Joe Sarkisian
Okay. So you're like, oh, okay, cool. You got it set up. All right. I'll be right back. Let me get the guy.
And do you remember his face when he saw his wife?
Yeah, my name is Joe Sarkisian. I work for Wolf & Company, P.C. out of Boston. I do penetration testing of all kinds, internal, external, Wi-Fi, social engineering, advanced security assessments, things like that. So we have a client, not a big company, maybe like 20 people. And they contracted us to do your average assumed breach pentest, so to speak. So we're on the inside, we're given access.
What would happen if somebody gets in there? So we send them a remote drop box, a little Raspberry Pi that we send them, they plug it into their network, and then we connect to that remotely. And it's kind of like we're sitting there in person. We've got on-the-wire access at that point on a subnet that they put us on. So I begin the test.
Typically, and here's the funny thing, is you'll look at pen test frameworks. You should start here. You should do this. You should do that. I would challenge you to find a pen tester that doesn't fire up Responder the second they get on a network and try to get creds and be off to the races as soon as humanly possible because that's what we do, quite frankly, on a lot of tests.
Well, that's the scary thing is our method is the same thing that any bad guy all around the world can do, right? We have an Amazon account, right? And we can spin up Amazon EC2 instances. So what we do is we spin up these Tesla GPUs on an instance. We have a couple of them. And we will take that GPU power to just blow through password hashes as fast as we possibly can based on that power.
It's going to be a lot faster than doing it with a Raspberry Pi or your local PC, unless your local PC has a ton of graphics cards in it, which ours does not. So yeah, we do that all in the cloud, relatively cheap, not super expensive to get done. And usually we get results pretty quick, within the first couple of hours.
I'm going to go 90 plus percent. That depends. If we've been there before and they took our recommendations, it's going to take a lot longer. It's going to be a lot harder.
So we will probably get on average, I would say, and again, whether we've been there first or not, they're taking recommendations, we'll probably get 50 to 60% within the first like four hours.
So we'll look for default passwords in places. We'll look for null sessions on hosts. Can I access this host without a username or a password? Can I just get in there, maybe on a domain controller? We still find this. You're able to quote unquote authenticate to a domain controller as nobody and start enumerating the domain.
Now, if you can do that, you can get a list of users from a domain controller, right? And then take that list of users and start password spraying against that domain controller with that list of users, common passwords, right? And then maybe you get a hit on password 2023 exclamation point, right? Or a company name 2023 exclamation point, right? Crazier things have happened.
Yeah, I mean, to this day, I've been doing this, I don't know, about five years now. To this day, whenever I see that first hash flashing yellow across my screen when I'm on a pen test, I still get a shot of adrenaline, right? It's just like, here we go.
So now we have domain access as that user. So typically what we'll do, we'll look for some basic, you know, privilege escalation opportunities. And at the same time, we're looking for data, right? So let's say we're kind of poking for both of those things, right? We want to prove that risk that this basic user maybe has access to some data that they don't need access to.
And if a bad guy gets access to this account as that person, they also get access to that data. And that's something you need to work on. So as we're rooting through file shares, what does this person have access to? We find this host. And it's like a Windows 10 host. And we have access to a couple of shares on this host. And we're rooting through.
Typically, we're looking for things that are called like password.txt or like SSH, this, that, or the other thing, or SSN, right? We're looking for data that's going to prove a problem for the company. So I'm looking through. And I find this folder called, I believe it's called like MPEGs. So I'm like, that's interesting. I don't typically find something like that.
You know, just like a folder called MPEGs. That's different. I'm just curious what's in here. So I look in. Sure enough, there's a bunch of MPEG files. I'm like, okay, that's interesting. There's like maybe four or five of them. So I download one of the MPEG files. I get it locally, and I'm like, let's watch this file. I open it, and I see a camera feed.
And the camera is just on a desk facing at someone's kind of where they would sit, right, in front of the computer. And I'm like, that's weird. You know, why would anybody put a camera on their desk, right? That's just strange. What are they recording? It doesn't make any sense. So all right, well, maybe there's something else to this.
So I download the second one because they're going in order, one, two, three, four. Download the second one. It is the same camera. It is the same desk. And this time the camera is underneath it. And it was a lady's desk I found out later. The way the camera was angled was, yes, at their, you know, the front bottom half of their body. Let's put it that way.
So I see this, and now I'm like, oh, God. Like, everybody, every pen tester has that, like... feeling that sooner or later, they're going to get this moment that is something like this. You find the proof that somebody's stealing from the company, or you find pictures you shouldn't, or whatever it may be. And this was the first time that I had found something like that.
