Black Hills Information Security show

Black Hills Information Security

Summary: Download and listen to our weekly infosec podcast where we discuss the latest attacks, breaches, and how they happened and why. We’re a team of penetration testers (ethical hackers) and friends that love how new technology can be broken and made to do things it was never intended to do.

Podcasts:

 Webcast: Pretty Little Python Secrets – Episode 1 – Installing Python Tools and Libraries the Right Way | File Type: audio/mpeg | Duration: 1:19:02

Have you ever installed a Python tool / library only to then find out other Python-based tools you’ve installed previously are now completely broken? Running Kali? Ever try installing a Python tool with apt-get and another with pip? Notice how some things don’t work anymore? Ever wondered if there was an easier way to install Python tools quickly without having to deal with dependency hell? If you’re using Python-based tooling on a regular basis (which most of the security community is) then odds are you’ve been in one of those situations multiple times. Turns out there are relatively simple solutions to all of these problems, albeit some are “hidden” within the Python docs, not explained well, require a lot of effort to the point where people give up and/or are not generally known outside of the hard-core Python development circles. In this Black Hills Information Security webinar, we’ll share a collection of “ez button” methods to correctly install Python tools/libraries without messing up your entire system along with the “why” and “how” behind them. BHIS Discord Community: https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/08/SLIDES_PrettyLittlePythonSecretsEpisode1.pdf 00:00 – PreShow Banter™ – Jokes Not Safe For Work 11:34 – PreShow Banter™ – Sponsorware for GitHub 20:15 – FEATURE PRESENTATION: Pretty Little Python Secrets 25:22 – 1st Circle of Hell: Managing Python Versions 31:01 – 2nd Circle of Hell: Python Dependencies 33:28 – Installing Python Tools/Libraries 39:26 – Isolate, Isolate, Isolate 46:37 – Pipx – The Easy Button 51:23 – Making Python Apps Semi-Portable 53:17 – ZipApps!

 Webcast: What to Expect When You’re Expecting a Penetration Test | File Type: audio/mpeg | Duration: 1:26:45

CJ and Bryan will share the knowledge they’ve accumulated over the years by helping 1,000s of organizations determine what they need and don’t need when it comes to penetration tests and security assessments. Topics Covered: * Selecting the type of test * Selecting the company to test * When to test * Issues around conducting a test This webcast is for penetration testers and offensive security professionals to see behind-the-scenes of how scoping, Rules of Engagement, and client relations are established. For the defenders and Blue Team professionals, this webcast will help you understand what to expect when deciding if and when you want to test the defenses you’ve put in place. What to Expect When You Are Expecting…a Penetration Test by Larry Pesce and Suzanne Pereira: https://youtu.be/aJatJZI__V4 Join the Black Hills Information Security Discord Community: https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/08/SLIDES_WhatToExpect.pdf 00:00 – PreShow Banter™ – Look What I Can Do! 05:17 – And Now For The Expected Presentation 15:21 – What Kind of Test is Right for Me 27:04 – How Big Will It Get? 36:34 – How Much Will it Cost? 45:25 – What Are the Risks? 50:55 – The Big Day 54:00 – Post-Testum Depression 1:00:40 – May I Have Another?

 Webcast: Atomic Purple Team Framework and Life Cycle | File Type: audio/mpeg | Duration: 59:29

