BHIS Webcast: Weaponizing Corporate Intel. This Time, It's Personal!

Update: 2019-05-01

Description

Download slides: https://www.activecountermeasures.com/presentations/
2:05 Overview, Beginning guidelines for an attack, outside user access, owned domains, netblocks, and subdomains
11:49 Cloud services as a point of attack, Google services, Box.com, and Amazon AWS
21:02 What to do after gathering info on external attack structure, Active Portal Discovery, using EyeWitness, and Find-Fruit PowerShell w/demo
27:18 Figuring out what info you can use from the internal network, utilizing small bits of info to facilitate your attack, PowerMeta, and potential problems trying to gain access to internal databases
35:51 Using FireProx as a solution, what it is and how it works w/demo
45:03 Social Trust Attacks, breaching servers with personal employee info, using breached data and personal email passwords, detailing the flow of attack tactics used in this video, phishing attacks on employees
57:05 Closing thoughts and resources

Presented by BHIS Testers: Beau Bullock, Mike Felch, and John Strand

Strategically targeting a corporation requires deep knowledge of its technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Oftentimes, testers resort to using only publicly available tools, which can overlook critical assets.

In this one-hour BHIS webcast, we begin by examining some commonly overlooked methods to discover external resources. Next, we show how to discover employees of a target organization and quickly locate their social media accounts. Finally, we strategically identify and weaponize personal information about the employees to target the organization directly using new attack techniques.

Viewers will learn an external defense evasion method, a new process to gain credentialed access, and get a demo on a newly released tool — FireProx!

While the approach is designed to assist offensive security professionals, the webcast is informative for technical and non-technical audiences, demonstrating the importance of security awareness for everyone.
Black Hills Information Security