keep us very, very nervous about our browsers and their security.
Kent Ickler:And browsers are the endpoint right now.
Jordan Drysdale:Yeah, absolutely. Which is why we make this argument lately that the workstation, the desktop, the endpoint is the edge of your network now. It's not your firewall, sure. Great. I mean, that's an egress point.
Kent Ickler:We know what's happening, right? Because if you think of what Zero Trust was seven, eight years ago when it was first coming out, Zero Trust was: the LAN is untrustable. The wireless network is untrustable. Everything about how you connect a device is untrusted. So going to Zero Trust says, if the network's not trusted, you need to re-identify and re-vet every connection.
Kent Ickler:Essentially, I'm kind of paraphrasing and summarizing it, but from that perspective, you know, just because you're on the LAN does not mean that you should be entitled to things. Anyways, going from there, going from what we just talked about, vulnerability exploitation, now looking at a local system, what can we do on local systems? There's a couple of tools we often use. PrivescCheck is a great one. Does things a little bit differently, whereas Nessus kind of looked at what ports are accessible on a system.
Kent Ickler:Being logged into the system, we can run things like PrivescCheck. And it will essentially go through and check a bunch of different methods of taking the current user context, or whatever you have on that system, and being able to privilege escalate in some capacity, and give a pathway for doing that. Awesome tool for that. I don't even have a great example of different ones we can do. Things like, say you've got a service running on the machine and you go into services.msc, you pull it up and you can see the path of the service that is running. If that path is writable by the user context, the user can change the executable and then run the service as SYSTEM and end up being able to privilege escalate that way to the SYSTEM level. So things like that are very interesting. Seatbelt is another great tool. Seatbelt is more than just local system tooling and information.
Kent Ickler:Now, there's some great detailed information there. It's getting a lot of stuff in there. But gathering system information, you know, if you have a quick question, if you want a single tool to pull in a bunch of stuff that we typically look at and that would take a bunch of different tools to be able to gather, things like what's the AV running, what are the services installed, all the different platform things that are baked into Windows that are difficult to find, it puts it all in one place for us so we can do some quick audit checks really easily. You know, I say audit checks; what it also might mean is vulnerability checks as well. Things that aren't checked because they're not ports exposed, so.
Jordan Drysdale:WinPEAS is awesome and it's also a tool we have in our obfuscation pipeline so that we can run it. I mean, it's great. If you're on the far end of a C2 channel and have the ability to run .NET code or C, it's a fantastic tool.
Kent Ickler:All right, next up. So let's say we have a list of users. Let's say we have an Active Directory user account. We can go through and maybe query all the other Active Directory user accounts, right? And now if we've got a list of user accounts, we might do a password spray.
Kent Ickler:Here's a couple different tools for doing password sprays. The first one is DomainPasswordSpray. When someone takes the URL for this, if they could grab the original author's; the one that's shown there in the PowerShell command is actually a forked version that we have that's static. Grab the correct one for us. Yeah, DomainPasswordSpray, basically we're sitting on a laptop, we can run this and be able to do a password spray across the domain.
Kent Ickler:Very interesting. Password sprays on a domain, mind you: we've got a list of user accounts and maybe we've got one password we want to try.
Jordan Drysdale:Or not, right? Like this tool will auto ingest. Yeah. So two minutes to get that tool running.
Kent Ickler:Find the user accounts for you. It's great because if someone is using, you know, the password Summer2026Exclamation, we're gonna find it. And the reason we do it this way and not something like brute force is because we don't want to lock out accounts. In fact, if someone has a very aggressive lockout policy, three attempts in five minutes locks out the account indefinitely, to us that's typically a finding because that's a denial of service condition. It's just waiting to happen.
Kent Ickler:So be very careful when we do things like DomainPasswordSpray. Of course, there's other tools that can do that. NetExec, there's the command line for it there. Kerbrute is another one, using Kerberos to do that instead of NTLM. There's also, we talked about Metasploit a few slides earlier.
Kent Ickler:Metasploit's got several of these modules based off the type of protocol that you're logging into. So you've got SNMP, you've got SMB, you've got HTTPS, HTTP rather. All these different RPC, all these different protocols that are exposed by a system, Metasploit also has packages for as well. So yeah, still really helpful for us. When we went through and did that original OSINT profile for an organization, we're finding now passwords associated with users, employees.
Kent Ickler:And if we ever see in those passwords, we get the plain text passwords, right, in these breach credentials. If we see a pattern where it's like Organization123Exclamation, and it's shared between more than one account in these breach datasets, we know that's a password we want to run the entire thing in Password Spray for because we're probably going to get a hit somewhere. We see that all the time. Otherwise, we'll do the seasonal year exclamation point, still a good hit. Of course, that's because it's a complex password, not long enough though.