Jordan Drysdale & Kent Ickler // Jordan and Kent are back again to continue strengthening organizations’ information security human capital (That’s all you folks!). Organization Leadership and Security Practitioners can gain an understanding of how potentially designed-to-fail Purple Team initiatives never reached their full potential. The Duo reviews how systemic organizational career pathing created an insoluble Red vs Blue dichotomy. MORE IMPORTANTLY: The team is announcing a recipe for Purple Team Wins: The Atomic Purple Team (Lifecycle) Framework. Organizations struggling to efficiently leverage the skillsets of all information security staff will benefit from considering the Atomic Purple Team Lifecycle Framework’s business-driven workflow. The workflow takes its roots from tested continuous improvement frameworks like ISO9001, ISO27001, Six Sigma, and the like. Watch how a methodical balance of risk analysis, attack, hunt and defend methodologies, and business considerations can effectively and continually improve an organization’s security posture. As an added bonus, the framework incorporates concepts of Human Capital Management and knowledge-flow methodologies to encourage tacit knowledge exchange to further organic growth of the skillsets of all those involved in the Atomic Purple Team framework. But wait, there’s more! Budget headaches? Learn how the Atomic Purple Team framework’s methodical flow also aligns to natural business operations management and reporting. The framework provides a clear path to cabinet-approved Purple Team budget appropriations to ensure long-term security posture improvement. Lastly, Jordan and Kent will demonstrate the Atomic Purple Team Lifecycle in action by running complete live Attack and Hunt/Defend lifecycle(s), all the way to risk management and budgetary thoughts. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Need slides and much more — https://github.com/DefensiveOrigins/A… 0:00 – Family Stories 1:07 – Atomic Purple Team Framework

 Webcast: What About Ransomware? | File Type: audio/mpeg | Duration: 1:31:39

This is a joint webcast between Black Hills Information Security and the Wild West Hackin’ Fest conference. We hate ransomware. Like a lot. This is because we feel this is the future of cyber attacks. If you look at the recent cases and the newish versions that involve extortion, there is nothing to like. Well, almost nothing. In this webcast, we cover what you can do to prepare (trust us, we have a newish twist on this) and what you can do to mitigate the damage. We also talk about working with brokers. There will be lots of memes to help this topic go down better. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/08/SLIDES_WhatAboutRansomware_BHIS_.pdf 0:00 – Half-Witty Theme Music 0:53 – Welcome to the New Ransomware 9:44 – User Training 15:14 – ATT&CK Matrix 17:07 – We Should Be Emulating 21:36 – Open Source Tools 24:33 – (did we lose john?) 33:52 – Threat Emulation Warning 35:52 – Commercial Offerings 40:01 – PlumHound 45:33 – Don’t Focus On One Product 48:08 – Paying a Ransom?

 Webcast: Modern Webapp Pentesting: How to Attack a JWT | File Type: audio/mpeg | Duration: 55:48

So much information about testing webapps for security problems is old. Don’t get me wrong, the old stuff still works way more often than we’d like, but there’s more to webapp vulnerabilities than cross-site scripting and SQL injection. Take JWTs – JSON Web Tokens – for example. These are base64 encoded tokens that sometimes get written to your browser’s localStorage or sessionStorage and passed around in cookies or HTTP headers. They’re pretty common in authentication and authorization logic for web APIs. Because they’re encoded, they look like gibberish and it’s easy to skip over them during a test. For the same reason, they’re more complicated to attack. First, you have to notice them. Then you have to decode them. Then you need to interpret the decoded data inside them. THEN, you have to decide what to attack! Once you’ve done that, you still have to create your payload, make valid JSON out of it and rebuild the JWT before you can send it. It’s kind of a lot. In this Black Hills Information Security webcast – an excerpt from his upcoming 16-hour Modern Webapp Pentesting course – BB King talks about what JSON Web Tokens are, why they’re so controversial, and how to test for their major weaknesses. Then, using OWASP’s Juice Shop as a target, he shows you a straightforward method for exploiting them that you can use on your own next webapp pentest. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_WebApp_PenTesting_AttackingJWTs.pdf 0:00 – Good Morning! 1:50 – What Are JSON Web Tokens? 4:43 – Base64 Vs Base64 URL Encoding 7:58 – The Construction of a JSON Token 10:07 – Use Cases 13:03 – RFCs of Interest 13:26 – Encoded, Not Encrypted 19:58 – The Red Slide

 Webcast: IPv6: How to Securely Start Deploying | File Type: audio/mpeg | Duration: 59:13

