Conference Talks – August 2020

This month, NCC Group researchers will be presenting their work at the following conferences:

• Dirk-Jan Mollema, “ROADtools and ROADrecon,” to be presented at Black Hat USA 2020 (Virtual – August 1-6 2020)
• Chris Nevin, “Carnivore: Microsoft External Attack Tool” to be presented at Black Hat USA 2020 (Virtual – August 1-6 2020)
• Rory McCune, “Mastering Container Security v4” to be presented at Black Hat USA 2020 (Virtual – Training from August 3-4 2020)
• Dhruv Verma, “Bad Active Directory (BAD)” to be presented at DEF CON 28 Packet Hacking Village (Virtual – Training during August 6-9 2020)
• Jon Szymaniak, “Sinking U-Boots with Depthcharge: Effective Exploitation of Boot-Time Security Debt” to be presented via Hardwear.io Webinar series (August 24 2020, 11am CDT/ 6pm CEST)

You can preview each of the talk abstracts below. We hope you will join us!

ROADtools and ROADrecon
Dirk-Jan Mollema
Black Hat USA 2020 – Virtual
August 1-6 2020

ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool.

ROADlib is a library that can be used to authenticate with Azure AD or to build tools that integrate with a database containing ROADrecon data. The database model in ROADlib is automatically generated based on the metadata definition of the Azure AD internal API.

ROADrecon is a tool for exploring information in Azure AD from both a Red Team and Blue Team perspective. In short, this is what it does:

• Uses an automatically generated metadata model to create an SQLAlchemy backed database on disk.
• Use asynchronous HTTP calls in Python to dump all available information in the Azure AD graph to this database.
• Provide plugins to query this database and output it to a useful format.
• Provide an extensive interface built in Angular that queries the offline database directly for its analysis.

ROADrecon also provides a built-in plugin to export it’s data to a custom version of BloodHound with Azure AD capabilities.

Both ROADtools and ROADrecon are completely free and open source software.

Carnivore: Microsoft External Attack Tool
Chris Nevin
Black Hat USA 2020 – Virtual
August 1-6 2020

Carnivore is a username enumeration and password spraying tool for Microsoft services (Skype for Business, ADFS, RDWeb, Exchange and O365). It includes new post compromise functionality for Skype for Business (pulling the internal address list and user presence), and a new method for smart detection of the username format. Carnivore originally began as an on-premises Skype for Business enumeration/spray tool as, these days, organizations have often locked down their implementations of Exchange, however, Skype for Business has been left externally accessible, and does not seem to have received as much attention from penetration tests.

Training: Mastering Container Security v4
Rory McCune
Black Hat USA 2020 – Virtual Training
August 1-6 2020

Containers and container orchestration platforms such as Kubernetes are on the rise throughout the IT world, but how do they really work and how can you attack or secure them? The first take will look at key security concerns for Docker and other systems which make use of containerization. We’ll also be covering fundamental Linux security concepts such as namespaces, cgroups, capabilities and seccomp, along with showing how to secure (or break into) container-based applications. The course will then move on to the world of container orchestration and clustering, looking at how Kubernetes works and the security pitfalls that can leave the clusters and cloud-based environments which use containers exposed to attack. The course has core modules which we’ll cover as well as an array of bonus content which will be covered if there is time. The bonus modules focus on areas like Docker and Kubernetes security tooling, the details of prominent container security vulnerabilities and exploits and also look at the world of Windows containers. At the end of the two days we’ll have a range of systems to practice some of the skills learned during the course.

The areas we’ll be covering are:

Day 1 – Docker Kubernetes Baics

• Docker Basics – Review of basic Docker commands and how Docker handles networking.
• Creating Docker Images – Covering how to create Docker images with examples around security tool creation.
• Container Fundamentals – This delves into Linux container primitives, such as namespaces, cgroups, capabilities and seccomp filtering, essentially showing how container security is applied.
• Docker Security – This looks at primary security concerns around the use of Docker Engine, including common pitfalls and how to attack or mitigate them.
• Introduction to Kubernetes – Here we’ll cover the Kubernetes container orchestration platform and look at how it’s architected and composed. The goal is to familiarise students with how the platform operates so they can understand key areas of security concern/points of attack.

