Coercions and Relays: The First Cred is the Deepest

This webcast was originally published on September 16, 2022.

In this video, Gabriel Prud’homme discusses various techniques for NTLM relay attacks and their mitigation, covering the theory, demonstrations, and practical applications. He explains the weaknesses in network protocols and services such as LLMNR, SMB, and HTTP, and shows how these can be exploited using tools like Responder and ntlmrelayx. Prud’homme also covers defense strategies, emphasizing the importance of proper configuration and patching to prevent such attacks.

  • The webinar discusses practical techniques for exploiting vulnerabilities in network protocols and services using various demos.
  • It emphasizes the importance of blue teams implementing robust security measures to mitigate such vulnerabilities.
  • The webinar is designed to be educational for both beginner and intermediate levels, aiming to increase awareness and understanding of network security risks and defenses.

Transcript

Gabriel Prud’homme

So, bonjour. Coercions and Relays – The First Cred is the Deepest. So who am I? My name is Gabriel Prud’homme. I am a pentester at Black Hills, fortunate enough to work for this company.

And I’ve got a few certs. The agenda for today: we’re going to see why make this talk. We’re going to talk a little bit about the theory of NTLM relay and methods of coercion, and we’re going to see which protocol can be relayed where.

Then we’re going to touch on why does this work and how it works. This talk is based on many demos, and at the end, if time permits, we’re going to have questions.

So why this talk? First and foremost, it is fun. It’s a topic close to my heart. I used to work in a company where we ship until knock, and just drop on the network without any creds.

So this was my bread and butter. As far as I know, it’s not taught in certifications. It’s relatively easy to pull off and it’s highly effective. It’s applicable in real life.

I mean, it basically works if the blue team hasn’t done any mitigation for it. And at the same time, we want to bring awareness to the blue teams. This talk is more geared towards beginner to intermediate.

But if you’re experienced, I hope that you learn a thing or two. And if you notice any error, I’m sure I’m going to misspeak on some subject and make errors here and there.

So, if you notice something is not accurate or if there’s a better way to do it, please reach out. We’ll all be better off at the end of the day. So here is a demo of all the, sorry.

A list of all the demos that we’re going to do today. There’s 19 in total. Like Jason said, there’s gonna be a ten minute pause in between the two parts. And those links are clickable.

So if you refer to it after, it will be easier to find the technique that you’re looking for. And for each technique, there’s all the instructions, basically the recipe and also the cleanup procedure.

So why does this work? Actually, this is Microsoft on-prem Active Directory for the most part, and it just comes because Microsoft needs to make Active Directory work.

So it’s very open. They need to support legacy. So the topics that we’re going to touch there are LLMNR and NBT-NS, mDNS. Those are name resolutions complementary to DNS.

And we can abuse and poison that. WPAD is the automatic proxy detection. I’m going to abuse that as well. LDAPS is not enabled or required.

And Windows has a preference for IPv6. SMB signing is not enabled except for the DCs and ADCS.

HTTP endpoints don’t come with HTTPS by default and the Print Spooler service is enabled by default. The WebDAV client is present on workstations, although it is not started.

And there’s an LDAP attribute for the domain called ms-DS-MachineAccountQuota; by default this is set to ten. That means any low priv user can create fake machine accounts, and those fake machine accounts are as good as any low priv credential.

And any low privileged user can query the Active Directory: they can query the usernames, the machines. They can do attacks such as BloodHound, Kerberos and ADCS.

So now we’re going to talk about coercion. And the first option is what we call poisoning the network, the classic, the one that pretty much everyone knows, is LLMNR and NBT-NS.

You can poison that with tools such as Responder for Linux and Inveigh for Windows. There’s a new kid around the block. It’s called Pretender, written in Go, cross platform.

I haven’t had the chance to try it. You can also poison DHCP offers and inject malicious WPAD or DNS. Laurent Gaffié, who is the author of Responder, created a good blog about it right here.

We can also do rogue DHCPv6 with mitm6 and Inveigh. This tool is from Dirk-jan, and there’s also another old school method called ARP poisoning.

With this method you have to be careful because it’s a little bit more risky. You could crash the network essentially. So if we do that, it’s better to target only one host at a time.

The second option to coerce is what we call coercion on demand, because we can generate immediate hash requests from the host that we’re trying to compromise.

Usually those methods use RPC calls. And the first time this came to my attention it was exploiting what we call the printer bug exploit by Lee Christensen.

And it basically asks a remote host: hey, do you have something in your print spooler? Do you have a print to file or something like that? And we receive a machine hash in return.

A year and a half ago, I believe, there was another big one by Lionel Gilles called PetitPotam. And this changed everything because at the time that it came out, you could coerce a domain controller without any authentication.

So when you mix that with other techniques it becomes very devastating. So like I said, it was patched. After that, Microsoft broke the patch and now they patched it again.

But just know that it’s still doable with a low privilege account. Most recently there was another one called DFSCoerce. And that one was for DCs only, I believe.

And the thing is, even if Microsoft tries to patch it, or if you implement RPC on your firewall, the authors always come with new RPC calls.

This is kind of a cat and mouse game like most things are in infosec. Previously there was also something similar, in PrivExchange by Dirk-jan for the Exchange server. Recently, the guys at SpecterOps came up with a way to coerce SCCM and we’re going to see that later in the demo.

Finally, there’s a tool called Coercer by p0dalirius which combines all of them together. It’s an all in one tool. Those slides were provided by a guy named Shutdown.

He graciously accepted for me to use his slides. So if you’re not aware of this website, The Hacker Recipes, I highly recommend it.

It’s everything related to exploiting Active Directory, let’s say ADCS, whatever you want. There’s all the commands there and good explanations. I highly recommend that.

And so what we can see in this diagram is here we have the protocol and the client side mitigation, and then where to relay the protocol depending on the server and the mitigation on the server side.

And so for example here we can see, or we cannot relay if SMB or LDAP signing is required. If this is one thing that interests you, I also highly encourage you to go to hackndo.

It’s another website by Pixis and it really goes in depth about all the details and it’s very, very detailed. And it’s kind of a university paper style explanation.

This slide is also from Shutdown. And this is basically a roadmap of what we’re going to discuss in this podcast. We have the method of coercion here and then we have the incoming SMB or HTTP here, the mitigation on the client side, the server side here is where we are going, and these are the post relay attacks, so we’re going to cover almost all of them.

And if you have one thing to remember about this slide, it is that the SMB incoming hashes are less powerful than the HTTP ones because HTTP can go pretty much everywhere.

But SMB can only do that. It cannot go to LDAP unless it’s vulnerable to an older exploit called Drop the MIC. If you are from the blue team, I want to attract your attention to all those cuts here.