Jordan Drysdale:I would add a question here that's kind of based on the chat going on during the webcast now. What do you use to maintain documentation? So I'm going to say, real quick shout out to Obsidian, which is awesome. BHIS has its knowledge base kind of behind Obsidian, but front-ended, which is absolutely brilliant. I personally like Sublime Text for my initial note taking and then I translate that into markdown and get that into Obsidian.
Jordan Drysdale:What are you using these days?
Kent Ickler:Yeah. I am using Obsidian mostly. Markdown, readme files. And then, of course, I've got notes.txt in a folder called notes on my desktop.
Kent Ickler:So there's still that. There was a time ten years ago when we were all using OneNote and then we all realized that OneNote wasn't that great. Yeah, but I'm sure it's part of tooling, part of pen testing, part of all this.
Jordan Drysdale:You definitely need some kind of text management. Yeah. Yeah. Notes everywhere.
Jordan Drysdale:Every single day, some new form of notes. And then for a while, I was just creating a blog post. It's like, I want to remember this later.
Kent Ickler:Yep. We'll make a blog post so we can find it later on. Absolutely. All right.
Kent Ickler:So let's take a pivot now. Maybe you did find a couple user accounts and you're able to laterally move in your environment. Let's talk a little bit about Active Directory. The first one is a resume generating event when used in production. So don't run it in production.
Kent Ickler:Bad Blood is a tool that helps us build, well, I won't say vulnerable, but interesting looking Active Directory environments. And it does it by making a complete mess of Active Directory. So this isn't necessarily a hacking tool, but it's great for learning things. So from that perspective, don't run it in production. But we do oftentimes use this.
Kent Ickler:Oftentimes when we're doing a debrief with a customer, they want to see kind of like, hey, show me this in Active Directory. What does it look like? We can pull up an Active Directory environment that's been populated with Bad Blood just so that we can kind of demonstrate things, vulnerabilities, in an environment that's not just like having five accounts and isn't as exciting. It kind of makes it more real for the customer. They're able to relate it back to their own environment more easily.
Kent Ickler:Don't run that in production. AD Explorer, from Sysinternals with Microsoft, excellent tool. What's great about it is you can proxy all that traffic. We're gonna talk about proxies here in a minute. But AD Explorer, essentially, if you think about ADUC, Active Directory Users and Computers, it's an interface for sysadmins, typically, to be able to go and see what Active Directory is configured with in terms of user accounts, groups, computer accounts, that type of stuff.
Kent Ickler:AD Explorer gives you access to that information as a standard user. And that's the main thing I want to say here: Active Directory, it's an LDAP, right? It's Lightweight Directory Access, and it's giving you information about the directory. And it does so in a very permissive way, promiscuous way even. And it's just important to remember, it's just like a Rolodex.
Kent Ickler:If you walk into someone's office, you can scan through the Rolodex like it's 1985. From that perspective, that's its job. And people say, I didn't know that all of our users could read the telephone field on the user accounts. That's where we stored our passwords for the service accounts. And it's like, well, that's a terrible idea, but yes they can.
Kent Ickler:And we do find that all the time. We see sensitive attributes in Active Directory. This is where data is stored, and we've seen it in the description field, the comment field. It's just kind of weird to see it there, but don't store sensitive things in Active Directory.
Jordan Drysdale:I remember the last time we ran ADSH and we got a question that was, what is the difference between what Bloodhound reads from the Active Directory schema and what AD Explorer reads from the Active Directory schema? Oh, interesting. You wanna take a swing at that?
Kent Ickler:Yeah. In terms of AD schema, AD Explorer is gonna be more granular and complete.
Jordan Drysdale:Yeah, absolutely.
Kent Ickler:Because it is connecting directly to the AD database and giving you the schema, not only the schema but also the contents of the database. Whereas Bloodhound is connecting with the API calls or whatever method it's using to query Active Directory for specific information using LDAP, whatever protocol it is, but it's not looking at the database holistically. What you can do with AD Explorer is take a snapshot of the entire database, take it offline and then do analysis with that. And you essentially have a copy of all of the attributes in Active Directory that the user account that queried the snapshot was privy to, which is almost everything. It just does not include exceptionally sensitive things like password hashes, but it's there.
Kent Ickler:And then Bloodhound, going through that process of being able to make those queries. And of course, Bloodhound does a lot more. It will also not just look at Active Directory, but we'll start calling out and connecting to all of those computer systems as well, and capture information about those computer systems. And then being able to map that and analyze it. It gives us the ability to kind of visualize an attack.
Kent Ickler:Say maybe Bob in accounting for whatever reason is an owner of the accounting group, and the accounting group members have the ability to change a password of a service account. And that service account is logged into a server where there's a domain admin also logged in. So we can start to build a chain where we can get logged into that server and then capture domain admin credential from Mimikatz. So we can start to visualize a path like that that might be interesting and exploitable. More about Active Directory.
