Hello everyone. Good afternoon.
And thank you for coming to the session today. So, this is a workshop. I've modified it slightly.
So, this is a workshop which is all going through hacking gamification. And it's all about kind of teaching you, you know, hacking techniques. The techniques that attackers use globally. And these are used in a lot of incidents that I see and respond to.
So, I see these in the real world. I'm going to focus a little bit on some of the identity side of things.
So, some of the identity compromise and identity-based risks. This session itself, what I've done is split it into two parts.
The first part is really going through, you know, the idea of gamification: the value it adds, the different things you can learn from it, the different platforms that exist. And then in the second part, I'm actually going to be taking a risk as always, which I enjoy doing, which is going to be doing live walkthroughs. I'll actually be taking several compromised machines and doing live walkthroughs, but I'll be teaching you the mindset.
That's really the important thing is you're going to learn the mindset, my thought process, as I see information, and as I interpret that, and then look for ways in order to gain access to machines. So, it's broken into two parts.
So, first part, educational. Second part, the practical side. No matter what skill or what knowledge you have, it's for everybody. There will be technical, you know, some deep technical side of things, but no matter what level you're at, you'll be able to learn. I'll try to keep it basic enough and also explain as we go through.
So, first of all, my name is Joseph Carson. I'm the Chief Security Scientist and Advisory CISO at Delinea, and I'm a security researcher. I've been in the industry for over 30 years now. I know you're going, this guy, how can he be? He looks so young. He looks like a kid, you know. But I've been in this industry for quite a long time. I'm based in Tallinn, Estonia, but before you start saying my English is really good for my second language, it's not my second language. I'm originally from Ireland, so hence the poor English that I have. But hopefully that will not stop you from learning today.
We have a lot to go through. I'm really excited about today's session.
Normally, this session is a lot longer. Normally, I would also have you go through the walkthroughs yourself.
So, some of it would be setting up your machines, getting you online and connected, and we'd all walk through together. I've modified it slightly so that I'll be doing the walkthrough, but you'll be able to take the information away.
Later, I'll try, if you're interested in getting some vouchers and access to the platforms, I'll make that available to you. I also make my own write-ups as well.
So, I do a lot of my own write-ups for the machines that I do. And therefore, if you're interested in those write-ups as well, I'll be happy to also share those with you as well.
So, we're all ready to get started. And a quick question: who in the room does capture the flag or hacking gamification today?
Okay, we have about three hands up, almost, like 3.5. I was like, almost.
So, okay. So, some of this might be familiar with you.
So, but hopefully, the mindset process that I'm going to share with you will be the value. But for everyone else, hopefully, this is going to be the start of your gaming career because it's fun. That's the best part of actually the industry.
So, first of all, the disclaimer and ethics is I'm going to be showing you real techniques. I'm going to be showing you basically the techniques that attackers use.
And again, these can be used for both good and bad. So, as we go through this, what makes us different from criminals is we do it with authorization. We do it with permission. We do it in safe environments.
You know, the intention here is to do no harm. The motivation is learning and education. Also, follow the law. Make sure you understand the laws of the places that you operate from and are located in. And make sure you're operating within the laws of those locations.
And again, it's educational purposes. So, it's to learn.
It's to, you know, learn about how to make your organizations, your social sphere, your family, the world that we live in a safer place. And that's ultimately my intentions is to make sure that everything we do online is that we do it with basically in a safe manner, in a safe world. And hopefully, this will actually help you along those lines. Who is this session intended for?
If you're, you know, a pentester getting started, you want to learn more of the different skill sets, because there's a wide range of skill sets in the whole pentesting area. If you're in incident response, if you want to be able to learn how to go through and look for the indicators of compromise, look for the actual evidence that helps you respond to incidents.
So, if you're in incident response as well, that's another area that you can use this for. Actually, the third scenario that I'll be going through this afternoon is that I'll be taking my ransomware environment and I'll be walking you through me as an attacker attacking an organization, and then ultimately getting to the point of deploying ransomware.
So, the third part of that is going to be a ransomware walkthrough. If you're also an IT system administrator, if you're responsible for setting up secure systems or just setting up infrastructure for your organization, this will also get you into secure by design, secure by default, into thinking about how you can make sure that when you're going through and implementing the infrastructure and IT systems that the organization is going to use, you're actually doing it in a secure manner.
If you're in IT security and you want to understand what security controls make it difficult for attackers, this is also for you. If you're in auditing, sometimes you want to understand what controls can be put in place, how to make sure you actually get the governance right, and what security controls can be applied to, again, make sure that you're actually reducing the risk for organizations. This is also for you. If you're like me, I'm just a geek. I love technology. And it's my passion.
So, if you're anything like me, if you just love technology, this will be educational for you. So, gamification, the beginning. It really started a long, long time ago. It's been used ever since technology started being used by society.
You know, in the 60s, gamification was heavily adopted. When I got involved, it was in the 80s. I got heavily involved in games. I went to our local bowling alley. And what the bowling alley had was tons of arcades, Street Fighter. It was lots of different games that you could actually enjoy.
So, gamification has been around for a long time. And it's something that, you know, sometimes we look at it as just another kind of waste of time. But it actually is very educational, depending on the game style you play. This is me, actually, when I was younger, just starting my IT career.
Actually, so that's me on the right-hand side with my old friend, Dimitri. And you can see there my first computer, which unfortunately, you know, I wanted an Atari 2600, which is not what I got. I got an Atari ST-800XL running BASIC.
So, that's where I started my first programming. I created a football league program in order to determine the league tables and the scores and point systems. But it also got me big into gaming. I love gaming. And that's really where my passion and love for games started.
And, you know, where I couldn't afford games, I actually had to write them myself. I had to write them in BASIC. And therefore, from that, it really set out the career path that I chose. And actually, ultimately, getting to the point where I'm in front of you today.
So, gamification is where it started for me. And ultimately, when we think about the world that we live in from a security perspective, cybersecurity is almost like a game of space invaders. We have all of the bad kind of attackers out there, you know, trying to gain access, trying to get by your defenses. And ultimately, we are trying to make sure we stop them from gaining access. We stop the attackers from getting in.
So, therefore, we're always looking to continually evolve our defenses, keep the attackers out, and make sure we keep the organizations that we're tasked with protecting safe from the attackers. But ultimately, we also have many industry challenges as well. When I started my career, I spent seven years at university to get into this industry. We can't wait that long anymore. We have a massive skills gap. We have a massive resource gap. We have also a massive reskill gap as well.
Because even the technologies we used five years ago are sometimes not even relevant today. So, we have to make sure we're also spending a lot of time keeping our staff and our resources up to date. And also making sure we're efficient at onboarding the new talent coming into organizations.
So, we actually have a massive challenge about how to make sure that we keep our skills and our resources sufficient to keep the organizations that we're tasked with safe. And that's also been challenging as well. As we've adopted lots of new technologies, we've seen a lot of transformation, digital migration to cloud environments, multi-hybrid cloud, which also means that the skills and knowledge in order to protect those are very different from traditional. We also have a change in remote working as well. A lot of employees are still working remotely.
Again, the way that we make sure that we keep those employees and the access they have protected also involves some changes as well. And of course, now we've got AI as well. It's not only just protecting the use of AI, but we've also got AI algorithms in our environment, and we're also protecting the access to those.
So, we've got lots of industry challenges. And for me, gamification is a way to solve a lot of that. It's a way to make sure we keep our skills current. It's a way to actually task people with actually getting the knowledge and ramping it up really fast. Because also, what's great about it is it gets to the practical side very quickly. It teaches you to think and gives you challenges and puzzles. Sometimes I think about gamification. Anyone ever does an escape room, that you go into a room, you've got an hour to get out?
For me, hacking gamification is almost the exact opposite. You've got a room that you need to get into, and you've got to figure out all the puzzles.
So, it's almost like the reverse, but it's the system versus you, having the puzzles and challenges to get in. So, for me, it's a puzzle. And looking at it, it's also me going through and understanding what I see, and what I can think about what's happening in the background. And why gamification? It's been around for a long time, as I mentioned, and it's been heavily used in other industries. I came from a background in healthcare. I spent the first 10 years of my career, through the 90s, actually in things like hospital beds, medical records, the ambulance service.
And we actually used gamification in a lot of those areas in order to simulate, to practice, to get ready for when disasters happened. It's used in crowdsourcing. It's used in education and training today. My kids are actually not going through a traditional education. They're going through what's called immersive education, which is, again, going through that gamification. They do it by project-based learning. It's used in technology. We see it also in the gambling industry, the gaming industry.
So, gamification, it's been used by a lot of other industries, but it's also starting to get that acceleration in the cybersecurity industry. And we really need it because we really need a way to make sure that we stay up to date and we stay knowledgeable.
So, one thing is that gamification can actually be used to train teams. A lot of times we look at individuals, as individual development and training for that person, but one great thing we need in the cybersecurity industry is collaboration with other teams in the organization, within IT. We need a way to collaborate with the board and with senior management. We need a way to collaborate with HR as we onboard new people.
So, it's really important to make sure gamification can be used to bring different departments together in order to help make sure that we're actually ready as a team. For me, it's a great way of, for example, teaching new skills. For example, if you've got HR that wants to do cybersecurity awareness training, it's a great way to be able to onboard new people into the organization as a community.
So, it's really great to actually do cross-departmental knowledge training and sharing. The other area as well is learning hacker techniques, which for me is a big part of my job and what I do in research. Learning hacker techniques is so important. If you don't understand the mindset and the thought process and the skills and the knowledge and the methods that hackers use, you're going to be wasting time putting the wrong security controls in place, focusing in the wrong areas, putting budget in the wrong places. Budget's not our issue.
If we actually use the budget in the right way, we can reduce the risk of lots of attacks out there. So, it's really important. You can have the biggest budget and spend it in the wrong places, which I see many organizations sometimes do. But learning hacker techniques will help you understand, and then you can actually understand how to apply that to your organization's business methods and business structure and what types of applications and data are really important to the organization.
If you do it from a business resiliency and a business risk assessment, you can look at the techniques that actually apply risk to those and then look for the ways to mitigate them. So, learning hacker techniques is a big area, and you're going to learn lots of those techniques today. The other area is actually doing team building. One of the things we sometimes do is red team kind of activities. We also do blue teaming, which is the defending side of things. Purple teaming, which is the combination of blue and red together. We've got white, we've got red, we've got yellow.
There are all the colors of the rainbow out there that we use in cybersecurity, but it's really important to make sure they're working together. And for me, one of the big areas is team building, which is sometimes having teams who have different agendas and different motivations working together.
So, when you're actually doing gamification, having the red team help the blue team make sure that they're actually putting the alarms and sensors and alerts and notifications in place, that actually makes it harder, you know, for the red team to be successful. That's where collaboration and teamwork can really make a difference. When you do them in a silo, when you just get a pentest team to do a penetration test, you're just getting an assessment, and then you have to decide what the right things to do are.
But when you get the red team and the pentest team working with the blue team, working with the white and green, it allows you to make sure you've got a stronger strategy, that you've got incremental improvements of your security strategy, and gamification can really help there. It also can help with security awareness training. When you're trying to explain the reasons for some of the things you're putting enforcement in place for, why you're putting things like passphrases and longer passwords in.
One of the biggest things, always the challenge, is an organization wanting to increase their password length from 10 characters to 12. The nightmare that they go through just getting employees to adopt that, that's a massive challenge.
So, we have to make sure that we're actually helping employees understand why we're doing things, and the education and knowledge, because ultimately at the end, we're all tasked with it. It's not just the security team that's tasked with making sure we put the right controls and the right defenses in place. We're also tasked with making sure employees are, and getting to where we actually make security a culture, you know, a part of the organization's culture and DNA, where we actually help all the employees.
So, one example, I'll give you a great example. Years ago, I worked for a large car manufacturer, 120,000 employees, and they had cybersecurity training put in place. And ultimately, we looked at all the different security measures they had, and after three months of trying to enforce them, we had created so much friction with employees. Huge friction. They hated the security team. Any time they saw us, they wanted to give us a hard time.
And that was something that we realized after three months of trying to roll out security by, you know, really enforcing it on the employees: we were actually making it worse. And this is something we have to understand about how we make sure that we're using gamification and security awareness in order to make sure that the employees understand the role that they play. And when we were going through this process, you know, we were running out of ideas. We were basically doing very traditional types of security.
And it was interesting because we were sitting in a room going, we failed. We have no idea what we need to do in order to move forward. And in a room a few doors down, there was a bunch of kids playing. It was actually bring your kid to work day in the organization. And we thought, you know, we can't get any time with the board right now. Maybe we can go talk to the kids. Maybe see if they have any good ideas to help us change how we're moving forward. So we actually went into the room. All the kids were playing.
And we said, hey, you know, we got a project we're working on. Would you mind helping us? And as we went through that process, we sat down and we said, here's all the things we're trying to do. And the kids were like, oh, I'm bored already.
You know, like the attention span of five seconds. And ultimately, it was interesting. One of the kids put their hand up and said, hey, have you tried, you know, ticking, because we were doing it in a very policy-structured legal text that was pages long about why we needed to put strong passwords in place, why they should be very worried about plugging USB sticks into their computers, and all these long things that were very complex. And they said, oh, that's really confusing. We don't understand. Why don't you put it in a comic book, like pictures?
And we're just like, huh, that's interesting. So we actually took each of the policies and we created a four-picture storyboard, which also meant that we didn't have to do translation. It was very easy to understand. We took very small steps that were basically around social engineering and phishing, around password best practices, around plugging USB devices into our devices, just taking each of those individually. And then the other thing we asked was, okay, clearly our way of delivering it to employees was not being successful.
So one of the kids raised their hand and said, have you tried putting it in the bathrooms? Because all of us need to do two things every day. We need to eat. We need to go to the bathroom. So we realized that actually, huh, that's interesting. So part of the security awareness was that all of our policies were on the back of the bathroom doors, because every employee at some point in the day needed to spend at least two minutes in there. And at that time, we weren't really, you know, connected to phones. There's something to read on the door.
And that meant that we had incremental knowledge sharing of the policies. And we also posted in the canteen, elevators, toilets and so on. And it was actually that moment in time where we realized, you know, the value, first of all, the kids were making and changing how we thought about security, that we needed to help them. And we also realized that security is part of our social sphere. And that organization realized right then that security doesn't start in the office and it doesn't start with the employees. It starts with your social sphere.
And that's where they actually started pushing their security controls and policies, things like password managers and antivirus software, to protect their employees, not just their corporate devices, but their home devices. So this is really where we need to think about, you know, cultural DNA. How do we make sure that our security awareness and gamification can help raise some of those areas and help us move forward? The other area is also learning about and understanding vulnerabilities.
Vulnerabilities come out quite frequently, as you saw in the keynote today, that there are multiple every month. We see it all the time. And sometimes just having the time to go through and learn about the different vulnerabilities, to go and set it up, to go and recreate it in your environment, is time consuming. I could waste a lot of time doing that. But what happens very quickly is that a lot of the platforms that do gamification have already created it and have it available for you.
So you can go into these platforms, you already have a machine set up with the vulnerability created, and therefore you can go through and start learning and understanding it. It was very popular for things like Log4j, also PrintNightmare, and other vulnerabilities as well. They had machines that were already set up with those vulnerabilities.
So you can actually go and walk through the steps and understand how they're configured, what makes them vulnerable, what indicators of compromise you can use from a detection perspective, so that you can quickly learn about them and then try to apply the lessons from those environments to your own environment to quickly protect it and put the right controls in place. And it's one thing I do quite often: when there's a new vulnerability, I go and look for those platforms to find out who's already got a machine or an environment that has it set up so I can learn from it.
I can learn quickly. Because otherwise it's very, very time consuming.
Also, the other thing, as I mentioned earlier, is practicing and simulating incident response. One of the things I see in a lot of organizations is that when they practice incident response, it's in the middle of a live incident. And it's the worst case scenario. Every time I get brought in, you know, I'm an advisor for numerous organizations and governments and agencies.
And when they have a major incident, sometimes I get brought in as an advisor and I'll go in and I'll look through and I'll say, hey, you know, your incident response plan, this is the first time they're actually really practicing it. They may have practiced it within teams. Sometimes they may have done it within the security team, sometimes in IT. But the first time they're practicing it as an organization, with HR, with legal, with the employees, with their PR team, with the board, is during a live fire incident. And that's the wrong time to be doing it.
Because in incident response, time is so critical. Time is so essential. Especially in a ransomware case. You've got, you know, one case I worked on not long ago, a large transportation organization was being held to ransom. And ultimately, it was 10 million euros within two days, which was a 50% discount, 20 million euros within four days. And the CFO is running around trying to figure out what the hell Bitcoin was and how to get it, where to get it. And you can't waste time like that in the middle of an incident. It's so much wasted time.
So practicing and simulating it, you know, understanding how to collect evidence, how to investigate logs. And a lot of the platforms help you go through the scenarios. There are complete tracks in gamification in order to help you understand and gather forensics for different applications, different environments, different scenarios. So it's really important to understand and use those as a simulation.
And I also recommend, you know, when you're going through those, to also include other teams, like HR, like the support team, that might be getting an influx of calls as well. So it's always about being ready. And that's what hacking gamification can help you with in that scenario. The other thing as well, it's fun. It's actually one of the most fun things, when you're actually doing gamification, and you get team building and the team working together. Our industry is a scary industry.
I mean, day in, day out, it's always, you know, doom and gloom, many cyber attacks, new vulnerabilities, new ransomware victims. It's a very scary, sometimes a burnout industry. And we need to make sure that we spend some of the time to actually have fun, to actually do a game. I don't know about you, but if you go do some entertainment, you go to the cinema, you go bowling, you go to a football match, whatever it might be, that's enjoyable. And that's what we need to be doing with our colleagues.
We need to be bringing more fun back into the industry so we can actually enjoy it and remember the fun times. And gamification is what allows us to do that. It's a great way to, you know, get the team to set some fun goals, to make it entertaining, and also at the same time be hugely valuable to the organization from a value perspective. And it's also a great way to spend time with your kids as well. This is my son doing hacking gamification. It was interesting at the beginning. He has homeschool on Friday.
So rather than doing it from home, he would come to my office and do homeschool there. And what he wanted to do right after finishing his schoolwork, he wanted to go straight to the PlayStation. So he's already big into gaming, but from a console game perspective. And I got upset. I was like, you need to be learning something. Just going straight to the PlayStation is a waste of valuable time. So I gave him some challenges. The first thing I gave him was actually lock picking.
I said, okay, I've got the controller. I put it in the box and I put a lock on it. And I said, okay, you've got to find a way to get that controller, right? So he became an expert at lock picking. Very fast. There's a funny video I might share with you at some point of him actually going through, spending time picking the lock. And it got too easy, to the point where I needed to give him more of a challenge. So I got him into doing, you know, he had to go through and basically do a capture the flag.
So getting him into actually doing a system, to the point where once he completed it and the capture the flag was successful, then he got to play the games console. So just setting some challenges as well. Now he's getting a bit monetary-focused. He's now getting into, you know, bug bounties, which is okay. But it's interesting also, just connecting with the family as well. Gamification is a great way of doing that and sharing those moments and enjoying it. So that's some of the things that I try to do as well, to make sure that it's something that we spend time doing.
But it's really important, as part of gamification, is design. Design is so critical here. And that's one of the challenges with a lot of the gamification platforms we have today. It has game elements, but it's not truly gaming.
You know, if you compare doing a capture the flag and playing a game, there are elements that have been lost in that transition. So I think the industry and the gamification side, we still have a long way to go. But some of those design elements are, you know, getting rewards for progressing, certificates, getting knowledge. You have points which can also be converted into rewards. You've got a progression, how you're progressing in certain areas, being able to start and stop whenever you want to, comparing with others in the industry as well.
So having stack ranking, having a leaderboard. And then also what level you're at, and how hard it is to get further down the reward system. So looking at here, these are the common areas of gamification, which are so critical. For me, these are some of the core elements that platforms have. So let's look at some of the gamification platforms out there. And there are many to choose from, and they all have different values. They're not all the same. So one that I commonly do is Hack The Box, because it's exploratory.
It's the one that really makes me have to think. There's a track called the active machines, where there are no previously known walkthroughs. And therefore, you really have to go through and try, you know, it's like going into an escape room with zero knowledge about it. And you have to find your way to getting the flag.
So for me, that exploratory side really pushes me to my limit sometimes, especially when you get a machine that's classified as insane. That really tests your skills very, very thoroughly. They also have not just machines, but they've also got academies, challenges, tracks, and so forth. Cybrary is more the instructor-led type of platform. You get people walking you through. Immersive Labs is a bit of a combination between the two of those. TryHackMe is more of a guided walkthrough. It will walk you through the steps rather than the exploratory side.
So it's really good if, for example, you've got vulnerabilities or things you want to learn about or specific steps. It will walk you through step by step. And those are some of the differences. Bug bounty platforms will give you challenges, which means that you can also get rewarded. A really good friend of mine made something like a million US dollars last year just doing bug bounties. So it can actually be rewarding. So finding your area in that can be very valuable. VulnHub is machines where you can actually go and download.
It's a bit of a, you know, use-at-your-own-risk type of scenario. So you want to be careful about the machines you're downloading. I always have an environment that's sandboxed and separated and segregated to make sure that if you download something that could have something malicious in it, because you don't know what's on some of those machines, you're safe. So it's really important to make sure you're doing it in a safe way as well and understanding the different risks. They've got also the Web Security Academy. You've got OWASP Juice Shop.
Those are really good for learning about web application vulnerabilities and security as well. Really walking you through things like the OWASP Top 10 vulnerabilities and then teaching you about things like SQL injection, cross-site scripting, and so forth. It is very different.
You know, my skill is really centered around things like identity compromise, privilege escalation, lateral movement. Web is not my core area. So sometimes when I get into a machine that's very web-focused, I struggle a little bit. So sometimes the purpose is that we learn from other people. So I've got a whole community of people, and when something that I come up against is challenging for me, I reach out and ask them. I ask them for direction.
I ask them for help, because in our community, we need to be using the same techniques that attackers use, and attackers do the same thing. They find people that have that knowledge and they communicate and they share. And we need to be really good at sharing as well. We need to make sure that we're sharing our knowledge and finding ways to do that. And gamification is also a great area out there because it brings those communities together.
It's a fantastic way of bringing together people that want to learn and finding the people in the industry who are the top experts in those fields, and connecting them with other people that can help share that knowledge. PentesterLab is also good for walkthroughs as well.
Root-Me, and then you get global online capture the flag events, which happen periodically. So if you're interested in competing with other people as well, some of those events are fantastic. You've got HackMe, and then also Offensive Security have their own Proving Grounds as well, which is also if you want to go down the path to getting your OSCP, which is Offensive Security Certified Professional, which is quite challenging. The Proving Grounds is kind of the path to those certifications as well.
So it's really important to understand that all these platforms have very different values. And really, it's important to find the one that can help you progress your career, but also find the one that helps your organization, in order to, you know, do that team gamification side of things. Each of them will have different values. This is one that was a few weeks ago. This was actually held in Tartu, Estonia. This was CyberSpike, which was the cyber battle of the Nordics and Baltics.
And it was actually kids between the ages of, I think it was around 13 and 19 or so, competing for actually the best hacking team in the Nordics and Baltics. So it was actually, you know, lots of teams competing, and then they had the final battle just a few weeks ago, which was amazing to watch. It was amazing to watch kids actually come in and actually really kind of show how they view things and how they see things, which is sometimes very different from somebody like me that's been in the industry for a long time.
Sometimes they surprise me with some of the ways that they approach things as well. So it's really important to make sure that we actually make that connection, not just about an industry, but also where we source our future talent from as well, in order to make sure that we also have a way to guide them to using their skills for good and hopefully not going down the path of criminals.
So it's really important to make sure that we actually give them those ethics and those options very early on, because a lot of the criminal attackers today are so because they didn't have those environments to do safe things and sometimes play in a dangerous way that doesn't result in harm.
So it's really important to make sure that, you know, opening these up to kids will also be a great way to make sure that they're actually learning in a way that also might provide some type of ethical kind of moral compass for them as well, because ultimately that's where, you know, sometimes if they don't get that direction and guidance, they will go into the criminal world, and we need to make sure we actually get to the point where we put them where it's making the world a safer place and not more dangerous. So this is CyberSpike; it happens every year.
I think this year was the third year in a row. So if you have kids and you want them to compete, this is a good opportunity to kind of put them in that direction of competing for money and for, basically, you know, fame in the hacking industry. This is the one I compete in. So Locked Shields, which actually runs every year. This is the NATO Cyber Defence Centre of Excellence. So it's all the NATO countries plus NATO cooperating countries. Every year, basically these two islands appear, which are called Crimsonia and Berylia. And Crimsonia attacks Berylia.
And then you've got 20 blue teams defending the country. And that's where you've got, you know, critical infrastructure from water supply to banking and finance, to social media, to 5G networks, to air defense systems, to battle management systems, to energy, gas and power. So ultimately, basically, all these countries, Locked Shields basically brings their teams together. And I was a red team member for a long time, but I decided to switch sides and become blue. So I had to wait some time for that to pass.
And eventually, this year, I signed up and joined the Irish and the South Korean team as a joint team of 200 in order to defend our blue team country. It's the world's biggest live-fire defense exercise. And it's where you've got basically 40 nations. It was the 14th year, 18 teams this year, 4,000 participants, 5,500 virtualized machines, 8,000 attacks over a space of two days. So it's quite intense. To the point where even for me, who's a seasoned person in the industry, I learn lots of lessons every time I do this.
Every time I participate, there's something new for me that I come out, I'm just like, wow, I never thought of that. And it gives me a new perspective on things. But it's also not just about cybersecurity defense, but it's also about forensics. It's about legal side of things. It's about strategic communication. It's about the whole thing working together.
Actually, interestingly, the Estonian and the French team were teamed up this year. France actually sent their Olympic cybersecurity team to train before the Olympics this summer. So this is where they did their practice run before the Olympics happened. And you can see here, these are some of the screens, pictures from the events. The top left is my team that was partly in Dublin. And then the Korean team was doing a lot of threat hunting. You can also see here in the center bottom, this is Michael doing the websites that were defaced. This is the SCADA control systems, the power.
So actually in the live fire range, if your power station gets affected, these actually explode and smoke and fireworks comes out of it as well. So they actually really put a lot of effort into making it look real. But it actually is a live simulation. It's a gamification. And it's all about getting people to work together, bringing people in order to share skills and knowledge. Just to give you one scenario, one of my areas of specialization in it was to manage the identities and service accounts across all of the environment.
And I basically went in and every kind of day, every 30 minutes, I'd be rotating credentials, updating them, and then making sure that the team had the access in order to actually go and defend and remove malware and so forth. And during one of the afternoons, all of a sudden our Korean threat hunting team reached out and said, Joe, I thought you rotated those credentials. And I was like, I'm looking at it.
I'm going, yes, I did. I looked at it. Everything was successfully rotated. All the lights were green. And they're like, no, we just basically ran a check and the default credentials were still working. Ultimately, what happened was there was a piece of malware running on those systems that basically was caching all credentials. So that if you actually went to that system, even if you re-changed the credentials, everything still worked, all the previous ones.
So for me, it was one of those situations where it was interesting because I'm looking at seeing in the SIEM, in the SOC, everything's green. But ultimately, the attackers were bypassing and falsifying that. The mistake that we made was while we changed the credentials, what we should have done was actually change also the usernames as well from default. So getting them from administrator to being something else. And that would have actually helped us in that.
So again, lessons learned, but usually from the gamification side. So ultimately from this, what we really want to do is understand the attack path. And that's what we're really trying to do, is understand about the whole step-by-step process that attackers do as they walk through, and the mindset, and the thoughts. And when they see something, what is it that they're thinking about? So that you can see the same thing. And when you're looking at your environment, is that sometimes we don't have the same perspective.
And it's important that we get that same perspective, that we look at it from an attacker's view. And ultimately getting to some of the attack paths: open source intelligence gathering. To be honest, the first two there, OSINT (open source intelligence gathering) and enumeration, are about 80% to 90% of my time. When I'm doing a capture the flag, if I do those really well, the rest becomes easier.
So it's important to make sure that you actually spend your time accordingly, that when you're actually doing the gathering at the beginning, you're actually going through and understanding and trying to think about what you're seeing and maybe how it's configured behind the scenes, or how it looks behind, or what the possibilities and options are. So it's so important to make sure that you do those really well. What can happen if you don't do those really well is you get into what's called rabbit holes. And rabbit holes are a nightmare.
When you get in a rabbit hole, and you're trying to get in a certain path, and you're finding it's not working, and it's not working, and you try, and then you start trying, you blast everything and nothing works. It's because you didn't do the first two really well. It's important to make sure sometimes you step back, take a bigger perspective. And if you've done those, it will help you make sure that you get the guidance. Vulnerability discovery, which is also a skill set, is also, when you see something, being able to find and detect vulnerabilities. How to modify and change exploits.
The initial access to remote code execution. Getting persistence. We'll go through pretty much all of these in the actual practical session. Enumeration, so once you've got a foot in the door, how do you actually evaluate? A lot of times the attackers want to reuse what you've already deployed, so they can hide behind the scenes and actually use your own tools to move around to gather further information. Privilege escalation, lateral movement, data exfiltration. So these are the kinds of things that attackers are thinking about at each stage.
And then they want to kind of slowly move, and the good thing is what they have is they've got lots of time, which is the bad thing for us is that sometimes we have a limited amount of time to spend in this. So it's important to make sure that we actually have the balance right. So sometimes I can actually compare this to the MITRE ATT&CK framework, which you've got here. So it's really important to understand that when we're going through gamification, and some of the practical sides, is that exactly where they fall in this area.
So you've got the different things again from reconnaissance to development of the resources and platforms and infrastructure of command and controls, initial access, execution, persistence. So all the things I just went through, which I summarized into a fewer steps, this is the things that attackers are looking to move across, ultimately where they actually make an impact, whether it being deploying ransomware or getting initial access and then selling those credentials off to other attackers. So at that point in time, are we ready to play a game? Who's ready to do some gaming?
Oh, okay. I got a few people that's excited. Everyone else is kind of like not quite sure yet. You're kind of like, you know, okay, we'll see where this goes.
So, okay, let's get into the gaming side. And this is where it is live.
So, and you know, whenever anyone's up doing something live, unexpected things happen, okay? So you just have to kind of, you know, just pursue, whatever that word is, to kind of just continue with me as I go through. So I'll be exploring as we walk through this. So let's move into, so I've got a virtual machine running, so let's move into it.
So, okay. I'm just going to give a few quick checks here. I know that in the back, I'll try and, are you seeing it okay in the back of the room?
Yeah, okay. So, okay. So what I've got here, the first thing is the first scenario, I'm going to take a walk through and I'll explain. And one of the things, as I walk through and looking at from an attacker perspective, what I will do also is, you know, work with you on the defensive, what things would stop it. Let's think about also that, you know, the defensive side, what things could be done differently, okay? So let's take a walk through. So for example, this is one of my default areas. This is my kind of default setup. So one of the platforms, as I mentioned earlier, is Hack the Box.
And it's actually the exploratory one, which I always like, because it really challenges me. And I'll walk through some of the areas. One of the tools I use quite often is CyberChef. CyberChef is great for basically manipulating data back and forward, whether you're changing from hex to ASCII or so forth, or from binary, Base64. It's just a great way of kind of modifying. I think we're cutting the screen off a little bit there. So let me see if I can change this so that it moves a bit more. Okay. Hopefully you're seeing that better, because the screen is a bit cut. Okay.
Another one is CrackStation. It's just a quick and dirty way of kind of taking a hash and checking if it's already been previously cracked as well. One I also use is reverse shells. It's just a quick way for me of creating a quick reverse shell command. So I can take, you know, let's say, you can see here I've got three IP addresses. I've got my public, my internal LAN, and also my VPN tunnel here, which is in the top of the screen there. So I just make sure, when I've got the 14.5, which means here, I want to set that to basically the same.
So if I want to create a reverse shell, it's already preset, and then I can go through and create different shells like a Netcat, a Bash shell, a Perl shell, a command, PHP, Python, and so forth. So it's a really kind of easy way to create those. So I can say here, I want to create a Python shell, and that creates that for me. So it allows me just a quick, easy way of creating reverse shells. A reverse shell is simply me getting the target machine to make a connection back to me.
A lot of times organizations have set the firewalls up so that I can't actually connect directly from the outside in, but most machines from the inside of the network have free access to basically the public internet, and therefore the reverse shell is the easiest way. My preference is not to do a reverse shell. My preference is always to actually find where I can actually change the configuration of the machine so that it allows me to connect directly. So that's my preference, but it comes down to finding the right technique.
Attackers have different techniques that they prefer, and sometimes it's finding those methods. As I mentioned, the other one is the TryHackMe one. So you can see here, this is the one that's more of a guided walkthrough. So if you sign up, some of them have free versions. So we can actually go through, and they will give you access to certain free machines. In this case, you've got basically web fundamentals. It gives you new rooms, resume learning, and simply if we go here to the learn section, we can actually go and search.
For example, one that I mentioned earlier was Log4j, which is one that I use quite a bit in this one. If we put a 4 in there, it'll be quicker. So you can see here, Solar, exploiting Log4j, and that's great because it's actually a guided walkthrough. It really helps you understand how attackers may take advantage of that vulnerability. So there's lots of different ways of doing this, but let's go and take you through some of the practical examples in Hack The Box.
So one of the things I just want to make sure, I'm going to refresh the screen here, make sure my VPN connection is still running. So I see I've got two connections. Let's just make sure that I'm just going to ping a machine that already got running.
Okay, so I've got a ping, so that's all good. So I'm just on my sanity check, make sure things are working as I expect. So let's take a walk through some of the things here. So you can see there's different ways. You can see your basically progression. You can get respect from other people. You can see how many systems you've actually compromised. Global ranking, I haven't played in the summer, so it took a big hit to my global ranking. I think my top rank was about in the top 70s, so which is, I don't know, if you're in this capture the flag gaming, it's a pretty good ranking, if I do say so.
And so there's lots of things: rewards, and there's hiring, there's recommended boxes. You've got seasons, so there's lots of different seasons. So you can get rewards for actually going through different types of machines. There's challenges. Challenges are where you've got things like OSINT, you've got hardware challenges, and then there's a combination between, for example, active machines, which are the ones that don't have any write-ups, so you really have to figure them out for yourself. Retired are retired, and they will already have different write-ups.
There's people like John Hammond, IppSec, 0xdf, that are all creating these write-ups, and they're fantastic, educational, so you can actually go through and follow their method. And the great thing about a lot of these machines is that there is an intended path, but there's lots of unintended paths as well, so you can actually approach them in many, many different ways. So it's really fantastic kind of from an education perspective.
You've also got tracks, as I mentioned here. If your team is wanting to go through, you want to learn, for example, about cloud vulnerabilities, industrial control systems, you've got basically Android, you've got blue team defense, hardware hacking, red team, so there's lots of tracks that can actually take you through those specific areas of educational knowledge and actually teach you those very, very specific areas. One that I recommend highly is things like incident response and digital forensics.
If you've got an incident response team that wants to learn about how to collect evidence, how to collect images, how to evaluate them, how to actually correlate them, use tools like log2timeline and Plaso and, you know, gathering disk images, it's a great track for really kind of getting the incident response team up to speed. But there's lots of areas, OWASP Top 10 if you're into the web application side of things, so you can see loads of different tracks. You've got global rankings, you've also basically, you can join up with a team, so you can join other teams.
For example, for me, I'm part of the Estonia team, which we're not doing so good right now, so, but, I mean, that's the challenge is that it's signing up. You can see here some of the top teams, U.S.,
India, Germany here are in the top three rankings, so that shows that there's really good knowledge in those three countries for my basically skills area. And some of those people, they spend, they dedicate their, like, it's a job for them in many cases. They will make money not just from capture the flag, but also from the bug bounty side. So they'll actually use capture the flag for testing their tool sets, and then they'll turn that and actually then put it into bug bounties to make money.
And they're making, you know, tens of thousands of euros in, you know, sometimes per month and millions per year, if you look at some of the bug bounty side. There's pro labs, and then there's also academy as well, educational. Where I spend most of my time is in machines. I would typically spend a lot of time doing active machines. So as I mentioned, active machines are where there's no write-ups. This is you go in and you have to figure it out yourself.
You can sign up, you can collaborate with other people, you know, there's lots of kind of communities that can actually work together and bring your skills and knowledge together. So there's the community side of things. There's a few people that I share ideas with, one's from a web application, and then the other one's from one of the world's best password crackers. So we kind of work together in order to try and find our way forward. We don't try to share everything. We try to kind of lead them to the right path.
But, you know, it's all about knowledge sharing. So here you've got lots of machines, and they're ranked from different. You've got easy, which is quite relative. The easy ones are quite easy.
So, you know, if you have some knowledge, you should be able to do the easy ones. When you get into insane, that's a whole different ballgame.
Insane, those machines, it's crazy the thought process that goes into how those machines are actually, you know, how you get to the root flag. You know, if we have time today or within this week, maybe I'll show you one insane machine, which had me actually hitting my head on the table because I was running in a rabbit hole. I couldn't figure it out until I reached out, and a friend of mine just pointed me in the one right path. And once he pointed me, it all came together. So sometimes it's just, you know, finding and seeing kind of what's behind the scenes.
What we're going to do today is we're going to do some of the retired machines. The machine we're going to do is Driver. So I've actually already got Driver running here. So we can go to Driver. So you can see here the machine page will give you some understanding about the machine itself. It's a Windows machine. It's easy. You can click into the machine. It will actually give you a description about what you need to do. You also have walkthroughs. There are both PDF walkthroughs, and then there's also video guided walkthroughs. So the videos, if you're really starting, the videos are amazing.
IppSec is one of the kind of rock stars in our industry. He started his career off with basically sports commentary. So he's got one of those voices that's really good, you know, for commentary. And he's turned that into, he was also kind of into the sysadmin side of things, and he's turned that into being one of the industry's best, basically, let's say, gamification entertainers, which is what, you know, that's becoming a career now. We have influencers. We've got hacking influencers who are doing gamification.
So, and then you've got lots of different walkthroughs, and they get rated as well. In those walkthroughs, you find lots of different paths and lots of different alternatives. So not everyone takes the same direction, which is also educational as well. So play machine, what you simply do is one of the things you've got here, guided mode, which is similar to the TryHackMe one, and a few others, you've got guided.
Others, adventure mode means that you just go find a flag and find your own path, which is my preferred method. Sometimes I do recommend before you start, you reset the machine, which will set it back to a clean state. If you don't do that, somebody else may have been playing the box and may have left things behind that might make it a problem. And ultimately here, what you're trying to get is two flags. You're trying to get a user flag, and then you're also trying to get the root flag. That's ultimately what you're trying to achieve. And then simply just start and stop the machine.
There's the red button here, which will stop it and then put it back to its unpowered state. And then if it's not on, then you have the ability to play the machine and spawn it. Ultimately, you know that you've got the machines running. You've got an IP address here. That's ultimately what you start with. In hacking gamification, sometimes all it is is you've got an address to go to, and that address will be the starting point. And that's what we have here. We've got an address of 10.10.11.106. And ultimately, in the adventure mode, we know it's a Windows machine, and it's easy.
That's ultimately the two things. So going back into my command prompt here, one of the first things I always do is ping the box just to make sure we have a response. I've got connectivity. And already, you can see here that we're actually getting information. What does this screen tell you from basically pinging the machine? The time to live, 127, tells us immediately that we know it's a Windows machine. So already, we're starting to get information. That's what attackers are looking at. They're looking at all the data here. They're looking at basically the response time.
Sometimes the response time will give you a little bit about the overhead of the machine. Maybe the machine has a high performance, high workload. If it responds quickly, it's pretty good connectivity latency. So just some things here will give you an idea. But the time to live typically will tell you the operating system, whether it's a network device, Linux, Unix, or Windows. So the next thing we do is we'll end up running basically a network map.
It's basically, you know, it's like going to the front of a house and you're just standing looking at the house and you see there's four windows, there's a door, there's a gate, there's a fence. It's just standing outside and looking and observing and understanding about what things, you know, what type of lock is on the window, what type of lock is on the door. It just gives you that observation about what services that house is providing. And this does the same thing. This is my typical command that I do. It's at the bottom here, when I'm running an Nmap.
This is my typical command line for doing the gamification side. So I'll set an alias to the IP address and I'll also run an Nmap at a quick rate with a timing template of four against the IP address. Once I get that, then I perform a much more in-depth Nmap scan on the ports from that output. And that will give a lot more information. So I'll actually then go and run it against the ports that get returned. But this time I will actually run it with basically default scripts, service information, don't do a ping, verbose, and then output it to this actual name.
So for me, this is the one that I use the most, because I'm using a lot of kind of grep, cut, and sed in order to get the ports. But it's the fastest, because if you're running this in a time-sensitive capture-the-flag event, you know, you don't want to be running one that's slow. Because sometimes when you're doing CTFs and gamification, this is the most time-consuming part: scanning all the ports, 65,000 ports, and then you want TCP versus UDP. It can take a lot of time. So doing it this way can actually accelerate it.
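The recon flow just described, from reading the TTL in the ping reply to the two-stage Nmap sweep, written out as one added shell example. This is not the speaker's own alias or script and it is not code from the talk: the ping line and the quick-scan output embedded below are constructed samples shaped like real `ping` and `nmap -oN` output, nothing here touches the network, and the helper names are my own. The target address 10.10.11.106 is the one shown for the Driver box; the four open ports (80 for IIS, 135 and 445 for RPC and SMB, 5985 for WinRM) are my assumption of what the quick sweep would return given the services the talk goes on to list, and the `-p-` on the quick sweep is my reading of "all ports". The second-stage flags follow the speaker's description: default scripts, service versions, no ping, verbose, only the ports found, output to a named file.

```shell
# Added example, not from the talk: ping TTL read, quick all-port sweep, then a
# scripted -sC -sV pass on just the open ports. All sample output is CONSTRUCTED.

# Guess the initial TTL (64 Linux/Unix, 128 Windows, 255 network gear) from the
# TTL seen in a reply and print "<os guess> hops:<n>". 127 => Windows, 1 hop.
ttl_to_os() {
    ttl=$1
    if [ "$ttl" -le 64 ]; then
        printf 'Linux/Unix hops:%d\n' $((64 - $ttl))
    elif [ "$ttl" -le 128 ]; then
        printf 'Windows hops:%d\n' $((128 - $ttl))
    else
        printf 'Network device hops:%d\n' $((255 - $ttl))
    fi
}

# Pull the ttl= value out of a ping reply on stdin.
ping_ttl() {
    sed -n 's/.*ttl=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract open ports from nmap normal output on stdin as "80,135,...".
# Matching lines look like: "80/tcp   open  http"
extract_open_ports() {
    grep -E '^[0-9]+/(tcp|udp) +open' | cut -d/ -f1 | sort -n -u | paste -s -d ',' -
}

# Build the in-depth command: usage build_full_scan <ip> <ports> <outfile>.
build_full_scan() {
    printf 'nmap -vvv -Pn -sC -sV -T4 -p %s -oN %s %s' "$2" "$3" "$1"
}

# Constructed samples (shape of real ping / nmap -oN output, not captured data).
SAMPLE_PING='64 bytes from 10.10.11.106: icmp_seq=1 ttl=127 time=41.2 ms'
SAMPLE_QUICK_SCAN='Nmap scan report for 10.10.11.106
Host is up (0.041s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
5985/tcp open  wsman
'

IP=10.10.11.106
# Step 1: ping and read the TTL.
ttl_to_os "$(printf '%s\n' "$SAMPLE_PING" | ping_ttl)"
# Step 2 in a real run would be:  nmap -T4 -p- -oN driver_quick "$IP"
PORTS=$(printf '%s' "$SAMPLE_QUICK_SCAN" | extract_open_ports)
printf 'open ports: %s\n' "$PORTS"
# Step 3: the in-depth scan command, ready to paste.
build_full_scan "$IP" "$PORTS" driver_nmap
printf '\n'
```

The TTL guess is only a heuristic: it assumes the common defaults and fewer than 64 hops, and a host can change its initial TTL. The port extraction keys on the `open` state so that `filtered` and `closed` lines never make it into the second scan.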
So basically what we're going to do here is I'm just going to kind of show you what I've already done this. And as I mentioned, I've also, I do my own write-ups. So let's take a look at the write-up just so you can see the write-up itself. So the write-up, this is the write-up here that we're basically going to go through all of these steps today. We're going to walk through all of these areas. I might refer to the write-up just for speed of copy-paste because, you know, I'm not the greatest at typing things.
We all, you know, get mistakes. So I'm going to walk through and do some copy-paste at some point. But this is the walkthrough we're going to go through. So we're going to go through all of these steps. So the first thing we're going to do is let's take a look at, I've already run the Nmap here beforehand, basically for just sake of time. So let's go ahead and take a look at the Nmap. So this is one of the things that's looking at the system from the outside. It's really about understanding the services. So in this particular Nmap scan, you can see what I ran.
I did Nmap dash VVV, which is verbose, verbose, verbose, so three levels, and it will output much more information. I did uppercase P, lowercase n, which is no ping, which means if the machine doesn't respond, still run the scan anyway. Default scripts and services. Timing template of T4, which is a bit aggressive. Attackers prefer to do it long and slow if they're doing it for real. They also might tend to use other tools as well which are not as, let's say, noisy. Sometimes they'll use something like a partial, their own custom script, rather than using predefined tools.
I'm searching for all ports and then output to this driver underscore Nmap, and that's the target IP address. So that's the one that I ran for this. So let's go ahead and take a look at some of the data that comes out. First thing we see is port 80 is open. So we know that IIS is running as a web server, so that's one of the first things. We can see here basically which version of IIS is running. So that can also give you an idea: if you go and search for basically IIS version 10, you can already get an idea of what type of machine operating system version it is as well.
It will narrow it down much more. Next thing we see here is that on the auth side of things, we get an unauthorized response, which means there's some unauthorized access. We're getting a 401 access denied or unauthorized. And you can see here the basic realm that's saying that this is some type of firmware update center, and it says please enter the password for admin. So we know that maybe this is basically gated, and it's asking for, which is already, we've got 50% of the puzzle, which is admin. So we already have 50%.
Now it's a case of figuring out the other part. We can go further down. So we already know there's a web service running. We know it's requiring a password, and we know it's some type of firmware update center. We can also see that RPC is running on 135 and 445, and we also see Windows Remote Management. So this also gives you an idea: this machine would typically not be public internet facing. It'd be something you would commonly see on an internal network.
So that's one thing. So if the attackers ever get access, they've got one foot in the door. This might be a machine that, in the real world, they would use for privilege elevation and getting access to a higher level of privileges. So this would most likely be on an internal network that wouldn't be gated. But we can see here that with Windows Remote Management running, potentially the path we need to go down is to find an authenticated user. So that's what you're thinking about.
So we've got a Windows 10 machine. It's got only a web service, which is gated. We've got Windows Remote Management. There's an authenticated user we need to find. So it's already giving you some guidance; that's why these are easy machines. It's giving you some guidance already from what you can see. You've got an idea of the path that you need to go down. One of the other things I also look at is the clock skew.
The clock skew is really important because if I have to do some sort of certificate cracking, or certificate or ticket granting work, the skew is really important, because that's telling me the skew between my machine and the actual victim machine. And that for me is one thing I note at the beginning, because if I needed to create some sort of ticket, I'd need to synchronize my time with the actual target time. I may need to make sure that's within five minutes for the ticket granting.
So sometimes when you're going through, an attacker is going to want to note all of those possible things they need to do really early and understand all of those areas. So the clock skew is really important in that scenario. So let's go ahead. One of the next things we'll need to do is go look at the website. So let's open up Burp Suite. Burp Suite is the tool that's used to intercept web traffic. It's literally a web proxy, and ultimately what it allows you to do is intercept and then evaluate the traffic before it goes to the target system.
So I tend to prefer to use Burp Suite. Sometimes I've got the plugin that would allow me to redirect Firefox directly to Burp Suite, but I tend to prefer to keep the two separate. So what I'm going through here is under Proxy. I've got Intercept currently set to off, which means it's going to pass the traffic through and I'll be able to just observe it. So what I'll do is open up the browser. I'm just going to use the Chromium browser which is built into Burp Suite, and we're simply going to hit the IP address.
So we already know that we're getting prompted, as we saw from the response in the Nmap scan. We already know the first part of the puzzle, which is admin. And because this is an internal system, as I mentioned, it's very likely that on the internal network somebody did something default and didn't change something, so you can already start guessing. Anyone want to take a guess what the password is? So admin: default credentials. And this is very common.
I can't tell you how common it is, to the point where I've done pen tests on power stations, and the SCADA control system, which cost multiple millions of euros, had "advanced threat protection". It was funny because of the picture I've got: on the side of the SCADA control it said advanced threat protection, the most secure SCADA control system ever. Brilliant picture. Default credentials.
So you're in those situations where it's so common. The problem is sometimes, yes, you might get somebody installing it, but what they don't do is follow a process going from, let's say, test and user acceptance to production. Sometimes they just switch the light over and make it production without having some type of handover process and changing those credentials. Because it's working. It's working, let's get it to production as quickly as possible. Therefore let's just make it production.
And that's what happens a lot of times, and so we end up with lots of things with default credentials. So as you go through right now, we have to start thinking about, okay, what's my next step? And you'll spend a lot of time here; I'll go through and start analyzing the traffic. But we simply see here there are a few things. By putting the mouse over, you can see in the bottom left-hand side it just goes to a hash, which is the home page, where there's nothing there. Driver updates: nothing there. Contact details: nothing.
So we see here the only page that actually has anything behind it, which is a PHP page, is the firmware updates. So we can click on the firmware updates, and what we can read here is: select the printer model and upload the respective firmware onto the file share. So there's a firmware update. So basically people who want to do printing, maybe it's a marketing or print shop, or somebody's doing templates, or a design house or advertising, and they need special printers and they need somewhere they can upload the drivers, and this would be coming in those areas.
So you can see here the different printer models, and then I can choose a file, and what it says here is our testing team will review the uploads that you do manually and initiate the testing. So it means I can upload a file, and you can go through different types of files; you can try an exe file or some type of reverse shell. But the one that works in this scenario is actually a Windows shell file itself. So I've already created one, and just to show you what it looks like inside: this is filename.scf, which is basically a Windows shell file.
And you can see here what I've done is that as I upload this as a driver, when it gets to the icon file, the icon file is not embedded locally; it's actually going to make a call back to my machine. And by doing that, we're going to be able to trigger what's called LLMNR poisoning or NetBIOS poisoning in order to get a network NTLM hash. So ultimately that's what we're trying to do. And simply, you know, a lot of attackers will run this all day long; without waiting they will simply already have this running.
So we'll do sudo responder. What I'm doing here is -I, which is the uppercase I, which is the interface; I'm choosing tun0, which is my VPN tunnel, and then -v because, since I've done it before, I want to do verbose and check for everything. So simply run that (I'll need to do sudo), and now I've initiated NetBIOS and LLMNR poisoning. So please do not connect to my machine; I will be getting your hashes, which I don't want, and you probably don't want that either.
So we can see here what we've got is LLMNR poisoning and NetBIOS. So if this is running on an open network, if I was to run this on the conference Wi-Fi or hotel Wi-Fi or a cafe or a public domain, I can guarantee that many machines would already start trying to connect to this machine and be just pumping their hashes to me. This is what attackers do all day long. If they get access to a network, or they get access to a public area, or just go to a cafe near the office of the target they're looking for, they will just sit and run this and they will collect hashes all day long. Hash after hash after hash.
So let me show you how this looks. So we've got it running; now we just need to go back to the driver interface, and I showed you already the file which will make a connection back, because I've told it the icon file is on my machine. So go ahead and click okay; we're going to submit.
So now what's going to happen is, of course, there's a process in the background where somebody's going to evaluate it. They're going to open up that shell file, and if I go back to where we're running, we might see already hash after hash. And of course this will happen even if a machine has, for example, mapped drives, as another good example. If you've got mapped drives to network shares, this will run all day long; you'll just get those machines connecting out. Lots of organizations are still struggling to mitigate this because of legacy systems, legacy applications.
Sometimes you just have to maintain legacy in order for things to work, and this is what exposes you and is a major issue from legacy. So now we simply see here we're getting a hash back, and we'll take that hash. I'm just going to stop this from running because I don't want any accidents happening. So let's move into the next phase. So we now have a hash, so I'm going to cat it, and we can see 28.hash.
So this is the next phase we go through. One of the first things is that, you know, one of the mitigations we've covered so far is default credentials. Another area is making sure that machines are not running what they shouldn't; they shouldn't be running anything more than what they primarily need to run. And then this area is really where NetBIOS and LLMNR poisoning come in: you've got to be checking, making sure, and minimizing the traffic. Segmenting where you possibly can is another mitigation.
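The "you've got to be checking" part of that mitigation, as an added example that is not the speaker's code: a canary-name probe for LLMNR poisoning. A defender asks the LLMNR multicast group (224.0.0.252, UDP 5355, per RFC 4795, which reuses the DNS wire format) for a hostname that does not exist on the network. No legitimate host should ever answer that name, so any reply identifies a poisoner. The packet capture in `sample_capture()` is constructed here, as are the IP addresses and the canary name `finance-nas-0x7a`; `probe_live()` sends the same query on a real interface.

```python
# Canary-name check for LLMNR poisoning. Added example, not code from the talk.
import socket
import struct

LLMNR_GROUP = ("224.0.0.252", 5355)  # LLMNR multicast group and port (RFC 4795)


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding: <len><label>...<0>."""
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def _decode_name(payload: bytes, offset: int):
    """Decode a DNS-style name, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appears at `offset`)."""
    labels, jumped, end = [], False, offset
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_llmnr_query(txid: int, name: str) -> bytes:
    """Plain A query: id, flags=0, qdcount=1, then the question (type A, class IN)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_llmnr_response(txid: int, name: str, ip: str) -> bytes:
    """What a Responder-style poisoner sends back: QR=1, question echoed, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_llmnr(payload: bytes) -> dict:
    """Parse header, question name and any A answers out of an LLMNR datagram."""
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    name, pos = _decode_name(payload, 12)
    pos += 4  # skip qtype + qclass
    answers = []
    for _ in range(ancount):
        _, pos = _decode_name(payload, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(payload[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "name": name.lower(), "answers": answers}


def find_poisoners(canary_names, packets) -> dict:
    """packets: (src_ip, udp_payload) pairs seen on port 5355.
    Returns {src_ip: [canary name answered, ...]} for hosts that answered a canary."""
    canaries = {n.lower() for n in canary_names}
    hits = {}
    for src, payload in packets:
        try:
            msg = parse_llmnr(payload)
        except (IndexError, struct.error, UnicodeDecodeError):
            continue  # truncated or not LLMNR at all
        if msg["is_response"] and msg["name"] in canaries:
            hits.setdefault(src, []).append(msg["name"])
    return hits


def sample_capture():
    """Constructed traffic (made-up addresses): a normal query, a real host
    answering a real name, and a poisoner at 10.10.14.9 answering the canary."""
    return [
        ("10.10.11.23", build_llmnr_query(0x0101, "FILESRV01")),
        ("10.10.11.40", build_llmnr_response(0x0101, "FILESRV01", "10.10.11.40")),
        ("10.10.14.9", build_llmnr_response(0x4242, "finance-nas-0x7a", "10.10.14.9")),
    ]


def probe_live(canary: str, timeout: float = 2.0) -> dict:
    """Send the canary query to the LLMNR group and flag whoever answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(0x4242, canary), LLMNR_GROUP)
    seen = []
    try:
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            seen.append((src, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return find_poisoners([canary], seen)
```

Run `probe_live("finance-nas-0x7a")` from a segment you care about; a non-empty result is a poisoner (or a misconfigured resolver) worth investigating. Pick a canary that no real host could legitimately own, and vary it, since a careful attacker may ignore names they have seen flagged before.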
So let's go through the next stage. What we now want to do is crack that hash, and this is where we basically rely on you choosing really, really bad passwords. That's what we're ultimately relying on at this phase. If you are choosing a human-created password, this is where bad things happen. So what I've got here, I can go through and do hashid, and that will tell me that this is a NetNTLMv2 hash, which means we're going to use a tool called hashcat. There's another tool called John, which is also, you know, for cracking passwords.
I go between the two depending on what type of password or hash I need to crack, but for this one it's simply hashcat -m 5600, which is the NetNTLMv2 hash, and tony.hash, which is the file that contains the hash we actually have. I'm just using the rockyou data dump. If I'm doing live ones I've got my own personal one, which is actually much more, let's say, accurate, and I use a lot of rules and masks as well to make it quicker.
I've got a very powerful machine which is used for gaming; when I'm not gaming I'm cracking passwords on it. And I've disabled the potfile because I've already run this before, so disabling the potfile will just mean it will actually process it again. So let's go ahead now; we're going to crack the hash that we just got, and you can see here it takes seconds. Literally the power and processing is so fast, and this is all it takes: the attacker needs to find one active credential.
They need to crack one password, and in the real world, if this was an access broker, the next thing they will do is validate that credential, and then they'll put it up for sale and just wait for another part of the criminal ecosystem to come along. They'll buy the credential, they will log on, and they will cause you pain.
That's ultimately the process. So what happens is, you know, that's what attackers do: they simply go and they pay. A really good friend of mine, Jason Haddix, did a great talk a couple of years ago. He used to work for Ubisoft, and he walks through exactly the scenario where they paid like 10 US dollars for a credential on the dark web, and the pain that caused the company was significant.
So it happens time and time again. Attackers simply crack passwords, they phish, they get credentials, they log on. That's the process, and it swings back and forward: when there are vulnerabilities they will abuse the vulnerabilities; when the vulnerabilities are all patched up and actually secured and gone, they will go back to social engineering and phishing and getting passwords and credentials and brute forcing. And if we leave humans to make password choices, that's where you're going to get "little Tony" as the password.
So now we've been able to go through the process to get a credential, and remember, going back to the previous Nmap scan, we know that Windows Remote Management was running on that system. So it means that maybe this credential will work with it.
So in this case I'll open up a new terminal screen, and this way we use a tool called Evil-WinRM. Evil-WinRM allows us to make a connection to the IP address using the username and the clear-text password "little Tony", and by executing it we'll see if Windows Remote Management allows us to connect. And it does.
So now we've already got to the point where we've got stage one of the flag; we've now got the user flag. The user flag is typically located on the desktop of the compromised user, and you can see user.txt. If we do type user.txt you'll get the flag, and you'll take that hash, submit it on the machine page where it says user flag, and you'll get the points. So that's typically the process from the gamification side of things.
So the next stage is that we're just a user; we need to get root, we need to elevate. That's the goal of this machine. So let's go through the next process. I'm going to go back into Documents, and feel free, if you have questions, to ask them at this point. So the next phase is that I want to do enumeration.
In real-world enumeration, what attackers tend to do is very slow and, you know, drip-feeding. They will go and run commands that typically will be commands your support team would run to do troubleshooting, to try to stay behind the scenes. So in the real world they'll do stealthy, slow, simple commands, stay behind the scenes, and gather information.
The one thing attackers are really good at is inventory gathering. They will gather inventory way better than you would, and they will start understanding software versions, configurations, setups, what tools are used to manage. Once they find out what tools are used, what they'll then try to do is figure out how they can use those tools for themselves: maybe using PsExec, maybe using PowerShell to manage the environment, maybe using different SIEMs or security tools. And they will try to find ways so they can actually use those to gather the information for them.
For me there are a couple of automation tools that typically are good for learning, but they're really only good on the gamification side.
So a really good friend of mine Carlos Pollock created a couple of privilege escalation tools ones called WinP's LinP's and Purple Panda they're fantastic we've been able to do enumeration for the system so what I've got here if I go back to my machine do ls I've already got basically the windows privilege escalation awesome script uh sitting on my machine and the great thing is once I've done basically evil winrm all I need to do is upload WinP's and within a little bit of time a little magic a little dust and we have WinP's on the machine okay so if I do dir it's sitting here so the next thing is we want to execute this and it's going to basically output everything about this machine's configuration so in gamification a great way of doing it quickly but attackers in real world they don't do this the only reason they will do that is if you actually have zero security in place and you're not watching anything then they'll be like okay I'm going to do the quick and dirty way but in a real world they will do all of these commands slow stealthy take their time they've got a lot of time to waste so they'll do each of them individually but they'll they'll have a list of prioritization of their own structure they go through I do the same when I'm doing actually pen testing I'll have my own structure that stays stealthy but a gamification I'm not really worried because there's no one really looking I just want to understand about the configuration question so the question is it's feedback more it's good for purple teaming absolutely it's good to see what type of information can be gathered from a machine and look for areas of misconfigurations absolutely it's good for that kind of offense defense collaboration and finding out what can be put in place to actually minimize the output you get here so this is going to keep running I'll let it run until it finishes at this point time while it's running just until I finish it do we have questions in the room is everyone 
everyone's sticking with me everyone's still we're all we're all moving through this together am I over compliment come am I making it too complimented or what was it what's the word complicated yes I told you English is not my best language even though it's my first so I should have stuck there earlier that yes I'm from Estonia I speak Estonian nothing else but I don't want to make it too complicated I want to make sure that you stay simple and that kind of go along with the process so okay so let's get let's analyze the data okay so when piece is finished running on this machine you get lots of information so we're going to go straight up to the top where you get the nice little piece kind of logo the great thing about this version is actually color-coded as well so it allows us to kind of pinpoint to what's actually important for us and then Carlos Paul is awesome he's been on my podcast a few times so if you do want to listen to our discussion on win peas and limpeas and purple honda you know jump on my podcast and listen to the episodes it's it's lots of fun so let's go through so we're looking basically for you've got different types red something you should be interested in green means there's a protections enabled for that particular and then you've got light yellow links disabled users and so forth so we go through here and you'll see some information that you've got basically some possible vulnerabilities of local privilege escalation I'll explain one of the unintended routes on this particular machine is actually print nightmare so print nightmare this machine is vulnerable to it and there's the unintended path but it's not the intended path so we're going to avoid the unintended path and stick to the ones that was actually intended for this machine to be vulnerable so we can dine we can see lots of information the computer name is called driver user tony information partial which version is enabled some of the variable paths processor path text and so 
forth so kind of we can go through and see lots of different information about the machine itself you can see laps is not enabled in this machine so it means that there's no uh local administrator kind of protection um let's see here credential card is not enabled cache logon no av was detected so it is a very vulnerable machine but even so that even though that machine is vulnerable there's still ways even if it was running a full security stack the paths here would still be actually usable if you did it in a certain way so we're going through and take a look and here's a kind of area of interest that we see here there's a partial history file so you can see here that basically um we can go take a look at that file so we already seen that earlier yes print nightmares enabled but we're not going to do that path so what we can then do here is type let's take a look at the partial history and we can see here that in this area you can see that somebody added a printer and the printer was a rico printer a driver um and this was added to the machine so you can now see that this section machine is running some type of driver um which is rico so now we start thinking about okay is there paths that i can go from the tony user to administrator rights so we're looking for privilege escalation so we can simply take rico and we'll pop a new tab and this is the next tool that is commonly used which is an offline which is great meaning that we can run it which is search plate so search disability to look through and try to find ways of either vulnerabilities exploits and paths to privilege escalation for local privilege so we can simply just search and then we get tons of responses and we're going to go through and read through all of them um and this is what attackers will do they will actually go through each one individually and trying to understand is it applicable here and how to identify does it apply to this particular system and we can already see here there's actually a 
local privilege escalation we can see basically um there's a few other ones here there's actually another one privilege escalation which is local and we can see here that this is actually part of metasploit um so there's a metasploit module um which is here which we can potentially then check and see is that machine vulnerable to that so search point has now helped us take a look at that see we now have a rico driver running the machine there's possible local privilege escalation um options um and now what we're going to do is we're going to go and check and validate is that actually the case so one of the first things that i've done here is i've actually created a reverse shell so rather than using evil win rm uh in order to basically uh do the investigation checks i'm just going to upload the reverse shell and use that to make a connection back to metasploit so let's go and run metasploit so we do msf console and while that's running and i'm going to go back to my evil which i need to call it properly so i like calling things so i can find it much easier here i'm going to upload the reverse shell it's uploaded now i need to go and use exploits multi-handler and take a look at options so what i'm doing here is in metasploit is basically a basically a framework that allows you to basically manage um uh target systems to scan to look for exploits and to do payloads so what we're going to do here is by using the exploit uh multi-handler this is simply a way of basically uh receiving reverse shells and making a connection in session so we can actually interrogate that machine for us to do that we need to actually put in some parameters here the first thing is we need to put l host which is my local host which where i'm expecting the reverse shell to come to and up here i've got basically the ip address which is 10 10 14 5 which is my tunnel so what we need to do is basically set uh the l host uh to my tunnel so that's set i don't like using the 444 port because 
sometimes that's something that's default that you're already monitoring for so sometimes you'll change that to things like uh 443 or basically some common ports in order to basically mask the traffic because those are typically traffic which is allowed um so if i was to set for example the port 443 would be a common way to try and you know bypass traditional circuit controls i'm going to go and set it to what did i set it to 9001 is what i've set it to so we set that the next thing we need to do is make sure the payload is set because the payload right now by default is set to generic shell reverse i actually want a much more powerful shell so i'm going to set it to a meterpreter shell so i'm going to set the payload to windows x64 interpreter slash reverse tcp oh okay so all the options are now set so i should be able to run and that's not going to be listening on port 9001 on my tunnel address and waiting for a connection so if i go back to the machine here i can simply take my reverse shell that i created using ms venom execute it and we go back to our metasploit now we have a shell so what we've done is we've taken a machine and we've created a reverse connection back into the actually command and control warning and i'm going to interrogate that system we can see already about get uid so we're actually still under the user that we actually initially compromised already we can also do sys information to see a little bit more details about the system itself it's windows 10 as we saw from the is um it's 64-bit and the machine names driver so one of the things before i tend to do things because if i do process we're sitting basically running on the uh this process and sometimes if all of a sudden an av is running on that machine and it kicks me out i don't want to stay on that too long i want to be able to move so what i tend to do already at this stage i want to move off that and move into another process so i can stay connected in case some av runs and kicks me 
off from that session so what we'll end up doing is here explorer is a nice one to to migrate to so i want to so let's go and migrate and i want to do it by name and i just need to add an extra e so what we're doing is migrate from our reverse shell process into explorer and then that means that we're going to get a much more basically uh persistent connection we're going to make sure that we don't lose the connection so now we're running under the explorer process so the next thing now we're going to do is we're going to basically background that session and we're now going to use uh let me search for local uh is it we look for local privilege escalation we go back this is where i need to go copy paste because i can't remember the full path okay this is the one so we're going to run local exploit suggester so okay so basically with local experts suggest what it's going to do is based on the session that we've got it's going to basically go through all the possible local privilege escalations and suggest which ones will work in that machine so quick way of being able to identify uh you know ways to elevate privileges the only thing we need to do here is simply set this uh session to one and then run it and now it's going to go through and it's going to check like events like two to three thousand different possible exploits in the database and then see which one potentially will work for this particular machine we already know the rico one is you know the potential past but this is just a way of validating and verifying that this is the one that's going to work for but this is just a way of validating and verifying that that's the case as you can see there's 2294 possible options as i go through i do know the print nightmare will show up here because that's one that i we know that's the unintended and possible option any questions while i'm going through this correct i could have done it with the previous shell but um i wouldn't have been able to do local uh 
exploits register and also i wouldn't have been able to do the uh exploit itself the payload for the uh privilege escalation so you can see here although the red was not exploitable and then we get up to the top and we start seeing where it is exploitable so you can already see there's lots of possible options you can see here already the print network is already coming up with a spooler secondly log on handle so lots of options uh the one that we're going to use is this one this is the intended path which is the rico one that we saw in the partial uh script so if we go and we actually use that exploit now we take a look at the actually options and we can see here okay we need to set uh the session we need to set uh the actually payload local host and port so let's go ahead and set those so let's set the session to session one because that's the reverse shell that we have let's set the local host to my tunnel let's set local port to 9002 just to keep it simple let's set the payload to the one that we have the windows okay set okay so now what we can do is now we've got all the set if this machine is vulnerable we should be able to basically be able to run this exploit and gain access so you can see it's actually been able to add the printer driver it's not deleting it it's created uh the shell so now we do get uid we're not anti-authority system so that's kicking you through all the thought process that an attacker is doing is they're looking and as you go back to the open source intelligence and the actually enumeration phase that is so crucial to be able to kind of figure out all of these possible areas all of these paths really good inventory understanding configuration the machine understanding all of the you know possible options and also understanding about how to stay stealthy and hidden so that people can't detect you so living off the land so in this case if we do basically shell and we can go to c backslash users cd into administrator cd into desktop and 
then we do a dir we know i have the root file and we do type root dot text we know i have the root flag and now you've owned the box and that's ultimately taking you through a capture you know gamification capture the flag scenario um and getting ultimately access and owning that machine at this point in time once you've owned this type of machine the path to domain administrator is so easy it's peanuts to go from this now to domain admin and the way the attackers will typically do that is uh what they tend to do let's say is i'll put it in a kind of hotel scenario so i can get into one's level is right now i'm in a hotel and i've got my hotel key which allows me access to elevators in my room okay and i go into my room okay and i go into my room and i'm sitting in the room and if i'm an attacker what i want to do is be able to go and clone some of the hotel staff's cards because what are they privileged users they've got more power typically access to everyone's room access to all areas of the hotel so typically when attacker will do is they'll make some problems in the room that they're getting access to so for example this one may be causing application error or try to get an alarm and ultimately all of a sudden the application owner or somebody in the support team sees oh there's a problem in this machine i need to go fix it and then ultimately the person in the support team hotel staff will go up to that room they'll use their key card to open the door and that's what the attacker is doing is cloning that key card getting that token getting that credential and ultimately when that person goes in they fix the problem they leave now the attacker has been able to use access to you know that initial access point um patient zero they've cloned that person's key and they can move around the network and that's ultimately what kind of the steps that it will do so ultimately making kind of it problems uh in the network be ways of doing privileged escalation okay we've 
got two options here you know segue into two two paths i'm going to give you a bit of a a path to the ending of this session today we can do another machine on hack the box or we can go straight into the ransomware walkthrough which one okay who wants to continue doing another hack the box machine put your hand up who wants to do the ransomware walkthrough okay okay i guess that's a no like uh we we have i have a lot to go through if you need a bathroom break or you want a coffee or something um you can go do quickly now while i set up the environment for the ransomware one so uh you can yeah you can go quickly but if you can be back here in two to three minutes it doesn't take me long so be quick um there's so i'll show you here's the here's some of the machines that uh let's go find them so this is where i do my write-ups uh i do my write-ups initially in one note and then i do it in joplin the machine is the research part um so the live walkthrough so a couple of the insane ones there is here sauna is pretty good because it's an active directory one it allows you to do bloodhound and be able to look for ways uh to lateral move um the other machine i was going to do was netmon which is basically a vulnerable application that allows you to go from a standard user to elevated domain admin sorry it was it was a standalone machine but if yeah standalone machine um the one that's really kind of difficult is this spider one this is a i think either a hard and insane machine this is one i struggled one on was doing the uh this machine um and the key part of here was actually when you were using burp suite you would actually send it to basically a non-existing web page and the key way of finding out was actually that when it comes back as uh 404 not found all in capital letters what that tells you is flask is running in the background and that was the only little indicator that you know that flask is running and then once you know that flask is running then you basically 
get into server-side scripting injection and that will allow you then to execute code on the server side um and once you find that out and then the rest of the path was easy uh but it was a it was a very difficult machine it was uh lots of uh bypassing the security controls there's a web application firewall in place and then finding ways in order to actually sign and do the privilege elevation as well but it's a pretty it's a really good box to do to learn about flask exploitation and website and server-side injection so it is but that's where i use this to kind of do all of my own walkthroughs and notes and then it allows me when i come up against a machine that has a very similar kind of let's say application or setup i can go back and search these quite easily so um and also my kind of improving shells and privilege escalation techniques and you know there's lots of kind of my notes here so this so let me get this uh set up here we have is it interesting for you so far okay okay we're getting there okay so to give you kind of a bit of a context um this is actually a replication of a real victims environment um that was a victim of the ransomware case the one i mentioned earlier the 10 million euros and 20 million ransom demand and this is the exact setup so i'm going to walk you through the attacker perspective um there's multiple attackers in this uh uh environment so i'll explain kind of the process that went through okay i just need to make a few checks on some things okay okay so let's get on to the ransomware one okay so what I've done here is in order to train teams and do instant response simulation to do gamification side of things I created this environment which is almost exact replica of a victim's environment in order to teach instant responders to teach IT teams about what security controls have put in place and also teach them the techniques that attackers use so sometimes depending on this environment I will wear different hats let's go through 
as an incident responder, let's go through as digital forensics, let's go through as an IT security team. Today we're doing it as the attacker side, so you can get an idea of the process.

In this environment there were multiple attackers; it was an ecosystem of attackers. We had the initial access brokers who did the initial access. We had the actual hands-on-keyboard attackers who gained access, bought the credentials, and then deployed the ransomware. The ransomware was ransomware-as-a-service, so it was ransomware that was bought from the ransomware creators through an affiliate program. And then there was also another part of the criminal ecosystem, which helped the organization find ways to gain access and pay the ransom and so forth. So we were dealing with multiple attackers.

What initially happened is that we don't know how the initial access occurred. It was very likely phishing, social engineering, and potentially password reuse. The initial victim of the attack was an accountant. The accountant had access to a system through Remote Desktop that was outside the visibility of the IT team. There are always gaps; there are always people who find ways to circumvent security, and this is one of those.

Ultimately, we can see here, through the same process, that if the attackers were able to get a hash, they can run it through hashcat. Again, I've changed the passwords for this particular example; I've simplified them, mostly just for me. The passwords were more complex, but not very complex; they were still easily guessable. But you can see here quickly that the password is easily crackable, very quick. In the live environment, when I did the digital forensics, I cracked the passwords within, you know, 20 minutes, just to give you perspective. So here we also have an NTLM hash as well that was from the environment, and again we can go through the process of running it through hashcat. The first
one was an NTLMv1; this is a network NTLM, NTLMv2, and again it's only a matter of time. So ultimately the purpose here is that you can see some of the methods and techniques attackers use to gain access. They will crack passwords, they will do social engineering, they'll do phishing, and ultimately find victims and then find out where they're reusing these passwords across multiple systems.

What they'll end up using then is tools like crowbar. Crowbar is a tool that allows you to target different public-facing systems. One thing attackers will do is Shodan searches; they'll do public internet searches for all machines that are RDP-facing, or have applications facing the internet that they know they've previously found ways into. In this case they'll scan, they'll get all the RDP-facing systems, then they'll scan with all of the compromised users that they've already gained access to, and simply run it until they find one that works. Ultimately that's what they'll do: they'll go through the process and brute force, try over and over again, until they find one that's successful.

At this point in time, the attackers who gained access to this credential, the accountant's credential, did it seven months before. Seven months before, and that password had not been changed in that time. They did three initial validations of the credential over those seven months, and then they sold it to the hands-on-keyboard attackers. So in that case you had three successful connections, and the indicator was that they were coming from known Tor exit nodes and also known VPN tools that they were not using. So if you looked at the IP addresses and the DNS resolution, you could see that the connections of those successful logons were not coming from locations that would typically be from the organization. That was something they were not looking at, and something the organization should be looking at. But you can see here a
successful RDP connection, and therefore now they have the password. So what the hands-on-keyboard criminals simply do is buy the credential, and all they do is log on under the disguise of the existing user. Simply, that's the path.

Again, there are multiple things that happened here. Yes, the accountant chose poor passwords. They didn't have multi-factor authentication or additional security controls on the system. However, even with that, the system was vulnerable to BlueKeep, so they could still bypass it anyway. So there was a vulnerability that still allowed access. The evidence gathering showed that they didn't attempt to use the vulnerability, because that vulnerability, BlueKeep, is very unstable and you get lots of crashes in the system, and there were no indications of crashes.

So now they have access to the system. I'm not kidding you, this is actually how the system looked. On the desktop there's a file called "important stuff", and in that file was the server password, the database password, the financial system password, all sitting in clear text on the desktop. That's exactly how it looked. Of course I've changed those names and passwords just for sanity of disclosure, but that's what I basically found sitting on the accountant's desktop.

The next thing that was quite shocking as well was when you open up the browser. The accountant used this machine commonly, and in this browser, if I go to the saved passwords, they were storing their personal email accounts, the VPN information (the VPN that they should have been using was actually stored here in the browser), along with their Office 365 personal email account and other financial systems' details. So there were lots of things that accountant was storing. And then unfortunately, of course, there's no security in the browser. You know, browsers love cookies and passwords, but by default, if you're not managing it, not securing it, they're
great at storing them but not great at securing the access.

So the next thing the attacker is looking to do is find out, okay, what type of access do they have. They can go through whoami: okay, I'm neo. They can do net localgroup, they can spell it out, and ultimately the next mistake this organization made was that the accountant was a local administrator. So now you've got poor password choices, no MFA, the machine was vulnerable, storing passwords in clear text both on the desktop and in the browser, and now the account is a local administrator. And when the attackers find this, they know it's only a matter of time before they get the domain admin.

So we can go through the process in this gamification scenario. As we're going through the ransomware gamification side, the attacker now knows this, and what they'll do is, here in their downloads, this is actually how it looks: a, b, c, d, e, f, and scan and zap. Scan is a scanner tool, zap is the ransomware payload, a is the automation scripts, b is additional automation scripts and tools, c and so forth, and they contain different types of payloads. So the attacker simply has these hosted on a command and control; they'll access the machine and download them, because the way they've set this up is that a.zip will not be detected by AV, it will bypass AV.

So now we go back to the machine. I've already downloaded the scripts on this machine just for the sake of speed. So here in the enumeration, the automation, this is the a.zip payload, and in here you can see the scripts. Clean cleans up the log files of any evidence of the last five minutes. Disable security disables security for 15 minutes; the sessions typically last seven to eight minutes long. Downloader downloads the rest of the payloads. New user creates a new user. Sticky keys puts sticky keys in the background. I can actually show
you this. This is actually the script the attackers use, the real script. What it goes through is basically disable security, and it gives them a 15 to 30 minute window, because protected services will not kick in between 15 and 30 minutes. So if they disable security, they know they can stay hidden for that time; that's why sessions last seven, eight minutes long. So they can do any activity they want. All it looks like for the security team is that the machine just disappeared for 15 minutes: no activity, no logs, no nothing. This machine all of a sudden just had a blip, a loss of information, lost connectivity for 15 minutes. They'll put sticky keys in, which is basically another way of getting persistence in case the password changes. So they simply go and make some configuration changes.

So now they've disabled security, they've hidden their tracks, they're staying away from visibility. The next stage is going and downloading the next tools: Mimikatz. On machines today, the password in clear text is not there by default, but a simple registry change will change that. So making this change in the registry will now mean that for anything that logs into this machine after I make the change, I will be able to extract the password in clear text from memory. And again, you know, practically, looking for those configurations is important; you want to be able to see where those have been changed.

The next thing is they'll run dump creds. You can see here, this is the dump creds script. I always think it's interesting that they made it nice and color-coded, and they had a title and stuff. Then it basically runs and dumps the credentials. The first time they run it, they're only going to be able to get the credentials of the user they're logged in as themselves. But the organization made a mistake: they had a service account which was doing a backup job on a daily basis.
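An added example, written for this edit rather than taken from the talk or from the attackers' scripts: an offline audit of a `reg export` dump for the configuration changes just described. The talk does not name the registry values involved, so this block assumes the clear-text-password change is WDigest `UseLogonCredential` = 1, that the sticky keys persistence is the Image File Execution Options `Debugger` variant on the accessibility helpers (sethc.exe, utilman.exe and friends), and that the "disable security" step sets the Defender `DisableAntiSpyware` policy value; the sample export is constructed, not captured from the victim environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what `reg export` of the relevant keys could look like on a host
# after the attacker's configuration changes. Not captured from the talk's environment.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"""

# Assumed locations of the three changes (see lead-in); key paths are compared case-insensitively.
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
DEFENDER_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
# Accessibility helpers reachable from the logon screen; a Debugger entry on any of them
# hands out a SYSTEM shell without a password (the "sticky keys" persistence).
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')


def decode_value(raw: str):
    """Decode the two .reg value encodings this audit needs: dword and quoted string.
    Other encodings (hex:, multi-line values) are returned as the raw text."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside string values.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path (lower-cased): {value name: decoded value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})   # a key with no values is still recorded
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_value(m.group("value"))
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the three assumed configuration changes."""
    findings: List[Tuple[str, str]] = []
    if keys.get(WDIGEST_KEY.lower(), {}).get("UseLogonCredential") == 1:
        findings.append(("wdigest_cleartext",
                         "UseLogonCredential=1: LSASS keeps clear-text passwords of later logons"))
    prefix = IFEO_PREFIX.lower()
    for path, values in keys.items():
        if path.startswith(prefix):
            binary = path[len(prefix):]
            if binary in ACCESSIBILITY_BINARIES and "Debugger" in values:
                findings.append(("ifeo_debugger_backdoor", f"{binary} -> {values['Debugger']}"))
    if keys.get(DEFENDER_POLICY_KEY.lower(), {}).get("DisableAntiSpyware") == 1:
        findings.append(("defender_policy_disabled", "DisableAntiSpyware=1 set by policy"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{finding}: {detail}")
```

The IFEO key for utilman.exe in the sample exists but carries no `Debugger` value, so it is deliberately not reported; an empty key on its own is not the backdoor. On a real host the same audit runs over the output of `reg export` for those three paths, which is collectable from a forensic image without touching the live registry.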
That service account was taking a backup of the financial database that the accountant was using, and that service account was running as their domain administrator, and ran every night at 11:30, at midnight. So all the attacker needs to do is, okay, I'll go play some games, drive my Ferrari, spend the bitcoin that they've got, and then the next night they come back and open up the output, and they can go through and check and check and check, and ultimately what they'll find, because that service account, that script, is running, is that it's only a matter of time before they find, if I find it here, that's not it, the domain administrator that the service account was running under.

So now they've got that. The next stage is: okay, because I've got local admin access, I can disable security, I can make configuration changes, I can now extract passwords in clear text. Going back to my mention earlier about the hotel, about luring somebody into this machine: they didn't need to lure anybody, because their backup script was doing it for them. But if that backup script didn't exist, they would look for other ways to try and lure somebody to log on to that machine. Going back to the Ukraine scenario a few years ago, the way they were luring people in was they were running a poison pill which was filling the disk up. Disk space was running out on machines, and then all of a sudden, because the space is running out, they're getting alarms, they log in to the machine to fix the problem with the disk space running out, credentials, gain access.

So another two things: I've got the NTLM hash and the clear text password. Even if I didn't have the password, the attackers can simply go back and use the NTLM hash here in order to log on, so they don't necessarily need the password; they can simply do lateral moves with the hash. Voilà. Again, Windows Remote Management on the internal network, hostname:
I'm on the domain controller. I can use PsExec, because they were using PsExec to do the backup jobs; I'm now on the actual victim machine using PsExec, so literally hiding within the traffic of the victim. And also, with sticky keys, if anyone ever changed the password, I can simply go to the utility helper, Ease of Access, and I get a command prompt: whoami, NT AUTHORITY\SYSTEM. Copy, paste, add a new administrator, shut down the console, and because I did it so fast, if you're running an EDR or AV it's not going to detect that; it's just too fast for it to pick up. It will pick it up if I left it open, if it was open for longer, but because the attackers are so fast: copy, paste, get them in, new account, new password, new credential, gain access.

So the next stage, what they'll end up doing: they've done enumeration, they've got a privileged account. They go back in here; they might run the clean script, and that will delete all of the Mimikatz and all the data, it will delete their activity in the logs, re-enable security, and then they will leave. They come back another day, two days, three days later, and do the same thing: download a.zip, extract it, disable security, download the payloads, and check this time to see about the domain controller. Just one mistake they made was here: see the printer redirect checkbox. That was actually a mistake the attackers made in this ransomware case. That printer redirect redirected to a local printer on the network, which revealed their IP address range. So that was one mistake they made. It doesn't necessarily mean that's actually the location; in that case it was an IP address range in the occupied eastern part of Ukraine. Some of the scripts were in Cyrillic, Russian, so you kind of get an idea of the potential location, but the attribution was never identified 100%. It could have been a proxy, another location, who knows, but it was never found. But they did make some of
those mistakes by having those checkboxes. If I connect to the domain controller at this point in time, that action means the clock starts counting down: it was four hours before the ransom was deployed. Next stage, what the attacker will do is they'll go into Users and Computers, they'll add a user, a little backdoor user, to make sure they have persistence and access at that point in time. The next thing they do, now that they've got persistence on the domain controller, is they launch the attack, and that will download the zap, which contains the ransomware, and then it goes to all the systems.

So just showing you: as we went through the Hack The Box gamification, we had users making poor choices, lack of security controls, local administrator rights, all of those things. Again, going into a live simulation that I created from a real ransomware case, you can see the same techniques used over again. This is the playbook. This is the exact playbook that's used over and over and over again. There may be slight modifications to it; the initial access might change, from social engineering and phishing and vulnerabilities and so forth, but once in an internal network it's step by step, almost the exact same techniques, over and over again.

Well, so what it comes down to is, as you might see, I have many computers, all with different purposes. This one itself is one that is low risk, so for the protection of this: there's no sensitive data on it; it's just virtual machines, running as isolated as possible. Yes, I de-risk myself, so I've got different computers for different purposes and tasks. I've got my demonstration machine; I've got my work machine, which has a large level of protection, MFA, disk encryption, different types of controls; my hacking gamification machine, which has a whole different set of controls; and my lab environment. So it's a great question. For the accounts that I've got, I heavily rotate credentials. I use privileged access in order to get the highest level of password I can possibly get. I use MFA in front of everything; I also use different MFAs for different types of accounts. I monitor the activity of where they log in from, all of the login information, and I regularly go and check the hygiene of all of them. And I also have a backup system where I rotate disks in my backup environment every few months, so that if I ever do have a failure I've got an offline backup and I lose a maximum of maybe two to three months of data, worst case scenario. If you automate it, it's not a lot of work. Yes, initially when I set it up there were a lot of manual processes. So the question from the audience is that it sounds like a lot of work for me to do the protection of those systems. The initial setup, yes, but once you get into understanding what I can automate and put in place, a lot of it is automated where I don't need to think about it. Sometimes I need to go back and review my process just to make sure it's still up to date, protecting against the latest threats. So yes, it's a case of just continuing, but lots of things can be automated.

So let me go through the future. I mean, this is something that's really turning into an esport. I've actually seen it already becoming an esport: live streams of hackers showing their techniques, gamification, capture the flag events, as I showed, Cyber Spike and Locked Shields. It is actually something that's becoming a sport, and something that potentially you can become Olympians at, and at some point, you know, maybe become an Olympic sport. But this is
something that you should actually try to stay up to date on and see the path. But for me, I think the value that organizations get from this is huge, and the ultimate goal here is to reduce the risk. We need to find ways to accelerate our learning, to keep our employees engaged, to make sure that we have a way of understanding and putting the right defenses in place, not just following risk and compliance because we have a checkbox to go through, but how do we apply the real risks, and then understand how the governance and compliance map to that, and make sure that we're actually spending on and mitigating the risks that apply to organizations. Ultimately, that's what I realize my job is, and gamification for me is how I stay up to date. Capture the flag is how I evaluate myself in the industry. Cyber security is my skill set and knowledge, and my job on a daily basis is to reduce the risk and make the world a safer place. It's understanding how all of those get applied.

So ultimately my statement, this is something I've said time and time again: understanding hacker techniques is the best way to help you defend your organizations, your social sphere, your family, and keep them all safe. But we need to convert that into value. To your point earlier, it sounds like a lot of work, but the purpose is that there's value, a reason for doing that, and it's really business resiliency; it's to make the world a safer place.

So some of the key takeaways here. I'll open up for maybe a few questions. Yes? So, fantastic question. The question is about, in all my processes and techniques and flows, how does AI fit into this. So from my side, yes, AI on the defensive side is actually an acceleration. Attackers are not using it that much
from an attacker perspective, because the basics still work. Why invest in something that uses more resources and basically doesn't get them any additional value? I have seen it being used in specific areas from the attacker side, in things like phishing campaigns. Let's say in Estonia, the Estonian language used to protect us; with generative AI that protection is gone, because the translations are so good. So it means that yes, they're using it for better social engineering and phishing campaigns; it's more successful; it's hard to tell the difference these days. It's also a discussion, so maybe the malicious payload isn't until conversation or communication five or six. The other thing that's been used heavily is when data exfiltration occurs. It used to take attackers months to go through and analyze the data that they've been able to extract; they can do that in seconds today. They get large data dumps, you know, gigs and terabytes of data, and it used to take them a long time to analyze: what do I have, where are the credentials, where's the financial information, where's the value, what can I do with this. With AI it's done in seconds; they can analyze that data at basically a click of a button. It's also lowered the bar for attackers, meaning that not everyone needs to be sophisticated; anyone with an internet connection and a computer can go and ask an unguarded AI model for hacking techniques and be able to do things that they may not have been able to do before. So it has lowered the bar quite a bit in regards to entry into the criminal world. Other than that, I haven't seen it being used, maybe more in deepfakes, a lot, being able to use your digital DNA in deepfakes. So those are the areas. On the defensive side it also allows us to analyze our data much faster and more correctly. Not for the attacks themselves. Really, if you hear people talking about AI being used in the attacks,
it's security researchers and academics all showing the capabilities. Very rarely have I seen attackers using it in a campaign other than the areas that I've mentioned today. So yeah, it can be used, but why invest in it when their existing techniques work? Great question; hopefully that answered your question.

So some of the key takeaways here. If you're going down the path of gamification and you want to get value out of it, try to focus on specific areas first. I took it from a very broad perspective and tried to do everything at once; my recommendation, the lesson from that, is to focus on things that you want to learn quickly or you want to specifically focus on, whether it's incident response, or what security controls you can put in place, or web exploits and so forth. Focus will help you get there quicker. Get a mentor; don't try to go this alone. Again, the lesson I learned is that I tried to do everything myself. I'm a kind of perfectionist and I want to learn as much as possible, but I realized I can't do it alone, so that's why I surround myself with a community of experts and people that help me, and it helps me accelerate my knowledge as well. So do find mentors out there if you're going down the path. Don't use this just to get the flag; understand what's working in the background, the vulnerability itself. You can simply go and exploit the vulnerability, but what I do is I go and recreate it and understand why it's vulnerable, how to do it manually, and ultimately what the configuration is in the background as well. Just practice and simulations: keep doing it, keep fresh, keep running through. Don't be afraid to ask other people for help. Do your own write-ups; that was one area that I spent a lot of time on, writing my own methods and perfecting those, and I go back to my notes quite frequently.
Automation versus manual: as I mentioned, using things like WinPEAS is quick automation, fast, but learn how to do it manually yourself as well. Learn how not to depend on the tools, but also learn how to do things manually. And be patient. To get good at it, to practice it, to get it into your organizations and teams and get value out of it, is something that comes over time. You can get short wins, but it's something you have to be patient with, and enjoy it.

So at this point in time we're right on the hour. I'm sorry, it's game over. I'll take a minute or two for additional questions, but I'm around for the rest of the event. I need a team for the pub quiz tonight, so if anyone wants a hacker on their team, reach out; I love pub quizzes. Any questions in the room? I mean, you've got everything answered, you're all ready to go and be hacking gamers. So go do bug bounties, go make some money. I hope this has been valuable. For me, this is something I'm passionate about, and I was privileged to be able to come here. At some point in time I'd love to, even with many of us, go through and take one of the active machines and walk through it together, tackle it, and come up with ideas collectively about how to gain access. I hope you can go back with new, fresh ideas about maybe things that can help your learning, or things you can bring back to organizations. So I really do hope this has been a valuable one.

I was one of the really first early adopters of the Flipper Zero, and I know Pavel quite well. So I've known it for a while; the Flipper Zero is not new, it's a collection of multiple technologies in one device which is mobile, which is great, but I've been into RFID hacking and Proxmarks and Chameleons for many years. So for the Flipper Zero, the question is, have I played
around with it. I was one of the first people to get it, so yes, I've used it for ethical hacking, mostly to open up my own garage door in my office, and hotel keys and stuff. So I don't have to... you get one hotel key, you have to put it in that freaking electricity thing, and you can't take it with you if you want to charge something in the room. Clone the card with your Flipper Zero and you can then open up the hotel door. So yes, I've used it quite extensively, and it's fun, but it's not new. Yeah? Did you have a question or are you just agreeing? Yeah, yeah, there are many, many ways to do it, but for me, just having the Flipper here in my pocket is a simple way. So absolutely, and that's what it comes down to: ultimately we're here to try and make sure that what we put in place removes friction and people get to do things in a secure way and an easy way. So, but thank you. If you have questions I'll be around. If you want to connect with me and send me a message, if you want to get a voucher to go and play with some of the machines, and if you want to do some games together, I'm here. So stay safe, take care, enjoy the rest of the conference, and thank you for being in the session today. All the best.
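An added example, written for this edit and not part of the talk, covering three detection points the walkthrough raises: successful RDP logons from sources the organization would never log in from (the three credential validations over seven months), one external address trying the same credentials against several accounts (the crowbar-style brute force), and a host that goes silent for 15 minutes while "security is disabled". The events are constructed to resemble Windows Security log records (4624 success, 4625 failure, 4634 logoff, logon type 10 for RDP); the expected source ranges, hostnames and addresses are assumptions, with 203.0.113.0/24 standing in for an unknown external address.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed: the only places RDP sessions should originate from are the internal LAN and
# the VPN concentrator's egress range (both constructed for this example).
EXPECTED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


def _ev(time: str, host: str, event_id: int, user: str, src: str, logon_type: int = 10) -> dict:
    """Build one constructed Security-log style record."""
    return {"time": datetime.fromisoformat(time), "host": host, "id": event_id,
            "user": user, "src": src, "logon_type": logon_type}


# Constructed sample (not from the victim environment). LogonType 10 = RemoteInteractive (RDP),
# 3 = network logon such as the nightly backup job.
EVENTS = [
    _ev("2024-03-01T22:50:00", "ACCT-PC", 4625, "neo",    "203.0.113.7"),
    _ev("2024-03-01T22:50:03", "ACCT-PC", 4625, "admin",  "203.0.113.7"),
    _ev("2024-03-01T22:50:06", "ACCT-PC", 4625, "backup", "203.0.113.7"),
    _ev("2024-03-01T22:50:09", "ACCT-PC", 4625, "neo",    "203.0.113.7"),
    _ev("2024-03-01T22:50:12", "ACCT-PC", 4624, "neo",    "203.0.113.7"),  # credential validated
    _ev("2024-03-01T22:51:00", "ACCT-PC", 4624, "jsmith", "10.0.0.5"),     # expected source
    _ev("2024-03-01T22:55:00", "ACCT-PC", 4634, "neo",    "203.0.113.7"),
    # nothing from ACCT-PC for 20 minutes: the "security disabled" window
    _ev("2024-03-01T23:15:00", "ACCT-PC", 4624, "neo",    "203.0.113.7"),
    _ev("2024-03-01T22:50:00", "DC01", 4624, "svc_backup", "10.0.0.20", logon_type=3),
    _ev("2024-03-01T22:58:00", "DC01", 4624, "svc_backup", "10.0.0.20", logon_type=3),
    _ev("2024-03-01T23:06:00", "DC01", 4624, "svc_backup", "10.0.0.20", logon_type=3),
    _ev("2024-03-01T23:14:00", "DC01", 4624, "svc_backup", "10.0.0.20", logon_type=3),
]


def unexpected_rdp_logons(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Successful RDP logons (4624, type 10) whose source is outside EXPECTED_SOURCES."""
    hits = []
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            src = ip_address(e["src"])
            if not any(src in net for net in EXPECTED_SOURCES):
                hits.append((e["host"], e["user"], e["src"]))
    return hits


def spray_sources(events: List[dict], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Sources whose failed logons (4625) span several distinct accounts, the pattern a
    crowbar-style run against an RDP endpoint leaves. A production rule would also
    bound this to a time window; the sample is short enough not to need one."""
    users_by_src: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_accounts}


def telemetry_gaps(events: List[dict],
                   min_gap: timedelta = timedelta(minutes=15)) -> List[Tuple[str, datetime, datetime]]:
    """Hosts that produced no events for at least min_gap between two consecutive records."""
    times_by_host: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        times_by_host[e["host"]].append(e["time"])
    gaps = []
    for host, times in times_by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier >= min_gap:
                gaps.append((host, earlier, later))
    return gaps


if __name__ == "__main__":
    for hit in unexpected_rdp_logons(EVENTS):
        print("RDP logon from unexpected source:", hit)
    for src, users in spray_sources(EVENTS).items():
        print("credential spraying from", src, "against", users)
    for host, start, end in telemetry_gaps(EVENTS):
        print(f"{host} silent from {start:%H:%M} to {end:%H:%M}")
```

The gap check is the cheap one to add to an existing pipeline and catches exactly what the talk describes: a workstation that "disappears" for a quarter of an hour and then resumes with a privileged logon. The source-range check depends on the organization actually knowing where its users log in from, which is the gap the victim had.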