This is basically what you have to implement to make sure that what we’re going to see is not possible in your environment. This is the last slide before the fun commences. I made a list of the recon tools that we use to know what mitigations are in place in the environment and the language associated.

No further ado. We’re going to talk about the demos. There are 19 demos. So we’re going to start slowly with the basics and we’re going to slowly ramp up to more complex stuff and we’re going to introduce new concepts along the way.

So here we’re going to coerce the domain with LLMNR and we’re going to get SMB NTLMv2 hashes.

So what can we do with that? There’s two options. The first option is to crack it to a cleartext password. And here is the list of the modes that hashcat can operate to crack the password.

Most likely what you’re going to see is Net-NTLMv1 and Net-NTLMv2. And for the second demo we’re going to talk about relaying it instead of cracking it.

So here on the left we’re going to run the tool Responder with the basics, no flag, no nothing. The first portion is the poisoner section.

And then you have the listener section after that. In the bottom we have other information such as our IP address. On the left I’m going to emulate someone trying to reach a server that doesn’t exist.

And we receive the hash from the user low, a low priv user. If you look in the logs folder we have the captured hash in a file and it looks like that.

So we’re going to take that hash and we’re going to crack it with hashcat. You could use other tools such as John, but hashcat is the tool I prefer.

And then we can leverage the power of GPUs and those really fast billions of attempts per second. This is a deep topic where you can also have rules and special wordlists and things like that.

But let’s keep it simple for this demo. We crack it and we have the password in cleartext. So that’s ideally what you want to do.

If it doesn’t crack, then we can relay it. And we introduce ntlmrelayx, which is a very good tool to relay those hashes.

When you relay it to a target, if the context that you’re relaying is elevated, then we can obtain remote code execution on that target.

So we’re going to do the same thing here. Simulate someone trying to reach a resource that doesn’t exist. And we can see that this time the user gives us a clue, because the user is workstation admin.

So the first thing we’re going to run is CrackMapExec and identify hosts where SMB signing is disabled. With the --gen-relay-list flag; the domain controllers always have signing enabled.

So we have two hosts where signing is false, IP 200 and 205. Now we’re going to change the configuration of Responder and we’re going to disable it from listening on SMB.

And HTTP. The reason why we do that is because we want ntlmrelayx to be able to capture those incoming hashes and not Responder.

We’re going to use Responder only for the poisoning section and we put -smb2support; it is very important on modern OS.

Here you have the options for ntlmrelayx: -t for an IP, -tf for a target file, interactive to jump in an interactive shell for SMB and LDAP.

There’s a lot of options; we’re going to cover a lot of them, but there’s so much stuff in there. SOCKS is one thing we’re going to see as well. And then you can do cross protocol like RPC, MSSQL, HTTP and LDAP.

And there’s other attacks like ADCS and shadow credentials. We’re going to see that as well. So target file, the file that we generated, restart Responder.

And we’re going to simulate again someone who’s looking for a resource that has been decommissioned. For example, we saw that we received the incoming hash of workstation admin.

The first one failed. The reason is that you cannot relay to yourself. The 200 is the same machine. This has been patched a long time ago, but the second one was successful. And by default if you target somewhere on SMB where you have elevated privilege, it will dump the SAM.

And these are the hashes for the local admin accounts. So we have the administrator NTLM hash, and now we’re trying to get an interactive shell on that host using, I think, wmiexec.

So this again, it’s not a domain account, it’s a local account. That’s why here we have the desktop instead of the name of the domain, and we have an interactive shell.

We compromised those. For the third demo we’re going to talk about DHCPv6 poisoning. We’re going to have a rogue DHCPv6 server and we’re going to inject malicious WPAD, and this way we will receive an incoming hash.

So mitm6 with the name of the domain, and then ntlmrelayx -6; we forward it to LDAP and we have a rogue WPAD server. It could be anything because we’re going to poison it anyway.

It usually takes time for the network card to refresh, but here I’m just going to force it, and sometimes it’s instant, sometimes it takes time, it depends.

For example, we saw here we poisoned the Server 2019, but the desktop came after. We saw that we inject and we have a request for the PAC file on the attacker WPAD.

And what happened is we forwarded to LDAP and we dumped information about the domain. There’s more interesting stuff that we can do, but for now we just dump the information about the domain and it will give us information such as usernames, machine accounts, policies, groups, et cetera.

So we have a better idea of which incoming hash might be elevated on certain servers.

So it dumps it in many formats. Let’s just open it. And this is the kind of information that we have.

For the fourth demo, we’re going to do something similar, except we’re going to simply inject the WPAD in the normal DHCP, not the IPv6.

And instead of just dumping the domain, we’re going to create a fake machine account. So we are forwarding it to LDAP on the DC and we add the flag --add-computer and the rogue WPAD again, Responder with the DHCP option, we set the network card.

We have the DHCP request requesting the PAC file. And we see here we created the new fake machine account and it gives us the password.

So basically we control this object. Now we’re going to authenticate with this object and we’re going to query the DC.

What we’re going to do, we’re going to authenticate to the domain with this fake machine account. And we’re going to do the Kerberos request, and fake machine accounts are actually like all machine accounts.

They have a dollar sign at the end. That’s how we can recognize them. We can see that we are authenticated as any low priv user.

Here you have the cleanup instructions if you want to remove this fake machine account, but you need domain administrator and -delete.

For the fifth demo, let’s say we are in a situation where there are no HTTP requests and we cannot crack the Net-NTLMv2 hash. We are not local admin anywhere.

So we will identify hosts where SMB signing is disabled. We’re going to use -socks and it’s going to keep the connection open always, so that we can run tools through the SOCKS as much as we want and not lose the connection.

Because sometimes the connection might only happen one time during the night when it runs a certain script or something. And then we’re going to use this opportunity to run the script lookupsid and we’re going to dump the domain users and the local users.

So at least we will have something here. We change the Responder config, make sure SMB and HTTP are disabled like we did before.

So we run Responder here, we identify the OS where SMB signing is disabled. I’m going to fast forward that because we already saw how to do that.

So here we do ntlmrelayx with the option -socks, simulate the request.

And we have established a SOCKS proxy. And just to be clear, this SOCKS proxy is not a SOCKS proxy you would do on a C2 or something like that.

It’s a SOCKS proxy only for ntlmrelayx and it’s only for this specific host with this specific context, with this specific protocol.

So if we issue the command socks, we see that we have one on IP 200 as low on protocol SMB.

We edit our proxychains configuration. By default it uses port 1080, either on SOCKS4 or SOCKS5.