Kent Ickler:So those are kind of the initial tools we'll look at. These are very interesting ones. Testimo and GPOZaurr are, I'd call, more auditing architecture tools. But they go through and look at Active Directory, the stance, the health, the, I guess, overall architecture of Active Directory, and it tells you things that are not aligned to, this is where I would say better best practices, but I'll call them better practices. I'll just call them practices.
Kent Ickler:It finds issues that might be sensitive.
Jordan Drysdale:Well said.
Kent Ickler:The most obvious one I can point out here is if you have one domain controller in your domain, it will call out and say, hey, you have no high availability for your domain because you only have one domain controller. So that's the most obvious, like, high level one I can think of. Very, very in-depth. It goes and looks at replication, makes sure it's all good. The next one that's related to that is GPOZaurr.
Kent Ickler:It's going to go through and look at all of your group policies. It's going to build you a report of what's in all those group policies. And it's going to inspect those group policies for vulnerable conditions. For example, a vulnerable condition in a GPO that it might call out is, you've got your GPOs sitting out in SYSVOL, right? And that's where it's at.
Kent Ickler:And the GPO maybe is a startup script that starts when the computer boots. Say, for example, an admin at some point had gone through to that folder where the GPO is written, stored at in SYSVOL, and made it so that end users can write to it. And you're thinking, why would they ever do that? Well, they might do that because that startup script points back and saves data, like a log of information about that computer, back to that file share. This is a bad idea to do this, by the way.
Kent Ickler:I mean, you'd want to actually use a correct method for this. But if they did that, they would have write access to the startup script. And they could change the startup script to just launch a C2 at boot time in a GPO and then rain shells from everywhere. You're thinking that would never happen, except the reason I'm telling you is because it has. And it's not that uncommon.
Kent Ickler:So be very careful about that. GPOZaurr does a great job. It points out a lot of different things, but one of those interesting ones is when the SYSVOL file share for the specific GPO is overly permissive, it'll call that out.
Jordan Drysdale:Quick shout out to Evotec IT. Yeah. This is a very small shop. They do a lot of great things for open source, so if you're a contributor to open source, check out Evotec IT as listed here on GitHub and give them some follows, pull requests, whatever you can do. They do some great things for open source.
Kent Ickler:Now, there are some other products here. PingCastle is a commercial product that does something similar. It goes through and kind of inspects the architecture, the health, and the security posture of an Active Directory deployment. And also, the commercial version does a pretty good job of building a management platform. And I'm going to say management, I'll call that kind of loosely.
Kent Ickler:It more gives you a quantified value of your security posture of Active Directory, ish. When you first run it in any organization, it's going to be pegged at 100, saying everything is on fire. Go fix things. And that might be accurate. It might be blown a little bit out of proportion.
Kent Ickler:But the point is, if you run this over a course of time, you're able to pull that security posture, increase your security maturity, decrease the key number of indicators, and end up with a scenario where you have, let's just say, fewer reported indications of vulnerability, meaning that your management says you're doing a better job. I don't know. The quantified metrics of PingCastle aren't necessarily my favorite, but the data it gives you back for practitioners is useful.
Jordan Drysdale:Eight slides left, nine minutes left.
Kent Ickler:We got this, I think. All right. Keep going.
Jordan Drysdale:Right. Block check.
Kent Ickler:This is a bigger one, really quick. So SSH and proxychains. Here's what we do. If we're on an internal network and we're able to SSH out of that network, we'll do it with a reverse proxy. Because say, for example, we're operating on the internal network but not in a way that we can run some malicious tooling; if we can get an SSH connection out, we can expose the internal network to a system that we manage and control outside of that controlled network. And by doing that, we can run all that malicious code and just SSH proxy it through.
Kent Ickler:You need to be managing your egress for SSH. Probably what I mean by that is blocking it, except for certain conditions where it might be necessary. Yes, keep going. Proxychains is used for that. SMB file shares, this is a huge one.
Kent Ickler:We're still finding it all the time. We get dropped into a network. We've got, you know, whatever method we were able to get a user account with. And now we're going to run one of these tools, Snaffler, SnafflePy, or Manspider, SMB Share Hunt, to essentially go through and connect to all these SMB file shares and look for data. These all work off various means to identify sensitive data, usually off regex strings. And they're gonna look for things like passwords, like AWS keys, and we find it all the time. We're finding it to the point that, like, you might have file one, right, as your server, and there's a public folder, and inside the public folder is like 4,000 different files and nobody knows what's in them. Well, we've got a tool that's going to go through that and look for AWS keys in there, and we're finding it all the time.
Kent Ickler:So be very careful about that. If we find that information, we see what we can do with it, we report it back. But this really comes down to managing file shares. If you have a file share, you must manage it. And you manage it ideally with least privilege.