Joff Thyer has dived into everything that is IPv6 and has so much to share about it. He gets really technical but in a way you’ll be able to understand. Google reports that over 30% of their systems access comes via the IPv6 protocol coming into 2020. Many Internet Service Providers have no remaining choice but to deploy IPv6 for simple lack of v4 address resources. The global Internet can already be thought of as balkanized into a split IPv4/IPv6 world based on historical v4 allocation. There will soon come a time when accessing IPv4 deployed resources will be considered legacy. Join Joff and the BHIS team to discuss security principles surrounding an Internet-facing IPv6 deployment. Learn about fundamentals, known security issues, and appropriate infrastructure defenses which must be implemented. Enjoy a spirited discussion on how the v4 life support mechanisms of classless interdomain routing and network address translation are not required in a v6 world. It’s past time for IPv6 to become the norm. Fear not as we can do this! Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_SecurelyDeployingIPv6.pdf 0:00 – Inaudible, But Good Looking Banter 0:18 – Here We Are Now. Educate Us 0:56 – IPv4 And After 5:45 – What’s the Address For IPv6? 7:40 – What About IPv5? 8:31 – IPv6 Allocation 9:27 – IPv6 Packets 10:28 – IPv6 Address Types 13:26 – IPv6 Address Typecasting 14:55 – IPv6 Address Assignment 16:21

 Webcast: Durable vs. Ephemeral Threat Intel | File Type: audio/mpeg | Duration: Unknown

In this Black Hills Information Security webcast, John breaks down why he hates threat intelligence… Again… But he also breaks down some of the cool new projects that are focusing on durable threat intelligence. This is key because many intel feeds are nothing more than domains, hashes, and IP addresses. However, with durable threat intel, we see attack techniques that are highly effective, yet are not as easy to block. For example, application allow listing abuse, connection profiles (RITA!), and PowerShell encoding are all examples of detects you can use that are not specific to a point-in-time attack methodology. John also shares some very cool open source projects that are approaching attacks in this way using ELK. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Durable_Ephemeral_Threat_Intel_Strand.pdf 0:00 – Be Excellent to Each Other 1:06 – Threat Intel: A Useless Rant 7:38 – Pyramid of Pain 10:55 – You Got Another String Coming 14:56 – Conversation With a Pompous John 19:10 – Hacking Ain’t Easy 22:21 – ATT&CK Bingo™ 24:33 – Emulation for Iteration 27:35 – Some Open Source Tools 32:03 – Threat Emulation Warning 36:59 – MITRE Scorecard 45:49 – A Bit of Perspective

 Webcast: A Blue Team’s Perspective on Red Team Hack Tools | File Type: audio/mpeg | Duration: 1:00:52

Kent and Jordan are back to continue their journey to make the world a better place. This time around, they will be reviewing a series of tools commonly used on pentests to identify flaws in Active Directory and general network design and implementation. You’ve probably heard of most of them, like BloodHound, ADExplorer, mimikatz…, wait, Mimikatz as a Blue Team? Yeah, it might be a bit of a stretch, but they’ll get there. Even better, with an introduction to various adversarial simulation frameworks, you can start your own journey of constant improvement. Nmap, CrackMap, BingMaps, and Domain Password Spray. (Re: BingMaps — just checking to see if you’re actually reading these, at this point, our response rate records keep getting shattered, and we just want someone to call us out – the BingMaps API is really cool though). In a world seemingly gone mad, come find some solace with these two as they share new discoveries, a tool drop from Kent (which will potentially change the BloodHound game), and more. Let’s help the world detect attacks at a higher rate! Let’s skew the Verizon DBIR’s reported numbers! Let’s get better together! Thanks, as always, and we look forward to spending time with those of you who can join us. Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_RedTeamToolsBlueTeamPerspective.pdf 0:00 – Big Fish 0:28 – Question & Enhance 2:51 – Executive Summary 3:58 – Executive Problem Statement 8:48 – Red Team Tools are Red Team Tools 13:39 – Optics(3) 16:22 – SIGMA and SIGMAC 22:13 – Red Team Tool : Responder 25:35 – Red Team Tool : CrackMapExec 29:57 – Red Team Tool : DomainPasswordSpray

 Webcast: How to Hunt for Jobs like a Hacker | File Type: audio/mpeg | Duration: 1:29:59