And we proxychain our lookupsid with the flag -domain-sids and we dump the domain machine accounts, groups and usernames.

So at least we have something, like we can do password spray or something like that. After, you can also dump the local admins just by removing the local user.

Okay, for the next technique, this is a pretty bad one, and the consequences are very bad. There’s a domain setting called LAN Manager authentication level.

I think there are six levels and if it’s lower than level three, I believe, what will happen is that you will receive a Net-NTLMv1 hash.

This is pretty bad because if you coerce a domain controller with the printer bug or PetitPotam and it gives you a Net-NTLMv1 hash, it can be cracked or downgraded to a regular NTLM hash, and a regular NTLM hash can be used in a pass the hash attack.

And so we can do a DCSync attack. What a DCSync attack is, is basically pulling all the hashes of the domain. Basically it’s a domain controller replication.

And after that we hold the keys of the domain. So the first thing we need to do is change again the Responder configuration.

The challenge, we’re going to put 1122334455667788. The reason is that it’s easier to crack.

And then we run Responder. We notice our IP there; PetitPotam, this is our IP and this is the IP of the domain controller.

And it did not work. The reason it did not work is because it’s patched. So we need to provide a low privilege user or any authentication.

It could be our fake machine account that we created earlier, and we see that we receive Net-NTLMv1.

Now when you do that, usually you might want to run the --lm or the --disable-ess flag. I thought ESS was not able to be cracked, but it cracked that time.

I’m not 100% sure why. So we see that we have our hash here and then there is this website called crack.sh that will crack that for you in a minute or two.

It uses FPGAs and rainbow tables. I believe before you had to pay for the ESS, but this time it cracked it for me for free.

So I’m not too sure about what’s going on with that. You can also crack it on your own, with your own GPU rig. I think it will take around 30 days if I’m not mistaken.

So we put the hash in this format and I’m going to put an email. I’m going to fast forward a little bit.

We receive the results here and it basically gives us the NTLM.

Now we’re going to use this NTLM and proceed with the domain controller replication, the DCSync attack. We can target the same host because it’s the password.

And we put the dash flag, make sure to put a semicolon in front, and we DCSync the entire domain.

We hold all the keys of the domain. I’m going to take the hash for the domain administrator. Now we’re going to get an interactive shell as the domain administrator on the domain controller, and for that we’re going to use wmiexec.

By the way, I never tried to be stealthy in this demo. It’s just to demonstrate the impact. So bada bing, bada boom, we are on DC1.

The next attack came to me only recently by the guys at Praetorian. And the way I understand it is if you have an old installation of Exchange, it’s overprivileged, and I’m not sure if it comes by default or if it’s in the default documentation.

But what happens is there is this Exchange Trusted Subsystem group which the Exchange servers are members of. But this group is also admin on every Exchange machine account.

So what happens is if you PetitPotam one of the Exchange servers then you can relay it to the other Exchange and dump the SAM or whatever you want. To identify that, we have a BloodHound dump that allows us to see the permission relationship visually.

And we see we have Exchange01 admin to Exchange02. Another way is to run this Cypher query and then we really see the relationship between the two objects.

What we’re going to do, we’re going to check if SMB signing is disabled on the Exchange servers.

Now we’re going to use PetitPotam, using low privilege credentials, on the first Exchange and we receive the machine hash; we see the dollar sign for Exchange01.

Now we’re going to relay it to Exchange02, and by default ntlmrelayx uses the SMB protocol, and we have a succeeded authentication and we dump the SAM hashes.

We’re going to use psexec and we’re going to use the local administrator to get an interactive shell on the host, and we are SYSTEM.

So the next demo is a little bit different and it helped me in cases in the past where I couldn’t find anything else.

So this technique is called LDAP passback attack on printers; it came to my attention by the gentleman at TrustedSec called Percx.

Basically what we do, we identify a printer that uses a default password. We authenticate to it, or maybe there’s a bypass that we can do.

Once we are logged in to the printer we locate the LDAP option and then we change the domain controller IP for our IP. And sometimes it’s possible to even lower, downgrade the authentication type, and we find a way to provoke the authentication, or if it’s not possible we wait, and then we receive and capture the authentication with Responder, or we can even relay with ntlmrelayx.

At this point everything is a good option. I’ve seen situations in the past also where the printer will not spit its hash unless it’s bound to a real domain controller.

In this case we can use socat and port forward to the real domain controller and intercept the hash with tcpdump or Wireshark.

Here’s what it looks like. I particularly like the Ricoh model because they really have everything that we need. Here was the IP of the real domain controller.

I changed it for my IP. The port number sometimes it’s 389, but depending on the network segmentation you might want to change it.

The authentication here, there was a dropdown box from Net-NTLMv2 to cleartext authentication. Yes please. Thank you. And there’s a convenient test button here, and here in our box we run netcat and in this case we receive the hash in cleartext.

Just one thing to keep in mind is sometimes there’s a little bit of garbage in front and in the back. So you just need to be aware of that.

This is also an interesting attack. Sometimes low privilege users have access to MSSQL servers. If they are misconfigured so they can log in to the MSSQL server, they might not be elevated but it’s enough to run queries.

And there’s interesting SQL queries that we can run, for example the xp_dirtree, where we can coerce the server to authenticate back to us, and then we can do all the things that we talked about so far, like relaying the incoming hash to other SQL servers or any host, and do cross protocol as well.

We’re going to do that one from Windows. There is this interesting project called PowerUpSQL. I think it’s from NetSPI.

So we import the project, Get-SQLInstance. We see we have two servers, SQL2019 and SQL02.

Then we use the instance domain. This was wrongly pasted, but we copy the SQL instance and we pipe it into Get-SQLServerInfo and it gives us more information.

So for example we can see in which context the service is running. As we can see, this is using a local service. We can see that we are currently logged in as our user low and we are not sysadmin on that box.

Well, not so interesting. The 02: we can see that the service account is running as a domain service SQL account. So that’s more interesting for us.

We are logged in as our low and we are not sysadmin on that box as well. So what we’re going to do, we’re going to use a tool called id similar to MSSQL Studio.

We’re going to connect to that box using Windows credentials.

And then once we are on that box we are going to run this xp_dirtree command with backslash backslash. The UNC is our IP; we run our trusty Responder and we receive the hash of the service SQL domain account.

So now what we’re going to do, we could crack it but we can also relay it. During the time that I was making this demo I noticed using the fully qualified domain name didn’t work well.

I’m not sure why. So here I’m just taking the IP and we’re putting it in ntlmrelayx. We’re targeting protocol MSSQL on the first SQL domain and we’re going to run this -q.