Kent Ickler:Just meaning that if someone doesn't need access to it, they don't have access to it. Also, the one that's not up here from a sysadmin perspective is FSRM, File Server Resource Manager. That can do the exact same thing in Windows as a feature and categorize and classify your files based off the content in there. You're able to do different things like change ACLs automatically, that type of stuff. Alright, next up, Kerberos Interaction.
Kent Ickler:Jordan, you want to talk about this one? You're talking pretty quick there.
Jordan Drysdale:I think you actually got yourself back on track here. There's five slides left now. So we use Rubeus pretty consistently. It's one of those great C# tools again: we're on the far end of a C2 channel, we can run .NET code, we pack Rubeus and use whatever we need to from the tool. We want a ticket, we want to talk to the CA, we want to do all kinds of interesting things; Rubeus does that. When we SSH out of an environment, we can proxychains Impacket. So these are tools where we're kind of down the road of we've established and we're moving into post exploitation; these tools become extremely useful for us on the far end of C2.
Kent Ickler:Addressing Impacket: it has lots of different stuff, but has some similar functionality. What's great about Impacket is, I said we could use that reverse SSH connection, that tunnel, to do this all on systems we control. We can use the SSH proxy to use Impacket on those systems remotely across that tunnel. So speaking of which, Jordan, I asked you a question earlier today. These are the Impacket tools of some version that I pulled a screenshot for.
Jordan Drysdale:Yeah. Yeah. There's some favorites here. It's missing
Kent Ickler:I know.
Jordan Drysdale:My current favorite, which is RegSecrets, right? If you're running EDR, there's a couple that are starting to pick up RegSecrets interrogations of remote systems, which isn't uncommon, right? You should be able to see that a system is interrogating, touching LSA, grabbing your SAM. However, RegSecrets, not listed here, is a great opportunity. We use smbexec consistently, wmiexec; this entire package of tools does something interesting.
Jordan Drysdale:getTGT, say we want a ticket issued to us, we can operate in Kerberos: username and password, getTGT, use the TGT to authenticate with -k, -no-pass, and use Kerberos credentials. reg.py, there's just so many tools in this kit that allow us to operate post exploitation in your environments.
Kent Ickler:Call out to addcomputer.py. Essentially, by default in Active Directory, standard user accounts, your typical domain user, nothing else, have the ability to create machine accounts in Active Directory. We can use addcomputer.py to create a machine account, or computer account, with a static password that we set, and then we can immediately pivot to the context of a domain computer.
Jordan Drysdale:How did I not say ntlmrelayx?
Kent Ickler:That's, yeah. That's huge too. Alright. Next up, pre-Windows 2000. So you're thinking it's like way after that.
Kent Ickler:We're a couple decades after that. Yeah. Pre-Windows 2000 computers are interesting in Active Directory by default. Back in the day, you think NT 4.0, we're way past that, computer accounts didn't rotate their passwords. When you joined a computer to the domain, its password was its computer name.
Jordan Drysdale:Lowercase. Lowercase.
Kent Ickler:Yeah. So predetermined. This script helps us go through and essentially take a list of all the computer accounts in Active Directory and do a password spray matching the computer account name with the correct predetermined password to determine whether or not it has a static password. If it does, we can immediately switch to that context and log in with that. Bear in mind that computer accounts are just like user accounts in Active Directory.
Kent Ickler:Since they're simply a security principal, you can use them to log in with. So be aware of that. But yeah, this gives us the ability to maybe find some accounts. When we find pre-Windows 2000 computer accounts, the computer accounts typically are not built before 2000. So just because it's called that doesn't necessarily mean
Jordan Drysdale:And I like that statement too; that's accurate. Just like GPPs, we still check for group policy passwords, we still check for pre-2K. My last test before break, guess what? Pre-2K systems.
Kent Ickler:ntlmrelayx. So the font gets smaller here. So a couple tools, we talked a little bit about an SSA's tool earlier. ntlmrelayx is great because if you can convince a system to authenticate to you, you can potentially take that authentication they gave you and just relay it somewhere else for some other means. ntlmrelayx is a great tool for that.
Kent Ickler:Responder is a great tool that helps you convince or coerce other systems that are on the same network as you to talk to you. And when they talk to you, you say, before I talk to you, I want your authentication information. They give that authentication information to you and then you can pass it off to ntlmrelayx to then go and relay out. DeepODM is another one. DeepODM does some specific, I'm not going to call them exploits, they're going to use Windows features to convince a system to connect to you.
Kent Ickler:And essentially it's credential coercion again. But then as soon as they connect to you, you want to relay that back off and utilize that authentication material elsewhere.
Jordan Drysdale:There's another great comment here and it's just simple: WPAD. It's me. Right? We offer WPAD to the network because browsers ask for it constantly. So if you have Edge, Internet Explorer on your network, it is asking constantly for a WPAD record.
Jordan Drysdale:When there's an adversary in the middle situation and we offer WPAD, guess what happens? Those browser credentials are relayed through the adversary and then we send them wherever we want. Manage your browsers.
