Episode Summary: Talkin' Bout [Infosec] News – Attack Tactics Part 1
Podcast: Talkin' Bout [Infosec] News
Host: Black Hills Information Security
Episode: WEBCAST: Attack Tactics Part 1
Air Date: June 4, 2018
Main Hosts/Speakers: John Strand (B), Derek Banks (C), Sierra (A)
Episode Overview
This episode kicks off a new series on "Attack Tactics," focusing on the offensive side of web application assessments and red teaming. John Strand, with guests Derek Banks and Sierra, breaks down a recent BHIS penetration test to illustrate modern attack methodologies used against organizations, emphasizing tactics, tools, and real-world lessons learned. This part of the series is purely offensive—defensive strategies and detection methods will follow in Part 2.
Key Discussion Points & Insights
1. Structure of the Webcast Series
- The series alternates between offensive (attacks/techniques) and defensive (detectors/countermeasures) topics.
- Real test cases are drawn from BHIS engagements, with redacted details to protect client specifics.
- This episode’s test case: External assessment against an org with cloud-based email (Office 365), SharePoint, some VPNs—most critically, single-factor authentication (SFA).
- Slides are referenced but not included in the podcast; listeners are directed to YouTube for visuals.
2. Common Security Weaknesses Uncovered
- Single-factor authentication (SFA) is a persistent vulnerability.
  - “If we're ever doing an assessment for an organization and they do not have two-factor enabled, it's pretty much a bad sign for them.” — John [02:29]
  - SFA tied into Active Directory is especially problematic.
- Cloud services (Office 365 & Google Apps) increase attack surface.
  - Pen testing against these services is often discouraged.
  - Detection by providers (like Microsoft) is hit-or-miss or significantly delayed.
  - Credential reuse and cloud/on-prem authentication create dangerous links.
- Default credentials and exposed admin interfaces are rampant.
  - Many orgs leave interfaces unprotected or still using defaults, especially when third-party vendors are involved.
- Legacy technology and overlapping stacks increase risk.
  - Multiple VPN solutions (Cisco, Juniper, SoftLayer) and exposed database servers multiply attack surfaces.
  - Old service accounts and outdated group policy artifacts (like GPP password files) are still common, even in large, modern orgs.
3. Attack Methodology Walk-through
Reconnaissance (Recon-ng and OSINT) [03:01+]
- Using tools like Recon-ng, Shodan, HaveIBeenPwned, and PunkSPIDER to gather user info, breached creds, and exposed services without tipping off the target.
Password and Credential Gathering [04:48+]
- Finding immense numbers of leaked credentials online is still highly effective (“It's ridiculous to me how effective it still is for us to find credentials associated with a target organization online.” — John [08:44])
- Tools and resources: HaveIBeenPwned, Pastebin, custom APIs, password dumps.
Cloud & Hybrid Attacks [05:09, 07:21+]
- Credential reuse from third-party breaches leads to Office 365/Google Apps accounts compromise.
- Password spraying (using Burp Suite and related tools) is frequent.
- Detection by cloud providers is either slow or absent.
Password Policy and Hash Cracking [12:48+]
- Weak org password policies (8-character minimum still prevalent).
- Even with longer (15+ character) passwords, dictionary and rule-based hash cracking (Hashcat techniques) can still yield wins.
- Most clients haven't moved beyond short, easy-to-crack passwords.
Notable quote:
“The longer the password the better. But still to this day, the majority of our customers … still have an 8 character password policy because they couldn’t win the fight. Security did not win the fight against operations.” — Derek [13:30]
Default Credentials and Poor Decommissioning [18:21+]
- Many exposed management interfaces still use default credentials.
- Third-party, VOIP, and legacy admin panels are common culprits.
- Pen testers often gain access this way more than by exploiting software vulnerabilities.
Password Spraying Tactics [22:45+]
- Season-and-year type passwords (“Spring20”, etc.) remain very common.
- “Password spraying gets us into more organizations than just about anything.” — John [22:45]
- Spray attacks are now distributed across many source IPs via tools like ProxyCannon and Amazon Lambda to evade simple IP-based blocking ([24:15+]).
- Blue teams often engage in IP-blocking battles, but attackers can throttle attempts and constantly shift IPs.
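Detection logic for the distributed spraying described above, added here as an example and not from the webcast or BHIS: it buckets failed sign-ins per tenant rather than per source IP, so a low-and-slow spray spread over many IPs (the pattern that defeats IP blocking) still alerts, and it then lists sprayed accounts that went on to log in successfully. The log format, field names and every sample line are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the webcast): "timestamp user source_ip result".
# 09:00 block: one IP walks five accounts. 09:10 block: the same spray spread over one
# IP per attempt (which per-IP blocking never sees), ending in the attacker's one win.
SAMPLE_LOG = """\
2018-06-04T09:00:01 alice 203.0.113.10 FAIL
2018-06-04T09:00:03 bob 203.0.113.10 FAIL
2018-06-04T09:00:05 carol 203.0.113.10 FAIL
2018-06-04T09:00:07 dave 203.0.113.10 FAIL
2018-06-04T09:00:09 erin 203.0.113.10 FAIL
2018-06-04T09:10:00 alice 198.51.100.1 FAIL
2018-06-04T09:11:00 bob 198.51.100.2 FAIL
2018-06-04T09:12:00 carol 198.51.100.3 FAIL
2018-06-04T09:13:00 dave 198.51.100.4 FAIL
2018-06-04T09:14:00 frank 198.51.100.5 FAIL
2018-06-04T09:15:00 erin 198.51.100.6 SUCCESS
"""
EPOCH = datetime(1970, 1, 1)

def parse(log_text):
    return [(datetime.fromisoformat(ts), user, ip, result)
            for ts, user, ip, result in (line.split() for line in log_text.splitlines())]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag windows where failures touch many accounts; keyed on the tenant, not the source IP."""
    wsecs = int(window.total_seconds())
    buckets = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            secs = int((ts - EPOCH).total_seconds())
            buckets[EPOCH + timedelta(seconds=secs - secs % wsecs)].append((user, ip))
    alerts = []
    for start in sorted(buckets):
        users = sorted({u for u, _ in buckets[start]})
        if len(users) >= min_accounts:
            per_ip = Counter(ip for _, ip in buckets[start])
            # at most a couple of attempts per IP is the distributed variant that defeats IP blocking
            alerts.append({"window_start": start, "users": users, "source_ips": len(per_ip),
                           "distributed": max(per_ip.values()) <= 2})
    return alerts

def spray_successes(events, alerts, window=timedelta(minutes=10)):
    """Sprayed accounts that then logged in within the spray window or the next one: lock these first."""
    hits = set()
    for a in alerts:
        lo, hi = a["window_start"], a["window_start"] + 2 * window
        hits |= {u for ts, u, _, r in events if r == "SUCCESS" and u in a["users"] and lo <= ts < hi}
    return sorted(hits)
```

On the sample both windows alert (the second one flagged as distributed) and `erin` is reported as the account the spray actually got into.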
Credential Reuse and Lateral Movement [27:04+]
- Credentials from one compromised service (e.g., SharePoint) allow access to other linked services (e.g., Office 365, OWA, VPNs).
- Global Address Lists are harvested to expand the attack surface within the org.
Post-Exploitation Recon and Data Gathering [33:32+]
- Searching mailboxes (MailSniper) and SharePoint for internal docs, VPN setup instructions, and more credentials.
- Attackers try to avoid dropping malware; living off the land (abusing built-in tools, RDP, VPN) is preferred where possible because it is harder to detect.
Domain Recon, Privilege Escalation, and Hash Extraction [36:31+]
- Techniques: net user / net view, PowerView, BloodHound, DeathStar for mapping AD relationships.
- Kerberoasting: Cracking service account hashes retrieved via Kerberos ticket requests ([38:40+]).
- Group Policy Preference files (GPP): Still, years after patch, many orgs’ GPP XMLs contain crackable admin passwords ([41:09+]).
- Attackers dump hashes from DCs using safer methods (volume shadow copy vs. in-memory dump) to avoid crashes.
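An added audit script for the GPP issue above (not from the webcast or BHIS): it walks a copy of SYSVOL and lists every Group Policy Preferences XML element that still carries a non-empty `cpassword` attribute, which is what an org needs to find and remove. It reports presence only and decrypts nothing; the sample tree, the policy GUID and the ciphertext value are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute, and the attributes that
# name the account the password belongs to.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpassword(sysvol_root):
    """Walk a SYSVOL tree and report every element with a non-empty cpassword
    attribute. Presence is the finding; nothing is decrypted."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparseable policy XML deserves a manual look
            for el in root.iter():
                if el.attrib.get("cpassword", ""):
                    account = next((el.attrib[a] for a in ACCOUNT_ATTRS if el.attrib.get(a)), "<unknown>")
                    findings.append({"file": os.path.relpath(path, sysvol_root),
                                     "element": el.tag, "account": account})
    return findings

# Constructed sample SYSVOL tree (not a client artefact): one stale local-admin
# policy with a cpassword, one drive map without.
GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="LocalAdmin" changed="2012-01-01 00:00:00">
  <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED_CIPHERTEXT_PLACEHOLDER"/>
</User></Groups>"""
DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties action="U" path="\\\\files\\home" cpassword=""/></Drive></Drives>"""

def build_sample_sysvol():
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "example.local", "Policies", "{CONSTRUCTED-GUID}",
                         "Machine", "Preferences")
    for sub, xml in (("Groups", GROUPS_XML), ("Drives", DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, sub + ".xml"), "w") as f:
            f.write(xml)
    return root
```

Point `find_cpassword` at a real SYSVOL copy to get the list of policies to remove; on the sample tree only the `LocalAdmin` entry in `Groups.xml` is reported.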
Password Policy Realities [47:39+]
- Easiest point of compromise: orgs stuck with 8-character password policies (often due to legacy apps/mainframes).
- Cultural and operational inertia (“If it’s not broken, don’t fix it”) keeps insecure defaults alive.
Attack Objectives and Adversarial Goals [48:50+]
- Real adversaries (or targeted pentests) have a specific data or privilege objective (not merely “domain admin” but often sensitive docs, IP, or financial data).
- Ownership of a large portion of creds generally equals organizational compromise.
4. Pen Testing Team Definitions [20:05+]
- Red team: Adversary simulation (planned duration, possibly all attack types).
- Black team: Surprise, open-ended testing—attack could happen anytime over many months.
- Purple team: Red (attackers) and blue (defenders) collaborate, sharing TTPs and detection/response learnings.
Quote:
“It’s basically a difference in timescale.” — John, on the distinction between red and black teams [21:09]
Notable Quotes & Memorable Moments
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:29 | John (B) | “If we're ever doing an assessment for an organization and they do not have two-factor enabled, it's pretty much a bad sign for them.” |
| 08:44 | John (B) | “It's ridiculous to me how effective it still is for us to find credentials associated with a target organization online.” |
| 13:30 | Derek (C) | “The longer the password the better. But ... still have an 8 character password policy because they couldn't win the fight.” |
| 18:21 | John (B) | “We have better success with default creds than actual remote exploits gaining access to systems.” |
| 22:45 | John (B) | “Password spraying gets us into more organizations than just about anything.” |
| 23:03 | John (B) | “A password like right now it'd be spring 20. That would be a password that would be used...” |
| 24:15 | Sierra (A) | “When you attack, are you coming from one IP?...” |
| 31:06 | Sierra (A) | “Do you find yourself making recommendations for stricter passwords for privileged accounts when you can't win the overall policy?” |
| 48:50 | John (B) | “Anytime an adversary is coming at your organization and they’re a targeted adversary, they have a goal and objective.” |
Important Segment Timestamps
- Key Problem: Single-Factor Authentication in the Cloud — [02:03–03:01]
- Recon-ng and OSINT Methods — [03:01–05:09]
- Cloud Service Exploitation & Detection Gaps — [05:52–08:44]
- Password Spraying & Credential Harvesting — [08:44–12:47]
- Hash Cracking & Password Policy Weaknesses — [12:48–15:38]
- Exposed Services & Default Credentials — [15:38–20:05]
- Pentest Team Definitions — [20:05–22:45]
- Password Spray Details & Defeating IP-Based Blocking — [22:45–26:24]
- Credential Reuse & Expanding Access — [27:04–29:41]
- Sensitive Data Search via MailSniper — [33:32–36:16]
- Active Directory Recon & Advanced Techniques — [36:31–41:09]
- Group Policy Password Extraction — [41:09–42:51]
- Hash Dumping via Volume Shadow Copy — [44:25–47:39]
- Password Policy History/Persistence — [47:39–49:30]
- Closing Themes & Next Episode Preview — [52:06–54:37]
Key Takeaways
- Credential management and authentication weaknesses remain the lowest-hanging fruit for attackers, despite years of warnings and tools available.
- Detection by cloud email/SaaS providers is inadequate or too delayed to be meaningful for many real attacks.
- Password spray, credential stuffing, and default creds trump exotic remote exploits for real-world red teams.
- The attack chain often combines OSINT, recycled creds, exposed interfaces, poor cleanup, and lateral movement, usually without any malware needed.
- Defense is multi-layered and can’t rely on a single technology or team. Upcoming episodes will address defense and detection strategies for each attack method discussed here.
Final Thoughts & Series Direction
The episode sets up a comprehensive, realistic view of how modern attacks against organizations unfold, focusing on actionable steps, real mistakes, and penetration tester perspectives. The next episode will shift focus to defensive measures, detection techniques, and practical advice for organizations to harden themselves against these attack tactics.
[Note: All timestamps refer to the podcast episode audio.]