It’s a query where we say: are we a member of the sysadmin? Because we want to know if we are elevated in the SQL server, and we can see that the relay authentication was successful.

And for our SQL query we have a return of one, meaning we are sysadmin in the SQL context on the other server.

Now what we’re going to do, we’re going to come back again with our -socks because we want to keep the connection open, so we can use other tools with only one -socks. Provoke the authentication again.

And this time it did not work. The reason it did not work, and I leave it in the demo, is because I find it’s important to point out that if you forget this flag, it might not work.

And the flag that we’re missing is -smb2support.

And now we have the SOCKS successfully established.

So now we’re going to use another Impacket module called mssqlclient. First we make sure our SOCKS proxy is well configured on 1080, and it is, so mssqlclient -windows-auth -no-pass.

We look at the commands; we can see that we can enable xp_cmdshell. We are elevated in the SQL server and after that we can run commands.

So xp_cmdshell and we can run commands.

So we essentially passed from a low priv and we compromised the SQL server. The next demo, the 10th one, is SCCM client push installation.

This came to my attention by the guys at SpecterOps, Chris Thompson. And it’s very powerful, where any low priv user can request authentication from the SCCM service.

And the condition is the configuration: it has to be enabled automatic site-wide push installation and allow connections to fall back to NTLM.

So the tool that they released is called SharpSCCM. This is a short demo.

The first command is we need to identify the three letter code of the SCCM server. In this case it’s roo.

And then we run it with invoke client-push to IP. It takes about 10 seconds and we will receive the hash.

What’s interesting is we received two hashes. The first hash is the service account and this hash has to be elevated, because for SCCM to do its job it needs to be elevated.

But the second hash is the SCCM machine account. So that’s a nice bonus. The next slide is the last slide for the first portion of this webcast.

This talks about files that you can put on SMB shares. Sometimes low priv users have write access to SMB shares, and anyone else who visits this SMB share will be coerced to authenticate to us.

So here’s a few extensions that I tested, and the guys at MDSec wrote this really good blog about it and they also released a tool called Farmer.

It helps you to generate those files. It helps you to inject malicious UNC path requests in Office documents.

And there’s also a listener similar to Responder or Inveigh where you can capture the incoming hash. One thing that was also new to me when I read this blog is that NinjaParanoid released that on Twitter: if you have a host based firewall and you’re not able to listen because you don’t have the permission, there is this URI on port 80 that you could use.

So that was new to me. So now for the demo we’re going to use a tool called smbmap to identify the potential SMB servers.

So the file that we’re going to upload looks like that, and the icon reference points to us on our IP.

So now we’re going to sweep our subnet to see which SMB shares we have access to.

This tool might not be the best, by the way, because if you have write access it will write a file. But if you don’t have the delete option, it doesn’t let you delete. So just keep that in mind, and we can see that we have write access on this share, Employee file. Now, just to check if it’s a good place to upload our malicious file, we’re going to browse and see what’s in there.

It looks like your typical business folders. So we’re going to inject our malicious file right there.

First we start our friend Responder. We upload our file and we immediately receive a hash.

The reason is because someone was already in there, but this is completely transparent to the user. They have no idea this just happened on this host.

We’re going to simulate what happens when someone browses the file. We immediately received the hash, and we are already at the break. It’s a ten minute break.

Go grab a drink, grab a snack, do whatever you have to do. We’ll come back in ten minutes.

All right, so let’s continue. Now that we put the kids in bed, let’s do the fun stuff. And this is one of my favorites. It’s called WebDAV.

What is WebDAV? WebDAV is halfway between a file server and an HTTP server. So why is it so fun? It’s because it will give us HTTP hashes.

This is what the UNC path looks like: backslash backslash, the NetBIOS name of the machine, at, and this could be any port, and then directory and file.

So one thing about WebDAV is that the WebDAV client, the service that is responsible for that is WebClient, and it’s present by default on workstations, although it is not started.

But there are ways to start it; even though we cannot just pop the service and start it ourselves, there’s a way to coerce it. Unfortunately, this service is not present by default on server OS.

It doesn’t mean it could not be installed, but by default it’s not there. Like I said, it produces HTTP hashes. Then we can relay it to LDAP and have a lot of fun. It can be any port.

There are a few prerequisites. First, like I said, it needs to be the NetBIOS name, and it must be in the local intranet, or at least it should be.

So how can we do that? We either need to create a DNS record, maybe we already have a DNS record for the machine we want to receive, or we can poison.

But this is only good for our subnet where we have visibility. One thing that my buddy Snowscan brought to my attention lately is that it’s possible to create a DNS A record that will point to an external IP.

Often we will have network segmentation where we cannot receive the incoming hash. But with this technique and this tool called dnstool made by Dirk-jan, once again, thank you Dirk-jan for that,

we can see that we add and we put an external IP on the public Internet, and then we wait a little bit that it replicates, and we can ping it and it will assume that it’s in the intranet.

And then if we force the WebDAV query we can see that we received the hash over port 80 on the public Internet.

So that’s pretty cool. As far as the cleanup, basically the same tool, and -a for action, ldapdelete, and we can see that it deletes off the LDAP server.

So now this one is a little bit hard to explain. I wish I had made a diagram for it, but I'm just going to explain it as we go.

Basically what we're going to do, we're going to coerce a domain controller with PetitPotam, receive the hash (I should say an unpatched domain controller), put it in a SOCKS proxy, and we're going to use the SOCKS proxy towards targets that don't have SMB signing enabled.

Then we're going to run the WebDAV client scanner to see if the WebDAV client is present and started on those hosts.

Then we're going to coerce those hosts' WebDAV client to authenticate back to us, and we're going to get the machine account hash. Now with the machine account hash, we're going to authenticate, we're going to relay it to LDAP, and we're going to change its own machine account attribute called msDS-AllowedToActOnBehalfOfOtherIdentity.

I should have said just before that we're going to create a fake machine account. We're going to put that fake machine account in this LDAP attribute, and then at the end, to close the deal, we're going to request a certificate in the name of the domain administrator on this specific machine.

So it's a mouthful. It's spaghetti. So the first thing that we do, we run Responder, we see that it's not patched, and we receive the hash.

But just for clarification, we could totally use a low-privilege user for that part. So even if the DC was patched, it would work.

So what we're going to do here, I'm running RunFinger. It's a tool that comes in the Responder toolset, similar to what we did earlier with CrackMapExec to identify the hosts with signing false.

It is faster. And just one note on that tool: you can also query remote hosts to know when they were last booted.

It might give you a clue on whether they are patched or not. I think it might not work on all OSes, but it works on several.

We use this to scan hosts where SMB signing is disabled. We have our list.