Kent Ickler:Next up, about four or five years ago, everybody realized that ADCS was hugely vulnerable because default conditions and instructions in ADCS were a mess. Yep. So Certify and Certipy are tools that help us kind of analyze the environment, the Active Directory Certificate Services environment, looking for vulnerable conditions. There's a great meme here that still stands the test of time. We needed a CA.
Kent Ickler:We deployed it and forgot about it. We didn't configure it, and we were taken to the cleaners. That's all it takes. If you deploy it in the default state, you are blind to what's happening and you are probably vulnerable. So these tools will help you out with that.
Kent Ickler:Moving right along. You're so close.
Jordan Drysdale:I think you're gonna do it.
Kent Ickler:Browser hijacks. Again, we talked way earlier in this webcast that the browsers are the new endpoints. And when someone saves a password in their browser, that becomes a potential vector, a risk vector. There's a couple of tools that help us with this. If we're able to get on that system or have administrative control of that system, we're able to run some additional tools.
Kent Ickler:Chrome Elevator is one, DonPAPI is another one. Essentially goes through and looks in the system for their browsers and says, hey, are there any passwords saved in here for all these profiles on these browsers? And if there are, just gives it to them, Gives us to them and we can kind of pivot from there.
Jordan Drysdale:And if you're not monitoring your browsers for passwords getting stripped from them, that's under event ID 500145. There's some queries in there somewhere.
Kent Ickler:By the way, our classes talk a lot about event IDs. People like, hey, how did you know that? It's because we're ingrained in our heads from all that work. All right. It's the last slide.
Kent Ickler:We've got a class coming up February at Mile High in Denver. It's also virtual, so check us out there. Thank you, everybody. That was a fire hosing of tools. Thank you, everybody, for putting the URLs in chat.
Kent Ickler:Someone I mentioned someone I saw in chat said, hey, someone should, like, index this and and have AI read it all and then build, say, playbook or something. Hey, great idea. That would be awesome. If you want, yeah, fantastic. There's a lot of tooling there.
Kent Ickler:We didn't cover it. If your favorite tool isn't covered, I get it. We kind of focus on the ones that we use very common. The slide that's missing is SCCM. We'll get that next time.
Jordan Drysdale:Sure will.
Kent Ickler:Thank you everybody. Thank you. I'm Justin Craft Prism. Appreciate you. Yeah.
Kent Ickler:We got some questions.
Zach Hill:Yeah. For you all, if you if you have any questions that you wanna ask to Kent and Jordan, you can put them in the Discord or in the Zoom. I'm trying to, pay attention and queue them up as we can. For anybody who's looking for the recording, it will be available out on, YouTube after this. And if you did sign up via Zoom, you will get an email with a link as well.
Zach Hill:So definitely, stay tuned for that. And one thing that I I wanted to mention before I forget because I forgot to mention it earlier, there is a CTF for today's webcast. So if you guys are interested in competing in the CTF, it is going to, be related to the the material that you learned today. Let me pull up the link. It's going to be in our slide resources channel.
Zach Hill:So if you guys go to the slide resources channel, in Discord, you'll be able to find the link to that'll take you over to our CTF. So good luck to you all. We'll be picking, winners from that, next week on the newscast. So next Monday. So you have until next Monday to get your answers in for the CTF.
Zach Hill:Thank you for letting me talk about that. Anyway, if you have questions, we'll we'll get them answered here. And one of them was, how do you build the how do you build these skills, y'all? Like, somebody said that this seems beyond t eight, like, try hack me. So what
Jordan Drysdale:do you what's the best,
Zach Hill:you know, route for somebody to take who wants to learn more about everything that you just talked about? So
Kent Ickler:TryHackMe is a good place to start. So are all the CTFs. Good great place to start. What you just got was eight years of pen testing experience. Fire hosed at you.
Kent Ickler:So there's a lot there.
Jordan Drysdale:Let's just go ahead and add them together. Eighteen years of pen testing.
Kent Ickler:And then if you want to add another 10 each for IT generalized before that, you're talking about thirty six years.
Jordan Drysdale:That Let's just round it to forty.
Kent Ickler:That's forty years of IT experience for you.
Jordan Drysdale:Getting old now.
Kent Ickler:Does that mean that you have to work forty years to gain that knowledge? No, it's not worth saying. We're saying we're giving you the opportunity to learn this stuff and you know.
Jordan Drysdale:Yeah, Caitlin and Alyssa are happy to teach you and give you hands on assume compromise. Basically, action based activities. We teach the defensive side of that class, which is securing all of this mess. It's kind of our bread and butter where we came from, we spent ten years handling all these different networks, cultures, CISOs, policies, procedures, and came to this conclusion that we're probably at heart still blue teamers.
