Just over a week ago, some of our security consultants descended on the Security BSides hacker convention in Canberra. With a schedule jam-packed with the intricacies of cyber security, perhaps one of the most-anticipated parts of the convention was Operation Par00t, a competition to hack a Physical Control Network.
Participants started on Friday by connecting through a VPN, WiFi, or Ethernet, and were then left to their own hacking devices to navigate their way through the environment and compromise the network. The endgame was taking control of a remote-controlled drone; whoever was able to do that first would win one.
Our Security Consultant, Matt Bush, started Friday afternoon and stopped a short while later. On Saturday morning he got back into it using a variety of Active Directory-related hacking techniques like credential theft, insecure group policy abuse, and pass-the-hash. Some of the more recognisable tools he used were Meterpreter, Mimikatz, Empire, PowerView, the Impacket Python library, and proxychains. Matt was able to:
1. Use spear phishing with a macro-enabled malicious Word document to gain access to the internal subnets hosting the CORP Active Directory domain
2. Escalate to Domain Admin privileges in the CORP domain
3. Compromise a jump box to gain access to a secure network housing the CTRL domain
4. Escalate to Domain Admin privileges in the CTRL domain
5. Locate the drone control server and compromise it
6. Take control of the drone, ultimately winning the competition.
It took Matt only 6 hours to reach his goal. Finding a severe misconfiguration in Group Policy early on saved him hours of work, something none of the other contestants were able to do. Matt achieved the goal several thousand points ahead of the other contestants (which included hacking teams of up to four people) and was awarded first place.
Although this was a controlled scenario, each day people with the same skills as Matt try to compromise networks in the real world. Unfortunately, unlike Matt, they aren’t the good guys.
Matt is one of our several OSCP (Offensive Security Certified Professional) accredited staff who make up our security hacking team. Businesses engage our good guys to test the defences of their networks through red teaming, penetration testing and social engineering attacks. These services test your security stack, security team and the security awareness of your employees, discovering whether you’re ready for when the bad guys do come hacking.
Remember, as Cisco CEO John Chambers famously said, “There are two types of companies, those that have been hacked and those who don’t know they have been hacked.”