Next we're going to use ntlmrelayx with a target file, SMB to SOCKS. We're going to output the file and we say no HTTP server.

That's important because we don't want to hold the port; we want to use it for the next step of the attack. We're going to coerce the DC with PetitPotam.

Now we see that we have our SOCKS proxy established on the two targeted hosts in the name of the domain controller.

Once again, this step is optional, but I just find it cool that we can loop all those attacks together. Here what we're going to do, we're going to do a bash loop over those two hosts.

We're going to proxychain through that proxy and we're going to use the WebDAV scanner in the name of the domain controller at those two hosts to see if the WebDAV client is present.

Basically this is a WebDAV scanner. It's made by our friend pixis, and we can see that it's running on those two hosts.

So now that we know that, we're going to run another instance of ntlmrelayx. But this time we're going to forward it to LDAPS and we're going to do the delegate access.

What it will do, it will create the fake machine account, and we are coming as the machine account of the two hashed targets.

Like I said earlier, it will put this fake machine account in msDS-AllowedToActOnBehalfOfOtherIdentity. This essentially is creating a resource-based constrained delegation, and it's not working because raw server was enabled and it's not present in this older version of impacket yet.

By the way, I always prefer to use an older version of impacket to do that.

So I also run Responder. The reason is that I'm going to coerce the WebDAV service and I don't necessarily have a DNS entry, so it will just search for anything.

I will poison it and it will come back to ntlmrelayx. Responder is complaining that it cannot listen on 80 and 445.

That's normal. We are using those ports with our two ntlmrelayx sessions. Here in this bottom console I'm using the printer bug.

It is similar, in the context of the domain controller, at all the targets, and we are doing a bash loop again.

And like I said, we are targeting anything. It will be poisoned. It will come back here on port 80, and we can see that we receive the authentication here as the two machine accounts, the Server 2019 and the workstation.

So first it creates the fake machine account, gives us the password so we control this object, and then it puts it in msDS-AllowedToActOnBehalfOfOtherIdentity, and it does that for the two targets.

And then it says this fake machine account can impersonate users on the target. So the user that we're going to impersonate, since we can choose, we're going to choose a domain admin, but we need to make sure it's active.

So in this case, for the sake of simplicity, I'm just going to use the default domain administrator, and then we use this impacket module again, getST (get service ticket), where we're going to connect to the SPN CIFS for the target SRV2019 as the fake machine account.

And we're going to impersonate the administrator, and this will give us a Kerberos ticket using the S4U2proxy extension.

We export the Kerberos ticket in our Linux environment variable, and then we run secretsdump on the host and we dump the SAM and the LSA secrets.

So basically we could use those hashes and compromise the host. So that's that; that was on the remote host WebDAV service. But if we could do remote host, why can't we do localhost and use that for privilege escalation?

In this next demo we're going to basically do the same thing, except we're going to coerce the host from the inside so that we can do local privilege escalation.

And this time we're going to do it remotely from a DigitalOcean box, and we're going to establish two SSH connections. First we're going to establish a reverse SOCKS proxy, and second we're going to do a port forward on port 8080.

So I'm just going to run the demo and we'll talk through it. So on the left we have our DigitalOcean console.

First we're going to establish the reverse SOCKS with -R 1080. If you notice, I also put the SSH server on port 80.

Sometimes port 22 might be blocked outbound.

The second SSH connection we're going to do, we're going to do the port forward listening on localhost 8080, and we forward it to localhost 8080 on the DigitalOcean box.

After that we set up our SOCKS proxy, make sure it's at 1080. And it is.

For this attack, we need to have a JPEG file. It could be any JPEG file, because we're going to serve it to the Windows host.

So, ntlmrelayx, we forward it to LDAPS on the DC. We'll change our HTTP port to 8080 and then we use the serve image option with our JPEG file.

Once again, we do the delegate access, so it will create a fake machine account and put it in msDS-AllowedToActOnBehalfOfOtherIdentity again to create the resource-based constrained delegation. Here, we're going to change our profile image and it's going to force the machine account to connect to the WebDAV UNC path.

At first we receive the hash from the low-privilege account, but as soon as we serve the wallpaper, we will see, we will receive the machine account hash right here, Windows 10, active.

So the authentication succeeded. We created the fake machine account. We do the resource-based constrained delegation.

So now we only have to do the S4U part and request the Kerberos ticket. Same thing as before.

So we have this Kerberos ticket for administrator. We're going to put it in our environment variable and we're going to finish it with psexec on the box to get the interactive shell.

Jason Blanchard

Hey, Gabriel. Yeah. I had a quick question. Any specific reason you're using Kali 2019 with an older impacket version? Why is the older impacket version better?

Gabriel Prud’homme

Yeah, because I found when doing that it did not work well for this type of attack. It might be something I'm not doing right.

I know the newer versions of impacket have something called multi-relay, and I think it breaks it. For a while I thought they fixed it, but for me it just worked best with the old version. It depends what type of attack.

But for those resource-based constrained delegation attacks, I always prefer to use the one you can find on impacket, it's zero two four. All right, so at the end we got our reverse shell.

Not a reverse shell, an interactive shell, I should say. And we compromised the host. We are SYSTEM on the box. We established local privilege escalation.

So as far as cleanup, if you want to clean up the msDS-AllowedToAct, blah blah blah blah, you can use this tool, rbcd.py, as the machine account.

No need to be DA. And action flush. And that's it. So the next slide, it's a similar attack, except it's called shadow credentials.

It uses a thing called ADCS, Active Directory Certificate Services. This is Microsoft's flavor of PKI. It's used to create certificates: could be client certificates, server certificates, certificates for smart cards and other stuff.

But let's say we are in a situation where the blue team put ms-DS-MachineAccountQuota to zero. So we cannot create fake machine accounts. So we cannot do resource-based constrained delegation.

Although the machine accounts have another attribute called msDS-KeyCredentialLink, and they can put a machine in there and request a certificate.

Similar technique, different LDAP attribute. This time we're going to do it remotely, from C2. So we will need to find a way to start the WebDAV service, because earlier in the previous demo the WebDAV service was not started, but when we requested the profile picture it started the service in the background.

So this time we have a Beacon established on our C2, Cobalt Strike. We establish our SOCKS5 proxy and we do our port forward just like before we did with the SSH client.

Now if we look at the WebDAV client service, it is stopped. We look at this file; it's the coercion type of file we used earlier in the SMB share, but this time it's a different type of file.

It's a search connector (.searchConnector-ms), and if we notice, it has a UNC path for WebDAV.

So I locked my screen for some reason. Thank you, VMware.

So we upload this coercion file to the desktop.