Kent Ickler:Yeah, think if we could get someone at our level and say that if we could help them not spend all the time we did getting here, you know, we're all for that. It's going to better the industry, it's going to better the world in some capacity, so that's what we're here for, trying to do.
Jordan Drysdale:Yeah. That's a great question.
Kent Ickler:Lots of missteps that I've taken to get here,
Jordan Drysdale:so So many. So many.
Zach Hill:I'm gonna throw a question to you all based on what you guys kind of said here. But with you guys mentioning all, you know, all the years of experience that you've had, and you might not have a good answer for those. At what point in your career would do you guys feel like you really started feeling comfortable in what you know versus what you don't know?
Jordan Drysdale:Do you feel comfortable, Kent?
Kent Ickler:What what is what is that what is that that curve? Do you remember the name of it? So I would I'd be a fool to say that I know everything. I'd be a fool to say that I know everything that I don't know or that I don't know everything that I do know. Whatever it is, I'd be fooled to saying those things.
Kent Ickler:What I can say is I'm comfortable knowing that I can use my resources to get where I need to go and be willing to like traverse that path to get there. Because if you if you hit an obstacle like what do do, stop or do you try to figure a way around it or over it or whatever And it's it's really coming down to that like, do you persevere through it and figure it out? That perseverance is sometimes 2AM when the rest of the family is asleep and you're staying up to do research. Right? So it really comes down to the perseverance and how much effort you're willing to put into it and yeah, it's tough.
Jordan Drysdale:Zach, still believe that someone's gonna call me and say, hey, we finally figured out that you still don't know what you're talking about.
Zach Hill:Yeah.
Jordan Drysdale:It's kind of that like You've been pretending to do this thing and you know what you're talking about, do you? Yeah.
Kent Ickler:Know, think that we can't know everything, right? So if someone says, but wait, what about this? Be willing to listen and be willing to consider the fact that someone else might know more than you. And the greatest thing about someone else knowing more than you is now you have someone you can learn from.
Zach Hill:Yes. Yep. 100%.
Jordan Drysdale:And I can tell you right now, Zach, I there's not a day goes by that I'm like, man, I'm comfortable in what I do. Jeez. This is I'm I'm great at this. I'm mediocre.
Kent Ickler:After winter break, he forgot his password and now I'd have the help desk help him.
Zach Hill:So That's Yeah.
Jordan Drysdale:Well, that's because it's one of the passwords that I don't put in a password manager. Right? Like, there's like 10 or 12 good passwords that I try to maintain and manage in my brain. The rest, like, the the throwaways go in the password manager.
Kent Ickler:It's filled with Yeah. The brain is finite. Right?
Zach Hill:So I brought up that question because for me, like I would much rather see people focus less on trying to know and understand everything and focus more on just being comfortable not knowing everything. And exactly, think what you had said, Kent, is knowing how to find everything and knowing like where those these resources exist. That's much more like that that's gonna better suit you out throughout your entire career and just being comfortable and like I and understanding that you don't have to be an expert in everything, you just have to know how to find it.
Kent Ickler:Can't be an expert in everything and you have you have to accept that.
Zach Hill:Yep. 100%.
Jordan Drysdale:Yeah. And I think we're getting more and more siloed isn't the right word, but we're we're needing to focus more and more because there's so much to know. Yeah. And I was like, remember being a sys admin? The argument we would make Zach to customers as a managed service provider is you cannot go hire someone who has the skills that our team has.
Jordan Drysdale:Period. Full stop. You can spend $200 on an expert that is not going to understand virtualization, storage, networking, end user desktop, compute, management of system services updates, inventory controls, file shares. I mean, you name it, you cannot replace like the skills of a team with an individual.
Kent Ickler:If your organization is big enough, you hire a team for every one of those things. If you're not big enough for that because that's expensive, know, an MSP looks like an attractive and cost effective option. If your MSP does have a team for all of those things. If they've got one guy that operates out of his car
Jordan Drysdale:Trunk slammer?
Kent Ickler:Sammy.
Zach Hill:Sorry. I was responding to somebody in the chat about your class being on demand. And I don't I I think we're gearing up to get that.
Jordan Drysdale:Yeah. ESH is close. There was a question back here that I wanted to address. Let me see if I can find it real quick. This is the problem with Discord.
Jordan Drysdale:Okay, let's see. So some customers, this this question is, I don't know that I could get my company to approve running some of these tools. How do you manage the security and get that trust? I guess the answer I have here is basically bring in a third party, work with your third party if at all possible, You may not have a budget to have a pen test come in. As you are communicating with your pen testers, tell them directly.
Jordan Drysdale:I would like a finding that says allow these tools to run-in your environment. Get it into the executive summary section. And I have a finding that I write up occasionally that says allowances for IT tooling. You you may need it. You may need a third party to come in and say that.
