Every year there are presentations at DefCon that make you want to move you to a remote mountain cabin and disconnect from all forms of electronics. This year was no different.

Below I will detail five presentations that I personally attended and qualify for scariness. Several will have whitepapers released this week and we will update with links as they are released.

An ACE Up the Sleeve: Designing Active Directory DACL Backdoors https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Robbins

This presentation showed how DACL manipulation can assist in persistence by hiding the unintentional, or adversary added administrative rights that a user may have. Usually found in nested rights granting, the presenter was able to show normal queries alerting an assessor to administrative rights that should be removed. However, using purposeful DACL misconfiguration, those queries were disabled, while the administrative rights persisted.

This causes a serious problem when an adversary gains credentials that might not be apparent to have AD administrative rights, but does. Now finding those privileged accounts and cleaning them up will be difficult, if not impossible. Using this, an adversary could gain administrative privileges through an account and go undetected for quite some time. Even the most common PAM (Privileged Access Management) system could be rendered useless in defense, if the attacker implements this technique correctly.

Get-$pwnd: Attacking Battle-Hardened Windows Server https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Holmes

A Microsoft engineer that participated in designing PowerShell presented on how even hardened Windows Servers can be exploited. Specifically, systems thought to be hardened with configurations such as whitelisted commands and JEA (Just Enough Administration) may still be vulnerable. When the presentation was finished, the demonstration showed that commands that were thought to be restricted and not available on a system could still be executed, including administrative functions that would give attackers significant power.

WSUSpendu: How to Hang WSUS Clients
https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Coltel

Many organizations believe that Air-Gapped networks are the answer. Pulling an entire network, with the most sensitive data, off the internet and creating your own intranet will protect you. The presenters offered a way to compromise a Windows Server Update Services (WSUS) in order to compromise the off-line network for, at the very least, major down time, possibly data loss.

First, the presenter showed how to convince the WSUS that a malware package was a valid Windows Update that was then pushed out to connected clients. Next, the presenters uploaded a second package, not divulging what was in it, in order to show that an air-gapped network that gets its windows update from the master WSUS server on the connected environment can be compromised the same way. The theory is that a CD or USB drive will be created from the online server and “sneaker-net” over to the air-gapped network.

When it was completed, he revealed that it was Ransomware that would have infected THE ENTIRE air-gapped network, encrypted every windows server and caused an outage while restores from backup are completed. Definitely scary!

‘Ghost Telephonist’ Impersonates You Through LTE CSFB https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Yuwei-Zheng-UnicornTeam-Ghost-Telephonist.pdf

This presentation was an even easier way to compromise an LTE phone than what previously was thought to require some heavy lifting of creating a fake tower and forcing the phone down from LTE. The presentation was based on a finding that there is an authentication step missing from towers when a cell phone drops out of LTE. Now, if you create a device that tells the tower that it is a phone that is in CSFB (Circuit Switched Fallback), the tower will assume it is the other phone and not ask for proof.

At that point, the attacker can intercept calls and SMS texts. As a demonstration, the presenter showed a phone used as an SMS 2FA (two factor authentication) for Gmail being compromised and the Gmail account being taken over, changing the password successfully, while the true phone showed no activity.

Google Authenticator/Okta/Duo anyone? https://en.wikipedia.org/wiki/Software_token

The Black Art of Wireless Post Exploitation
https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Ryan

This presentation really had lots of goodies and a history of how wireless security has evolved. The part of the presentation that stuck out was when he was trying impress upon the audience that EAP-TLS wireless was worth it even with the painful administration. What the presenter explained is that a wireless NAC port-based access control is thought to contain any issues, so that “bad” systems may connect, but will have no access to the rest of the network. While connected in quarantine, they can be scanned, queried and resolved or rejected. This assumes that the unwanted system is foreign to the network. The technique presented showed that even a separate “sensitive” network that has a different connection method can be compromised via a carefully crafted “evil twin” attack. Once a legitimate system is connected to the evil-twin, a payload can be installed and then the system can be returned to the corporate wireless, now compromised. If done correctly, the NAC will not find the compromise and now the attacker can leverage the system to pivot throughout the internal network.

There were many more presentations with highly impactful vulnerabilities and attacks, these were the top four ones that I personally attended. Stay tuned for added links to the whitepapers associated to these presentations. Be careful out there!

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.