Job hunting? Looking for a career change? Still in college and want to know how to get started now in your career? If you answered yes to any of these questions, this might be the BHIS webcast for you. This webcast is an update to Jason’s popular recorded DerbyCon 2016 talk — How to Social Engineer Your Way Into Your Dream Job. If you don’t want to wait, you can watch that now. https://youtu.be/__lvS2pjuSg What is covered? * How to combine OSINT, marketing technology, and a hacker/social engineer mindset to job hunting * How to be a hunter of jobs… not just a seeker of jobs * How to write your resume during the job hunt * You might already have your dream job The hope of this webcast is that you’ll look at job hunting differently and apply the skills and techniques in an effective way to help you get the career of your dreams… or at least a job for now that will help you get to the career of your dreams in the next 5 years. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_HowToJobHuntLikeAHacker.pdf 0:00 – Infosec Sad Plant’s Last Day 0:30 – Pandemic Prologue 2:34 – Time to Meet the Bobs 4:20 – Be Prepared 5:50 – Climbing the Walls of Awful 8:35 – Another Crack In The Wall 9:49 – whoami? 11:58 – Pitch Perfect 12:53 – Step 1: I Mean Set Your Requirements

 Webcast: Kerberos & Attacks 101 | File Type: audio/mpeg | Duration: 1:00:41

Join the BHIS Discord discussion server: https://discord.gg/aHHh3u5 We’re really excited to have a close member of our BHIS extended family, Tim Medin from Red Siege InfoSec, here for a webcast on Kerberos & Attacks 101. Tim is the creator of Kerberoasting. Want to understand how Kerberos works? Would you like to understand modern Kerberos attacks? If so, then join Tim Medin as he walks you through how to attack Kerberos with ticket attacks and Kerberoasting. We’ll cover the basics of Kerberos authentication and then show you how the trust model can be exploited for persistence, pivoting, and privilege escalation. 0:00 – 45 Seconds of Banter 0:45 – The Creator Of Kerberoasting 1:48 – What Is Kerberos? 4:49 – How It Works 9:23 – PAC: Privilege Attribute Certificate 12:27 – Service Ticket 14:12 – SPN : Service Principal Name 16:22 – Three Long Term Keys 23:39 – I Got A Golden Ticket 24:57 – Ticket Flow 27:49 – Skeleton Key 30:42 – Kerberoasting On an Open Firewall 33:23 – Extract and Crack

 Webcast: Free Tools! How to Use Developer Tools and Javascript in Webapp Pentests | File Type: audio/mpeg | Duration: 46:02

I like webapps, don’t you? Webapps have got to be the best way to learn about security. Why? Because they’re self-contained and so very transparent. You don’t need a big ol’ lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you’re attacking your own stuff, it’s easy to stay out of trouble. You’re up and running in the time it takes for a single download. And the transparent part? Ever since “view source” in the earliest web browsers, it’s been easy to see exactly what’s going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It’s almost like there’s no such thing as a “black box” webapp pentest if you think about it… Anyhow – the Developer Tools in Firefox (and Chrome) are what happens when you take “view source” and add 25 years or so of creativity and power. We’ll look at the Developer Tools in the latest Firefox with a pentester’s eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run Javascript in the site’s origin context, and even pause script execution in the debugger if things go too fast… Maybe we’ll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser. Join the BHIS Discord channel — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_HowToDeveloperToolsWebappPentesting.pdf 0:00 – A Shady-White Slideshow with “FREE TOOLS!” On the Sign 0:38 – The Way Back Machine 11:00 – Always Be Learning 18:01 – The Path to the Developer Tools 24:37 – Console Separately From a Window 30:40 – The Network Tab 36:23 – Storage Tab 38:20 – All The Cookies