Kent Ickler:So I was doing an internal pentest recently. Just side note, but doing internal pentest recently and the customer is going to issue us accounts and they were they were following their stack, their their proper like SOP and I says, we have to have you sign this user account acceptance thing. This this disclaimer about how you will use this account that we're issuing us. I'm like, okay, fine. And I got the the like agreement and it had things like you will not hack, you will not try to access things that you are not, you know, supposed to access.
Kent Ickler:And I was like, I will sign this but I'm going to redline items that I cannot agree to. And they're like, you're what? No one's ever told us they're gonna redline the user acceptance agreement. I said, yes I am. So I sent them back the agreement signed with redlines through everything that I could not agree to and they said, we're not going to accept your redlines.
Kent Ickler:And I'm like, that's fine but I'm not not going to have an account then? How is this engagement going to go? And we said, well, let's work together. They sent my red lines back to their legal department. Their legal department updated their company wide user acceptance agreement to include caveats for the systems team and for the security team to be able to leverage these tools without breaking their internal user acceptance policy.
Kent Ickler:And I thought what a great op like what a great way to look at that is to if you go through and do that, yeah, it's great for the security team because now they're slightly protected or whatever. Whatever you wanna make of that. But now every single person that they hire has to read that there is an ex there is a caveat for the system for the security team because the security team is actively going to defend their networks by attacking. Right? And to have every employee that starts go through onboard training and have to read that actually goes a long way for that security awareness training.
Kent Ickler:So anyways, just a thought.
Zach Hill:Thank you, sir. Lord just asking, any thoughts on quality of pentesttools.com or any specific resources recommended for HIPAA pentesting, HIPAA blue team security?
Jordan Drysdale:That's funny. I'm at pentest tool pentesttools.com right now. And it looks like a commoditized version of a lot of the stuff we do.
Kent Ickler:It looks like a way to get money.
Jordan Drysdale:And I I would say it's probably okay, you know? If if they're claiming they have relationships with Starbucks and Rolex and Accenture and it it looks like they're publicly traded, probably well funded. The the product itself is probably mid, maybe better. I don't know. I don't I don't personally have experience, so I would hate to judge this product based on a website.
Jordan Drysdale:And also, I don't like giving third party platform advice or recommendations.
Kent Ickler:I do try to stay pretty vendor agnostic with open source, all the things. Except for Nessus is pretty strong. And I'm sure Nexpose and all the others are too, but Nessus has been around for a long time, kind of an industry standard for us. Yeah, and I I would say, I mean, Jordan was flying past it and I saw some very big accounting firms that have audit firms. Those audit firms are absolutely going to take your money to give you your HIPAA audit.
Kent Ickler:Yeah. And I bet they do a really good job because you're gonna pay them lots of money, so
Jordan Drysdale:And that's a fair point as well.
Kent Ickler:I don't think it's meant for practitioners though, I could be wrong,
Jordan Drysdale:but Early in the webcast, we mentioned context. So the context of testing an educational system is different than testing a medical institution, right? You have to be exceptionally careful inside a medical institution there's life and death mistakes that can be made. And that's not even a joke.
Kent Ickler:Yeah. The utility company that doesn't quite know where their OT network is?
Jordan Drysdale:Yeah. Or exactly. Like how many hospitals have you tested that are actually well secured? And let's say network blocked. I'm I'm missing a word here in my head.
Kent Ickler:I don't think any.
Jordan Drysdale:Yeah. Segmentation is questionable at best. So if you give me a block and I go discover more blocks and we run a scan and we hit an MRI, like, we we can't do that. So it's it's testing hospitals is a different critter for us. It's just it's just contextually different.
Jordan Drysdale:We have to be more careful. Same tool though, generally.
Zach Hill:Zoro Gaming is asking, what are some good resources for cybersecurity training for your organization? I'm gonna have to say Antisyphon training for sure.
Kent Ickler:Antisyphon is a great place to start.
Jordan Drysdale:John's classes are the best introduction you can get to pen testing, SOC, and cyber defense that exist. And they're free. Like, this guy will allow you to take his classes, I think, for 20 maybe? Sorry. So not quite free.
Kent Ickler:No. Free.
Zach Hill:But the
Jordan Drysdale:pay for what you can.
Kent Ickler:John's are free? Okay.
Zach Hill:They're They they start at zero.
Jordan Drysdale:They start at zero. And it is it is ridiculous to think that the knowledge in that guy's head be is being given away for free. But there isn't a better place to start in the industry. Like, I mean, you're gonna go like learn to hack some boxes to defend your network? No, probably not.
Jordan Drysdale:What you need to know is what pen testing looks like. You need to know how SOC operators work. And then you need to know cyber deception so that you can start to catch incidents early. Like right now, you're still at 220, 240 to from initial infection to detection these days. That's average per IBM.
Jordan Drysdale:That's unacceptable. We have to move the needle this way. Thus, working on cyber deception, that's such a great class.