And I was kind of just awestruck at first. And my head starts racing like, what do I do about this? And so the first instinct was pick up the phone and call my point of contact immediately. Now, the problem with that is this is a small company. I don't know anything more than this point of contact's name and the fact that I worked with him year over year. I don't know what he does personally.
I don't know what he's into. I don't know if he's the person that put this camera there. But he's the only point of contact I have, right? So he's the one I'm calling. So I pick up the phone and I get on the phone. I tell him, hey, just so you know, I found... under the desk camera footage of, and then he cuts me off completely and says, stop right there. I'm calling HR.
And at that point, I had a kind of this wave of relief over me because at this point, I'm like, okay, well, he's probably not the one that put it there because he's wanting to call HR immediately. So HR gets on the phone. I explain it to them. They say, thank you very much. And that's the end of the call.
You know, basically, you know, it's the typical stuff. Like you said, you know, we found this, we found that, you know, here's recommendations for fixing that. Okay, great. And we didn't feel like it was our place or appropriate to bring that up on that call. However, I did end up talking to that client a month later.
And, you know, we were going over some remediation strategies for them and, you know... Basically, they're like, hey, how's everything else going? How you been? I'm like, I'm good. How about that other thing? I'm just curious about that other thing. This is a much more casual conversation. I'm just curious. Is everything okay with that other thing we found?
And he kind of just gave me this look on the Zoom call. He's like, yep, that's been handled. And I knew not to push, but I knew that whatever had to be done had been done. At least it seemed like it had. And it seemed like it worked out for them. I wasn't going to get pulled into court for having to testify for anything, which I was actually kind of ready for.
I'm like, oh, this might be the first time. But it just didn't happen that way. So I got lucky.
It's, with no exaggeration, 95% of clients that we are able to do that with year over year.
It was a regional bank, and we were doing some more traditional audit work as well as pen testing. And I had one of our junior pen testers on that job with me. So this person was, you know, they came with a little bit of experience in the door. They'd been with us for, I don't know, four to six months at that point.
So we started doing our thing, you know, like doing a little Responder stuff, whatever. And for whatever reason, this person's having a hard time with Responder. Like, their Python's not working. The tool's not working. I'm trying to help them through it. So, you know, I'm like, you know what? It's a teaching moment. I'm going to let them figure this out. Right?
Like, I'm not going to give them the answer. I'm not going to coach them to it. I want to see how they handle this.
I have a 30-minute client call with another client I need to take. So I want to be over here. I'm like, you know what? You take the reins on this. It's the beginning of the test. What can go wrong? So I'm on the call and he's doing his thing. And I don't know, like five, 10 minutes go by, I'm on this call. And I started noticing there's a lot of, like, phones ringing in adjacent offices.
I get off my call. I'm like, I'm sorry, what's going on? He's like, everything's down. We can't reach anything. The core, oh my God, nothing works. We're like, okay. So to the junior guy, whatever you're doing, stop. So he stops. Maybe like five, 10 minutes go by and things kind of quiet down. We check in with the point of contact. He's like, yeah, whatever that was, don't do that ever again.
He's obviously upset, understandably so. So in the process of figuring out what happened, I'm talking to the junior tester, and I say, what were you doing? What kind of test were you doing? He's like, you know, I was running Responder, whatever. Okay, cool. Well, what else were you doing? Well, you know, I figured I'd save time, and I would run, you know, like a port scan.
Like, okay, what would you use for that? And he says, well, I always use masscan. And I'm like, okay, not Nmap? He's like, no, no, no, masscan's faster.
I'm like, oh, I'm aware masscan is faster. Show me the command you ran with masscan. So he shows me the command he ran with masscan, and when you run masscan, you have the option of how many packets per second you want to run that at. He had added like two or three zeros to the default, which means he was blazing across all of their subnets running masscan and doing a port scan.
And that is what brought their network to its knees for five to ten minutes, is that he was careless and, if you want to kind of step back from that, I was careless as the quote-unquote tester in the room at that point in time.
So we end up with like this big call. He didn't necessarily like break anything. He just slowed the network down to a crawl because he was shoving so much traffic through it that nothing else could get where it needed to go. So the CIO, chief information officer on the call, a lot of big muckety mucks. And basically they're like, tell us why we shouldn't fire you from this right now, essentially.
And we had to go through the whole rigmarole with them and explain like, look, you know, it was a typo on a screen. We didn't do it on purpose. We're very sorry. We won't do it again. Yada, yada, yada. And luckily, like, they came around. But I'm pretty sure we don't have pen testing work at that bank anymore. So, yeah, that was not fun. We've had to change our procedures since that's happened.