I'm going to set up my ntlmrelayx right now on 80. That's what was inside the coercion file, forwarded to LDAP on the domain controller.

Use the flag shadow credentials, and the shadow credentials target is the host we are trying to perform local privilege escalation on, and obviously proxychains in front.

So when we browse to the desktop, we see we have the request as the low-privilege user, but the attack doesn't work. This is expected because the low-privilege user cannot write the attribute of the machine account, but it's enough to start the WebDAV client service, so now we're going to restart our ntlmrelayx again.

We know the WebDAV client service has started and we're going to finish the job with PetitPotam, and we're going to request a UNC WebDAV path.

So PetitPotam localhost on port 80, and we authenticate. We give it the authentication of our low-privilege cred, and it does not work.

When you do WebDAV requests you need to wait two, three minutes in between the requests. It's just the way it is.

So we’ll just run it again. This time it will work. We receive the hash from the machine account and we create a certificate.

We put the machine account itself in its msDS-KeyCredentialLink LDAP attribute so we can create this certificate for itself.

So now we're going to run another tool by Dirk-jan in his PKINITtools toolset. It's called gettgtpkinit. We're going to use the certificate and we're going to swap it for a Kerberos ticket.

Make sure I'm using the right PFX file. That's the certificate file.

It helps if I'm in the right directory also. And so we get the TGT, but as a bonus we get the AS-REP encryption key.

This key can help to retrieve the NTLM password. So you can get two things out of this technique.

Export the machine certificate to our Linux environment variable.

Now this is optional, but we're going to use the AS-REP encryption key. I believe this technique is called UnPAC the hash. And we will retrieve the NTLM hash.

As we saw earlier, this is almost as good as the password because it can be used in a pass-the-hash attack.

Now we use the Kerberos ticket for the machine account and we're going to do the S4U to impersonate the domain administrator, similar to what we did with resource-based constrained delegation.

No output, but it did work. We put the Kerberos file in our environment variable once again, and we WMI to the box; we have our interactive shell.

So that was shadow credentials. To do the cleanup, we can use this tool called Certipy by Oliver Lyak, if I pronounce his name correctly.

Awesome tool. Very good to exploit ADCS. I can't say enough good about it. So at first, we run in the context of the machine account itself, and then we do the list option; it will give us this device ID that we put in the msDS-KeyCredentialLink LDAP attribute.

Then we run the clear, and that's the cleanup. So for the next demo, this is our small contribution that my colleague Bradley Kunsella and I did.

We found that something was lacking, in our opinion, in ntlmrelayx, where if you want to dump ADCS in the option right now, you need to dump it with LDAP, and this requires HTTP incoming requests.

The way we found to dump it is we take an SMB incoming hash and we relay it to HTTP. It won't give you as much detail as the LDAP option, but at least with this option it dumps the templates that you can see.

For example, as a user, sometimes the company doesn't use the default template. So this might give you an idea, and then you might end up with a certificate.

So at least it could be your first cred. So earlier, if we look at the LDAP attribute, the dump adcs, but we add this --dump here in the ADCS attack module, and it dumps the user templates via web.

So ntlmrelayx targets the ADCS server with this URI, adcs dom.

We're going to simulate the request; we poison with Responder and we dump what is available for the user.

We dump the templates that are available for the user. There's only one, called user custom demo.

Now I'm going to use Certipy instead of ntlmrelayx to do the relay. It's a very similar thing. Specify the template as well, do it again, and we dump the certificate for the low-privilege user.

We're going to use Certipy once again to authenticate with the certificate. It gives us the TGT, it gives us the NTLM hash, all at once.

And we use the Kerberos ticket to do the Kerberos attack, to prove that we have identification on the domain.

So the next attack, it came to my attention by the guys at SpecterOps, Will Schroeder and Lee Christensen, when they released an amazing white paper on ADCS exploitation.

And this was combined with the work of topotam for PetitPotam. When it came out, it was really disastrous for the blue team, because you PetitPotam the DC, you get the hash because it's unauthenticated, and then you relay the hash to the ADCS with the template Domain Controller.

You get a certificate for the domain controller. Exchange that for a Kerberos ticket and you can DCSync. In this demo, we will also perform this attack from a compromised Windows host, meaning we cannot listen on port 445 because it's used by Microsoft.

So what we're going to do, we're going to use this tool by Praetorian called PortBender, where it taps on TCP 445 and forwards it to any port that you want.

In this case, we're going to redirect it to 8445. And so basically we can do this attack from this compromised host. So we have our Cobalt Strike C2.

Here we establish our SOCKS5 reverse SOCKS proxy.

We do a port forward from 8445 on the host to our DigitalOcean localhost 445.

We proxychain. Instead of using ntlmrelayx, we use Certipy. We forward it to the ADCS server using the template Domain Controller.

Now we're going to upload the WinDivert driver. That's the one that does the magic with the tapping on port 445. We run PortBender.

We redirect 445 to 8445. We already did the port forward, so it's going to end up in our DigitalOcean box.

And now we printer bug, for a change. Instead of using PetitPotam, we printer bug to coerce DC2.

Using our low-privilege authentication, we can see that the forward was successful.

We have the request from DC2 forwarded to ADCS and we got the DC2 certificate, still using Certipy.

We're going to authenticate with it. We get the TGT, we get the NTLM hash. The last piece of the puzzle is just to DCSync to emulate the domain controller replication, like we did earlier using secretsdump.

And this time, instead of using the Kerberos ticket, we're just using the NTLM hash and we dump the domain.

The next attack, it's made by two nice gentlemen from Italy that always share cool stuff, splinter_code and decoder. It's called RemotePotato0.

Basically what it does is, let's say you compromise a Citrix box, or you just compromise a host that has access to a Citrix box.

This does some DCOM portion internally and then elevates the system and steals the access or the token, impersonating the other people that are on the box.

And then what we're going to do, using those accounts, we're going to forward it to LDAPS. So here if we do query user, we see that we have ourselves in the console as low, but we also have administrator, the main domain administrator, who's logged in via an RDP session, in session ID number two.

So we simply ntlmrelayx to the domain controller on LDAPS.

Here we use socat because by default RemotePotato0 needs to do an OXID resolver.

By the way, there's a PR on impacket by Master L 98 that does this on the Linux side instead of the server side.

We're going to run RemotePotato0 and forward it to our Linux host. The mode zero, I should have said, RemotePotato0, there are many types of attack that it can do, but this is mode zero, our IP, our IP and 999 for the OXID resolver to come back to us, and the session, session two.

So it did the forward and we received the authentication as the domain admin. And by default what ntlmrelayx does, it creates a new user and it gives it the permission called Replicating Directory Changes All, which basically gives the right to do the DCSync attack to the newly created user.