 Webcast: How to Build a Home Lab | File Type: audio/mpeg | Duration: 1:14:54

This is a joint webcast from Black Hills Information Security and Active Countermeasures. How many of us have tried some new configuration option, utility, or hardware on a production environment, only to crash a critical piece of the business? (me raising hand…) It’s amazing how quickly we learn not to do that! Now we have to decide – do we stop trying out new things because we’re scared of causing problems, or do we come up with a safe way to play and learn? We’re going to cover how to set up a Home Lab – an isolated environment where you can test new hardware, programs, and applications. By keeping this totally separate from everything else, you get free rein to play without risk to your other systems – and without risk of breaking any company policies! We’ll cover how to set this up, the equipment needed, and how to configure these. Best of all, you can use throwaway hardware to do it! Join the new Threat Hunting Community Discord discussion server: https://discord.gg/JmXpQFD Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_HowToBuildHomeLab.pdf 0:00 – You’re In Charge 2:06 – Ok. But Why? 7:18 – The Network Layout 9:43 – (John’s Spaghetti) 20:38 – Project Hardware 26:06 – Firewall 29:21 – Switch 30:53 – Wireless AP 36:49 – Sentinel 38:33 – File and Drive Image Transfer

 Webcast: Pandemic Paradigm Shift: Remote Working is the New Normal | File Type: audio/mpeg | Duration: 58:24

What does it mean to work from home across your corporate VPN? What exactly is VPN? Is your home office prepared? How can you improve and better secure your home network? Is your corporate network ready for the change in IT environment network access? Join us to explore these topics, and describe some potential actions you can take to improve your home office and network environment. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_PandemicParadigmShift.pdf 0:00 – We’re Not In Normal Anymore 2:04 – Viral Pandemic Networking (VPN) 7:34 – Home Office Runner 11:16 – What’s Your Frequency, Kenneth? 17:17 – It’s Always DNS 19:12 – Secure The Perimeter 23:34 – Game Recognizes Game 27:55 – Master of Your Domain 43:36 – Solutions, Solutions, Solutions 47:20 – Remote Workers Unite! Individually In Your Own Homes!

 Webcast: How (we) Run a Virtual Conference and How You Can, Too | File Type: audio/mpeg | Duration: 1:07:50

The team at Black Hills Information Security and Wild West Hackin’ Fest had to pivot from doing an in-person information security conference in San Diego to a 100% virtual conference with 6 days of notice. We had a little bit of experience doing a hybrid in-person/virtual conference in November 2019 (with 10 days’ notice). The response from the 400+ attendees about the virtual conference was overwhelmingly positive. We did it and you can do it, too. In this webcast, we discuss how it all happened, including how we ended our agreement with our venue. We talk about all the things we learned and what we’d do differently next time. Join the Black Hills Information Security Discord discussion server — https://discord.gg/aHHh3u5 Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_HowWeRunVirtualConference.pdf 0:00 – Trust Us, We’re Not Experts 0:40 – Suddenly Virtual 3:15 – Venue Vámonos 11:58 – What Now? 18:58 – Let’s All Go To The Lobby (and have ourselves a chat) -LobbyCon/Discord 32:24 – A Stream of Logistics 43:29 – The Calm 46:07 – The Storm 51:48 – The End Credits Scene 56:40 – Any Questions?

 Webcast: Think You’re Compromised? What Do We Do Next? | File Type: audio/mpeg | Duration: 1:02:58

In this webcast, we will cover what we can do if we think there is a breach on our network. We will cover live forensics, cool PowerShell scripts, network, and event log analysis, cool IR spreadsheets, and checklists. We will also be covering the status of our ELK project for reviewing Event ID 3 from Sysmon. So, a lot… Yep… A crazy amount. Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_ThinkYoureCompromised.pdf 00:00 – Intro 00:47 – “Ok, But Why” 02:17 – Have It The Wrong Way 04:35 – Have It The Right Way 06:58 – Lego My Incident Response 08:25 – Monologging On Mute 11:57 – Wouldn’t Be Prudent 14:29 – “Better Than Bad, It’s Good” 21:33 – A Van Full of Free Tools 44:10 – CSI: Memory 45:01 – We Got Cheat Sheets if You Want Some Cheat Sheets 47:20 – Overlapping Venn Diagrams 49:46 – Questions in the Wild 59:15 – Sucking at Capitalism
