SlideShare a Scribd company logo
1 of 53
© Black Hills Information Security | @BHInfoSecurity
OK Google, How do I
Red Team GSuite?
Mike Felch & Beau Bullock
Attacking Google Suite Customers
© Black Hills Information Security | @BHInfoSecurity
Who We Are
• Mike Felch - @ustayready
• Pentest / Red team at BHIS
• Involved w/ OWASP Orlando & BSides Orlando
• Host of Tradecraft Security Weekly
• Host of CoinSec Podcast
• Beau Bullock - @dafthack
•Pentest / Red team at BHIS
• Host of Tradecraft Security Weekly
• Host of CoinSec Podcast
• Avid OWA enthusiast
© Black Hills Information Security | @BHInfoSecurity
Disclaimer: We <3 Google
We broke up :( It’s complicated...
Relationship Status
© Black Hills Information Security | @BHInfoSecurity
What We’re Covering
1. Preparation: OPSEC or Die Trying
2. External: Crack the Perimeter
3. SE: Exploiting Trust
4. Persistence: Hide in Plain Sight
5. Internal: Collateral Damage
6. Demo: Real-world Attack
7. Defending: Triage the Breach
8. Questions / Comments
© Black Hills Information Security | @BHInfoSecurity
Preparation:
OPSEC or Die Trying
© Black Hills Information Security | @BHInfoSecurity
Preparation: Bad! :(
• Use your normal account for API keys
• Login to multiple accounts w/ the same IP
• Use the same browser w/ multiple sessions
How To Lose a Fight With Google SOC
© Black Hills Information Security | @BHInfoSecurity
Preparation: Good! :)
+ +
© Black Hills Information Security | @BHInfoSecurity
Preparation
• Prepaid Smartphone ✔
• Prepaid Credit Card ✔
• VPN Account ✔
• Clean Virtual Machine ✔
• New Google Identity ✔
• New Google API Keys ✔
• Don’t Cross-contaminate ✔
© Black Hills Information Security | @BHInfoSecurity
External:
Crack the Perimeter
© Black Hills Information Security | @BHInfoSecurity
Don’t move so quick!
• Don’t go straight to shell
• Phishing w/ malicious docs are old
• Why go External -> Internal -> External???
• Decide on an attack path
• Strategically target victims
Creds are King!
© Black Hills Information Security | @BHInfoSecurity
Password Spraying
• Determine naming convention
• Search LinkedIn for users
• Generate email lists
• Try one password at a time
• Spray all the accounts
• Rotate IP addresses regularly
• Just need one account to start
© Black Hills Information Security | @BHInfoSecurity
Demo:
AWS Lambda Spraying
© Black Hills Information Security | @BHInfoSecurity
SE:
Exploiting Trust
© Black Hills Information Security | @BHInfoSecurity
Google Group Ruse
• Create malicious group
• Change your display name
• Force add users
• Customize a message
• Don’t forget URLs...
© Black Hills Information Security | @BHInfoSecurity
Google Group Ruse
© Black Hills Information Security | @BHInfoSecurity
Google Hangout Ruse
• Remember this? ----------->
• This was an invite to chat in
Gmail
• Apparently this was too
much work for some users
© Black Hills Information Security | @BHInfoSecurity
Google Hangout Ruse
• Now the default Google Hangouts settings
allow direct chat without warning
• Simply knowing the email address is all
that’s needed
• Pop a message box open to the target
spoofing another person
• Say hi, send link, capture creds and/or
shell
© Black Hills Information Security | @BHInfoSecurity
Google Hangout Ruse
• You can modify your default settings to
enforce sending an invitation
• But even then, spoofed accounts look good
• To require invites:
• Hangouts.google.com, click hamburger menu
in top left, Settings, “Customize Invite
Settings”, switch all to “Can send you an
invitation”
• There doesn’t appear to be a global option
for locking down accounts across an org
© Black Hills Information Security | @BHInfoSecurity
Enumerate Open Accounts
• Accounts not requiring invites can be
enumerated easily
• Simply start a new chat with them via the
Gmail chat menu
• If the box that pops up says “Start a
conversation with <name>” then an invite is
required
© Black Hills Information Security | @BHInfoSecurity
Google Doc Ruse
• What if you could get Google to send a phishing link for you?
• Google Docs is perfect for this
• Create a Google Doc with clickbait name like “Critical Update Pending”
• Add content, then add a comment to the doc with your phishing link
• In the comment, type their email address prefixed with a + symbol
(i.e. +hacker@gmail.com) then check ‘Assign’
• Google will send the target an email from <random-
string>@docs.google.com
© Black Hills Information Security | @BHInfoSecurity
Google Doc Ruse
© Black Hills Information Security | @BHInfoSecurity
Google Doc Ruse
© Black Hills Information Security | @BHInfoSecurity
Google Calendar Ruse
• Needs to look legit
• Needs to trigger a response
• Needs to create urgency
• Needs to go undetected
• Needs to avoid red flags
Don’t email, inject event!
