SensePost Training at Blackhat USA

What is SensePost infrastructure training about and what does it give you as a novice pentester? What does it give you as a pentester looking to move into infrastructure hacking?  Training at SensePost focuses on learning the Trade and not just the trick, thus our focus is on your testing methodology rather than simply showing you some cool tools. And what is this methodology you may ask, well it is one that aims to emulate real-world scenarios and push you into doing the attacks that are actively happening.

Inspiring Our Training

As a security consultancy, it’s SensePost’s responsibility to demonstrate the technical risk our clients face. With our training, we aim to give you the methodology to do the same.

Many consultancies would say demonstrating “risk” is easy. Simply running any of the myriad of available vulnerability scanners will return thousands of findings. Some of these will be exploitable, many will not. In our experience, critical vulnerabilities can often do no more than cause a Denial of Service (DoS) condition, while Informational vulnerabilities can sometimes be used compromise entire domains. These results need to be interpreted before they become useful.

The only problem is, the people who “interpret results” are not the people you really need to worry about. Simply interpreting results is knowing your tools, rather than the trade and the technical implications of detected issues. The people you need to worry about are the attackers who care little about what version your firewall is when it’s trivial, and often more rewarding to socially-engineer your secretary.

This is the real risk organisisations face. This is the risk we need to demonstrate, and the only way to truly demonstrate it is to do what attackers do in the wild and not emulate other penetration testers. 

This is what we aim to emulate with our training at SensePost. By the end of the training you should be eating, sleeping and breathingthis approach.  The approach to becoming a successful penetration tester is demonstrated by drawing parallels between published hacks and SensePost’s tools and methodologies as provided in our training. Take the 2015 breach of Hacking Team for example.

Whilst Phineas Fisher doesn’t disclose how he initially compromised the network, he recommended the same social engineering strategies commonly employed by determined attackers. These are relatively simple, and very well documented and yet utterly brutal when done right.

Once inside the network, the first step is to enumerate as much of it as possible. Phineas Fisher talks about using Responder to passively enumerate hosts, and this is an excellent strategy. Adding to it, SensePost queries various aspects of an organisations infrastructure, such as listing available name servers, and seeing whether any of them are zone-transferrable. Once these techniques stop yielding new hosts, we’ll port-scan the Class-C net ranges our hosts fall into for a short list of common ports.

Next, he mentions accessing unauthenticated NoSQL databases, but that is only the beginning. At SensePost, we call that a piece of “low hanging fruit”. Further to NoSQL databases, we look for unauthenticated X11 and VNC servers, as well as easily-guessable credentials for services such as MSSQL, Tomcat or JBOSS. Any of these can be used to compromise hosts, and gain a foothold in the network you’re attacking.
Once we’ve compromised hosts, we gather as much information from them as we can. Primarily, we check for credentials that have been stored in the registry, in configuration files, or directly in memory. Once identified, we use these credentials to move laterally through the network.

Phineas Fisher showed that a Domain Administrator was logged in to the first host they compromised, but this isn’t often the case, necessitating lateral movement. Typically, domain credentials are pulled from one of the hosts compromised in the previous step, and are used to legitimately log into other hosts on the network. This process is repeated until a set of administrative credentials are identified. A mention of using PsExec, and WMI is made, good choices but at SensePost we’ll typically use PsExec through the Impacket toolkit or the Metasploit framework. All of these steps could be replicated using a mirade of tools, however, the basic priniciples remain the same, and this is what our training aims to convey.

Hard work pays off

While getting to this point seems like a lot of work, in truth this is when the attack really starts. Usually this is where you emulate attackers and not other penetration testers. Having Domain Admin creds lets you log into any server hosts or users workstations on the network, which opens all kinds of doors. You can record people through their webcams, and listen to them through their microphones, basically become a sleeper on the network looking for valuable information that can be exfiltrated.

Knowing a specific user’s credentials lets you log into their email account, which can be particularly useful if the credentials belong to someones secretary. This is the real risk faced by companies – not just basic flaws but what can be done when exploited by someone with a goal.

Join us at Blackhat USA

What we’ve successfully achieved is putting the above approaches into 18 hours worth of content so you, the student, can really learn how to discover, target, exploit and reap rewards against your own training instance. This is not a course where you mimic other penetration testers, but where you step into the shoes of an attacker. Join Etienne, Keiran and Dane at Blackhat USA and learn how to be more like Phineas Fisher and understand how attackers work.