Zach Hill:Love it. Here's a great question from Josh Wells. And they're saying a lot of job description seem to want you to know everything. And you guys mentioned here at the beginning, people looking to make entry into the industry. Do you guys, based on all the years of experience you have, what you guys are seeing these days, any tips for people getting their first opportunity in the field?
Kent Ickler:I'll go back and first say that great job description that has everything in it. Impractical to think that everyone's gonna be an expert at all of it. And that's why we're kind of saying that wherever that job description is, the applicants are probably gonna get filtered by AI. So if your your resume has all those has all those things, great. It does come back to if you haven't a job description that you're applying for, great.
Kent Ickler:Because now you know everything that they're gonna ask for so just make your resume say that. I'm not saying lie about it but you know what you need to get through to get through that filter. More practically speaking, I said that AI is now reading all the applicants and AI is now doing all the applications, so it's a net zero. You have to do something else besides apply. From that perspective, it's gonna be networking.
Kent Ickler:If if you wanna be serious about cybersecurity, if you wanna do pen testing, you have to be able to network. Get your name out there, volunteer, you know, be at the your local conferences, get a name for yourself because that is going to allow you to walk into a job rather than trying to compete with the 10,000 other people that haven't done any of that stuff, but think that they're going to walk into that job and they're not. It's gonna be the people that stand out.
Jordan Drysdale:And then, let's add this. Say you get your first job in cyber. One, be hungry. Maintain consistent hunger and desire to grow. We mentioned a bunch of tools in here.
Jordan Drysdale:We have to be agnostic with operating systems, with our text editors on Linux endpoints, with the text tools we use on a daily basis, with the tools we use, so maintain hunger, keep growing, you're gonna have to. Make sure the organization that has hired you and brought you in understands that you are interested in what they are interested in. What I mean by that and being more specific is, if you're hungry, ask them how to show value. How can I demonstrate my value to this organization? Grow, you have to grow.
Jordan Drysdale:And it's going to be a constant state of change. We don't know what's coming with AI. We don't know if all of our jobs are gonna be automated. I'm assuming in the next five years, pretty much everything I do will be automated and then every tool I try will be caught because AI defense mechanisms are better than I am.
Kent Ickler:So that's
Jordan Drysdale:zero. It's just it's wild out here. Like everything is changing. Demonstrate hunger, passion, be a good person.
Zach Hill:Yeah. I couldn't say any of that better myself. Thank you, guys. I don't see any other questions come come in recently. I don't know if you guys saw anything that you wanted to answer, but do appreciate you guys coming here, sharing your knowledge with us as always.
Zach Hill:And if you guys want to check out and learn more from Jordan and Kent, they're gonna be joining us at Wild West Hackin' Fest this year. It's next month. So February thirteenth or tenth through thirteenth, something like that. It's on their tenth through eleventh. Well, no, tenth through the thirteenth.
Zach Hill:Pre conference training is tenth and eleventh, and then the conference is, eleven, twelve, and thirteen. And you don't have to be there in person. You can sign up virtually if you'd like. And if you aren't able to make the virtual events, you will get access to all of the recordings. So even if you sign up for one of the classes, you'll get access to that recording as well.
Zach Hill:So if that's something you're interested in, definitely come and check it out. We'd love to have you. Would love to see you as well.
Kent Ickler:I I love that, Zach, because our classes are kinda dense. I know someone said I was talking fast. Those glasses got a
Jordan Drysdale:lot in them. Glasses just like that too.
Kent Ickler:It's good that they're recorded. You can watch them in the evening. The only time
Jordan Drysdale:he takes a break is when he's like, hang on, I need to Alright.
Zach Hill:Awesome. Love it. Alright, y'all. Well, we appreciate you being here. We don't have a a webcast from Black Hills this week, but we will be back next week.
Zach Hill:And I should know who's coming up, but I can't think about it right now. Next week, we have I think it's Fawn. It it is. It's Fon Russo. I'll grab the link for that.
Zach Hill:He'll be joining us for our Anticast threat hunting malware communication over DNS. That actually sounds like a lot of fun. We have a AC webcast on Friday. I don't see that on my calendar, though. Gotta get that added.
Zach Hill:Yeah. Anyway, we hope to see you all next week. Thank you again, Kent and Jordan. You guys are phenomenal as always. I can't wait to see you guys in Denver, and hope to see some of you all out there in Denver as well.
Jordan Drysdale:Thanks, Zach. It's been a great ten years, sir.
Zach Hill:Congrats on that, by the way.
Kent Ickler:Congratulations on your ten year anniversary. Is that
Jordan Drysdale:okay? Thank you, buddy. Okay. There we go.
Zach Hill:Appreciate Alright, y'all. Have a great day. Take it easy. Kill it with fire.
Jordan Drysdale:Sonny, cheers. Kill it with fire.
Zach Hill:Kill it with