So the last piece of the puzzle, we're going to DCSync once again as this newly created user, and bada bing, bada boom, that's done.

We got all the keys of the domain. Until this, all the exploits, the abuse I should say, that we've done, it was all on NTLM relay.

But earlier this year, James Forshaw, who's an amazing researcher in this domain, proved that it was possible to do it over Kerberos.

And then Dirk-jan once again released a blog where he used mitm6 to poison and force the DNS of the client to authenticate back to you, and forward that on Kerberos.

So this is similar to what we did earlier with mitm6, except that we use krbrelayx instead of ntlmrelayx, forwarded to the DC.

And we're going to mix that with the ADCS attack. The template is the Machine template.

We're going to use mitm6.

We're going to force a refresh on the network card.

We see that we have our authentication and we send the SOA; that's to force the DNS of the client to authenticate to us.

And we have created, we have gotten the certificate for the machine, and it's dumped in base64.

So we're going to dump that in a file. And once again my screen locked.

Thank you, VMware, I'm not too sure why it does that. So we're going to use gettgtpkinit like we did before.

Specify the PFX in base64 for the machine account. It gives us the TGT. Export the TGT to the environment variable, do the S4U impersonation.

Once again we use the default domain account, domain administrator I should say.

And with the wmiexec on the box, we have complete local privilege escalation. So this is the last demo.

All those techniques that we demonstrated, there is a tool that was released by Dec0ne, and earlier there was a similar tool released by cube0x0.

It basically does all the shadow creds or the RBCD, but automatically. And it also uses a UAC bypass by James Forshaw.

So all that included in one package, bada bing bada boom, and it relays it to Kerberos. So at first we're going to use the mode...

I'm going to wait, I don't remember off the top of my head. We're going to use the mode shadow creds, and with the ForceShadowCred flag, flush the msDS-KeyCredentialLink, and it pops a shell as SYSTEM as a result.

For the second part, where it locks again, I think it's something with the L, or typing L too fast in an RDP session.

For the next part we're going to do the same thing but with resource-based constrained delegation mode. Make sure that we create a new account.

The computer name, it's a different one than the one I did previously. So same thing, very simple, very fast, pops a shell as SYSTEM, and finally you can do the same thing but create a service that points to a binary as a payload, and in this case it's a Cobalt Strike payload.

And we will receive a Beacon elevated as SYSTEM. So this completes all the demos I had for you today. Special mention to our friend and colleague at Black Hills, Justin Angel, who created a tool called eavesarp.

If everything that you're trying to do doesn't work because everything is patched, what this tool does is that it looks for ARP requests and it tells you maybe there's a decommissioned server or something that's not there anymore; you can take over its IP and hopefully receive something from the server.

So that's a last resort option. That's for you. Justin made a webcast and there's a blog about it on our Black Hills website as well.

Now we're going to touch briefly on mitigation. How can you mitigate all of that? First of all, disable LLMNR, NBT-NS and mDNS.

Disable IPv6 if it's not in use. Set ms-DS-MachineAccountQuota to zero so that you cannot create fake machine accounts. Monitor and alert on those event IDs matching msDS-AllowedToActOnBehalfOfOtherIdentity.

Monitor and alert the same for msDS-KeyCredentialLink. Monitor and alert for this ID for PKINIT authentication.

Enable and require LDAP and SMB signing. Also implement EPA for HTTP and LDAP. Ensure to enable the localhost firewall.

Implement network segmentation. This is very hard for us, when there's good segmentation, to move laterally. Consider disabling the WebDAV client service so that you cannot do all those shenanigans. Again, implement RPC firewall rules and monitor for malicious RPC activity.

This is to prevent PetitPotam, for example. Although we know they always come up with new RPC calls. Consider disabling the print spooler so you cannot be affected by the printer bug, especially on the DC.

It's not always available for the workstation, we understand. Configure privileged accounts as "account is sensitive and cannot be delegated."

Same thing for the Protected Users group. This will reduce a lot the possibility for those attacks. Consider removing the ADCS HTTP endpoint, the web enrollment, so that it cannot be relayed there.

And consider a manual manager approval step for the templates on ADCS where they make sense, so that even if someone requests a certificate, it has to be approved before it's generated.

And lastly, with your ADCS template and server permissions, you can use SpecterOps' white paper on that. This is a very clear path straight to DA.

We see it a lot in environments. Here are some mitigation references. I want to take a second to thank all of those users that were so generous to share their knowledge and their tools.

Without them this couldn't be possible. So every single one of you, these are the references for all the techniques that we talked about today.

And basically this is the end. Thank you for listening, and if you are a blue team or if you want to hire us, we do all types of assessment: internal, external, Active Directory assessment, cloud, Wi-Fi, web app, physical, phishing, social engineering.

Don't hesitate to reach out to us at Black Hills. All right.

Jason Blanchard

Caught me off guard yet again, Gabriel.

Gabriel Prud’homme

Yeah, I'm finishing a little bit early. Sorry about that.

Jason Blanchard

Yeah, you can do that up in Canada. So we had a series of questions, and pretty sure they were at a period of time where you covered so many different things.

So what I’m going to do is if anyone still has questions, like, this is the opportunity, because sometimes when people ask a question, I don’t want to interrupt you because I don’t know if you’re about to answer it, but then you covered so many different tools and topics and everything, I think.

So, what I’d like to do, first of all, great job. Great job. Very well done.

Gabriel Prud’homme

Thank you.

Jason Blanchard

Good job. For your first time, how do you feel?

Gabriel Prud’homme

I feel better because it's done. Yes.

Jason Blanchard

So if we have any questions, now’s.

Gabriel Prud’homme

The time to ask.

Jason Blanchard

So, some white guy said, seldom do I see many demos that work through an entire talk. And what you did was record them and then speak over them.

Gabriel Prud’homme

Yeah, absolutely. Because the chance of something going wrong is way too high for that. But I made the webcast so that people can use it and turn around and use it as a reference, with the commands and the cleanup and the video.

So that could be useful for blue teams and attackers.

Jason Blanchard

Yep. So, a question here is: hi, about SMB relay. If we have an SMB relay with SOCKS via ntlmrelayx, can we use the same relay to run other tools like smbmap?

I know we can run impacket tools, but running other tools via the relay.

Gabriel Prud'homme

Yeah, I get the question. It's a good question. The answer is yes. You can proxy other tools. It might work. Sometimes it doesn't work. I think it depends on how the authentication of the tool works, but in most cases, it should work.

It needs to be on the same host, on the same protocol, and using the same context.