Day 2 – Container Orchestration

• Kubernetes Networking – The way that Kubernetes handles networking is an important concept to fully understand when looking at securing and attacking clusters. This module will look at some the main ways this is approached and the underlying technologies used (e.g. iptables, eBPF)
• Kubernetes Basic Security – This module looks at three major threat models for Kubernetes clusters (external attackers, compromised containers, and malicious users) and walks through the likely attack paths that each would take, showing practical approaches to exploiting Kubernetes security weaknesses.
• Kubernetes Authentication Authorization – This module looks at how Kubernetes handles Authentication and Authorization, focusing on some of the weak points and common pitfalls which could allow attackers to compromise a cluster.
• Kubernetes Policy Security – This will focuse on some of the key policies which need to be implemented to have a secure cluster, covering Network Policies and Pod Security Policies. It will also look at some alternatives to the native Kubernetes options which are growing in popularity, such as OPA and k-rail.
• Kubernetes Ecosystem – There are a number of products which are very commonly deployed alongside Kubernetes (e.g. Helm, Prometheus, FluentD). This module will look at common security weaknesses in these products and how to address them. This module will also touch on some of the ways that service meshes like LinkerD and Istio are being used to secure Kubernetes deployments.
• Extras – Depending on how fast the students have been working through the day’s content, some extras can be covered, such as looking at the wider Docker ecosystem, alternative container runtimes Windows containers, common Kubernetes security tools and Kubernetes vulnerabilities.
• CTF – At the end of the day’s materials a number of clusters with security vulnerabilities will be available for students to practice the attacks described during the course.

Training: Bad Active Directory (BAD)
Dhruv Verma, Michael Roberts, and Xiang Wen Kuan
DEF CON 28 Packet Hacking Village – Virtual Training
August 6-9 2020

This is an introductory to intermediate level Windows active directory (AD) training. The training has two parts: a lecture component, where we’ll cover how active directory works and the core things you need to know to attack it effectively, and a series of hands-on labs modeled after real attacks we’ve performed on client environments. The training will be heavily lab focused, with each student receiving their own AWS environment to play with. The labs are based off of how real modern networks look, not example test environments, and successfully completing each lab involves chaining together multiple vulnerabilities in a realistic kill chain methodology to get domain admin.

This training will cover spoofing broadcast protocols using Responder, extracting and cracking Windows hashes, mapping out an active directory environment using Bloodhound, dumping credentials cached locally on Windows operating systems, exploiting common active directory misconfigurations  and running a DCSync attack. Attendees who are experienced with AD can spend more of their time attempting to gain Domain Admin in the environment without our help. At the end of the training, attendees new to AD exploitation will have a solid basis from which to learn more (we’ll provide a number of links for further research), and everyone will leave with a number of practical and effective exploit techniques for AD environments. This training will be a great introduction to those who have been wanting to do learn about hacking Windows active directory, but don’t know where to start.  The training is open to attendees of all levels. 

Sinking U-Boots with Depthcharge: Effective Exploitation of Boot-Time Security Debt
Jon Szymaniak
Hardwear.io Webinars
August 24 2020, 11am CDT/ 6pm CEST

A hardware hacker’s journey toward a rooted device typically includes only a brief sojourn within the U-Boot bootloader environment, which is often left unprotected and trivially abused. However, devices that attempt to bolt vendor-specific security mechanisms onto U-Boot offer exciting opportunities to pursue creative bypasses and explore underappreciated U-Boot functionality. This talk details how clever abuses of various aspects of U-Boot, including commonly overlooked memory access primitives and exported data structures, can be leveraged to analyze and attack devices. We will explore these in the context of NCC Group’s recently released “Depthcharge” toolkit, complete with an example of its use in a tethered root of a smart speaker that leverages secure boot functionality. By the end of this presentation attendees will be armed with the U-Boot hacking arcanum necessary to use and expand upon Depthcharge, enabling them to more effectively audit and exploit weaknesses in vendor-customized U-Boot builds.

Project Documentation: https://depthcharge.readthedocs.io
Source Code: https://github.com/nccgroup/depthcharge
Blog Post: https://research.nccgroup.com/2020/07/22/depthcharge

Webinar Details: https://hardwear.io/webinar/sinking-u-boots-with-depthcharge.php
Webinar Registration: https://hardwear-io.zoom.us/meeting/register/tJIvc-2przwuHNfPNAfUrRvppXksP5tsYBdv?timezone_id=America%2FChicago