Jason Blanchard

So today's presentation is a different flavor. I like it. Yeah. So sometimes we just get in, but you just walk right through each and everything that happened.

So can't play with the demo. God stays present. Is it possible to share the virtual machine setup so that we can practice it in our own environment?

Gabriel Prud'homme

Well, some colleagues suggest maybe we can do a pay-what-you-can course, and we'll see.

Jason Blanchard

Somehow I’m not seeing the link to the slides. Can you link again? Yeah, so if you’re in discord you can always go over to the slides resources channel and if you’re not in discord, I will go ahead and grab the file and drag it into the chat and then you’ll be able to grab it directly from the chat.

Paul said that would be cool if we could do a pay what you can class.

Gabriel Prud’homme

They want you to wear hide hats. Thank you, Paul.

Jason Blanchard

At what point do you think you're going to switch to krbrelayx instead of ntlmrelayx on these tests?

Gabriel Prud’homme

I don't know. It seems to be very... like when PetitPotam came out, Microsoft said, we won't fix it. This is intended by default.

Disable NTLM in your environment. And this is almost sure to break something. And it's, I wouldn't say impossible, but it's very hard to do. But I guess as more time passes, we will pivot towards Kerberos.

Jason Blanchard

Got a question here. Says I dabbled in proposing changes to our environment similar to these. The pushback I get is that the dependencies of disabling the services are unknown.

Gabriel Prud'homme

Any insight? Where there's a will, there's a way. Hire us and we'll make a good report for your customer.

Jason Blanchard

Well, so recently we had a thing and I was like, well, what happens if we like disable it will break stuff. And I was like, well, I mean, if we disable it, we’ll find out exactly what’s broken by disabling it.

All right, let's see. Any other questions? He said, our team is nervous about breaking services.

Gabriel Prud’homme

It's totally understandable. It's not easy to apply those mitigations, to be honest, but they are highly effective.

Jason Blanchard

All right, I think that's it. I think that's it. Are there risks to networks by poisoning WPAD?

Gabriel Prud’homme

Potentially, yes, depending on the environment that they have. All those network poisonings, there's always a little bit of risk.

So I would suggest practicing in your lab. And by the way, you can build all those labs for free. Microsoft provides the ISOs; you can use an old computer you have lying around.

And I built all this lab for free, except for Cobalt Strike C2.

Jason Blanchard

Does using cloud negate most of these.

Gabriel Prud’homme

Attacks? It depends on how your cloud is interconnected. It's a little bit of a short answer, but yeah.

Jason Blanchard

I just want to put it out loud. It was a really awesome talk. I know this talk didn’t cover much about OpSec, but how can we make this whole testing a bit more or less verbose so the blue team will catch us.

Gabriel Prud’homme

Every environment is different. I would say, at the end, in the final step, obviously don't use psexec. Maybe try to use a more stealthy lateral movement. Does Defender for Identity...

Jason Blanchard

Pick this attack.

Gabriel Prud’homme

I am not sure. When setting up...

Jason Blanchard

...your lab, are all the images on one laptop or set up on a desktop?

Gabriel Prud’homme

Well, I have an old gamer machine that I don't game on, and I just RDP to it, and there's a bunch of VMs in there. Just have enough RAM, I would say 16GB minimum, and one or two SSDs, and you're good to go.

Jason Blanchard

So one of the things I noticed listening to your talk is that you pick up so many different techniques from so many different sources. What is like, how did you find, like, what is your normal routine to learn attacks from other people?

Gabriel Prud’homme

Yeah, usually you get a lot of the new stuff that comes out on Twitter. And also I would encourage you to hang out in the Discord or the Slack of different infosec companies so that you can learn about that, and just have your routine of blogs, and basically it's just, how bad do you want to learn?

And the rest will come.

Jason Blanchard

Is there anyone on Twitter you would say, follow?

Gabriel Prud’homme

Definitely. Those guys I mentioned earlier: Dirk-jan, Forshaw, harmj0y, Elad Shamir. I did not mention it, but he did discover half of that.

Yeah, it’s on the slide in the credit page.

Jason Blanchard

Okay. Can you share the architecture and the services that you had to configure to make this demo?

Gabriel Prud’homme

Just come back to... we'll see if there are enough requests, maybe for a pay-what-you-can course.

Jason Blanchard

Okay. And this originally started like, you were in a pod meeting, right, at work, and talked about some of these things. And then someone said you should turn it into a blog.

And you’re like, wait, no, I want to do a two hour webcast. So, like, how did all this come about? Like, how did we get here today?

Gabriel Prud’homme

Yeah, well, I've been following John for over a decade, and I ended up having the luck to be hired by him.

So thank you, John, for that. And we have team meetings; that's what he's referring to as pod meetings. And we exchange our tests and ideas and techniques. And my colleagues were like, this is so cool, you should put it in a blog.

And I just hate writing, so for me, seeing is believing, so I was like, okay, I'm going to make the demo the way I want people to make demos, with all the commands, all the video, so that they can turn around and use it.

So that’s how this came to fruition.

Jason Blanchard

And I'm going to give you the same last question that I gave Tim last week. So this is your first Black Hills webcast. You've been on the other side watching these for a long time, and now you're here.

What made you want to make that transition? And I’ll have a follow up after that?

Gabriel Prud’homme

Well, I didn't really want to make this webcast, to be honest. But I'm glad I did. And it's just weird to talk to you guys because, like I said to you before, it feels like I'm talking to the TV, like in a crazy movie.

But no, I did it to help the company, to share my knowledge like so many have shared with me, bring your nest to the blue team, and hopefully attract business for our company.

All good things.

Jason Blanchard

Sure. All right. Any final words, Gabriel?

Gabriel Prud’homme

Thank you. Bye, Enzo.

Jason Blanchard

Uh-huh. Okay. You're welcome. All right, everybody, thank you for joining us today on this Black Hills Information Security webcast. We had Gabriel and Tim. Deb was here, Brian was here, but mainly it was Gabriel.

Like, it was Gabriel here today. We appreciate you being here. Hopefully you can hear me, because people say my mic's low, but, yellow. Yeah, I'll just yell, like, right into it. If you'd like this, join us next week; we have an active channel managers webcast, and then the week after that, we have, like, a four-hour roundup from Wild West Hackin' Fest.

And then if you want to come to Wild West Hackin' Fest, we're doing that in October, so it would be great to see you there. We do this all the time. If this was your first time, we hope you come back. And if this was, like, your 40th or 50th time, thank you so much, because we do this because of you.

You bring us joy because we get a chance to help guide you in the security world. And we can't wait to meet you in person. So we'll see y'all next time. Brian, kill it with fire.

Gabriel Prud’homme

Fire.