© Black Hills Information Security | @BHInfoSecurity
Calendar Event Injection
• Silently inject events into calendars
• Creates urgency via reminders
• Include link to phishing page
• Mass-exploitation w/o visibility
• Litter calendars for the future
• Remove traces by erasing the event
• Include GoToMeeting
• Don’t forget to record the meeting! :)
• How did we get here???
© Black Hills Information Security | @BHInfoSecurity
Calendar Event Injection
• Fun w/ the Google API
• Mark victims as ‘Accepted’
• Add comments for victims
• but.. they never receive an invite
• Bypasses setting for not auto-add
• Reported 10/9/2017
Google Isn’t Patching!
© Black Hills Information Security | @BHInfoSecurity
Personalized Phishing
© Black Hills Information Security | @BHInfoSecurity
Google 2FA Requirements
• SMS: Text Message
• TOTP: Google Authenticator
• Phone Prompt: Touch Phone
• U2F: Hardware Device
Username + Password + ...
Challenge Accepted!
© Black Hills Information Security | @BHInfoSecurity
Additional 2FA Points
• Might get asked for last location
• GeoIP it from IP during capture
• Immediately clear red alert bar
• Clear for one, clear for all
• Multiple failed phone prompts
• Disables phone prompt for few hours
• Automatically switches 2FA option
• May also contain attacker location/device
© Black Hills Information Security | @BHInfoSecurity
Quick CredSniper Intro
• Fetch the profile image
• Google Picasa API
• JavaScript XMLHttpRequest()
• Ask nicely for the password
• Behind the scenes, authenticate
• Is 2FA present?
• No? Redirect them to GDoc agenda
• Doh! 2FA is enabled
• Which type? Extract information
• Ask for 2FA Token nicely
• Login w/ Username + Password + Token
© Black Hills Information Security | @BHInfoSecurity
CredSniper for teh win
Real
Or
Fake?
© Black Hills Information Security | @BHInfoSecurity
CredSniper for teh win
Real
Or
Fake?
FakeReal
© Black Hills Information Security | @BHInfoSecurity
Persistence:
Hide in Plain Sight
© Black Hills Information Security | @BHInfoSecurity
Generate App Password
• Backdoor password for account
• Under ‘My Account’
• Click ‘Sign-in & Security’
• Select ‘App-Passwords’
• Combine w/ 2FA backdoor
• Login as normal after triage!
© Black Hills Information Security | @BHInfoSecurity
Backup Codes
• Download alternative 2FA tokens
• Rarely get re-generated after breach
• Most don’t know they even exist
• Great combined w/ app passwords!
© Black Hills Information Security | @BHInfoSecurity
Enroll New 2FA Device
• Tie 2FA to your own device
• Generate legit 2FA tokens
• Commonly gets inspected after breach
• Nice when undetected though...
© Black Hills Information Security | @BHInfoSecurity
Authorized API Backdoor
• Sign-up a new project on cloud.google.com
• Enable API access
• When creating API client, add full scopes
• Sign-in to victim account and authorize backdoor app!
SCOPES = '
https://www.googleapis.com/auth/calendar
https://mail.google.com/
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/groups
https://www.googleapis.com/auth/admin.directory.user
'
© Black Hills Information Security | @BHInfoSecurity
Backdoor Android App
• Don’t Publish app in Play Store
• Login to victim account
• Browse to app in Play Store
• Install to victims mobile device
• Pop a shell!
• Pilfer, persist and pivot..
© Black Hills Information Security | @BHInfoSecurity
Demo:
Malicious Android App
© Black Hills Information Security | @BHInfoSecurity
Re-configure Account
• Add email rules to delete alerts
• no-reply@accounts.google.com
• Add recovery email/phone
• Create email forwarder
• Monitor for global SOC emails :)
• Add calendar events for others
• Delegate account to another victim
• Locked out? Recover account!
© Black Hills Information Security | @BHInfoSecurity
Internal:
Collateral Damage
© Black Hills Information Security | @BHInfoSecurity
Target Company Directory
• Create contacts group from directory
• Export all the contacts
• Tailor your target list..
• More technical, more access!
• Create a LinkedIn doppelganger
• Side note.. file transfers
don’t have [EXTERNAL] tags like email
© Black Hills Information Security | @BHInfoSecurity
Search Gdrive/Gmail
• Search for files with ‘password’
• Download a zip of them all!
• Any VPN documentation?
• What 3rd party sites do they use?
• Files with ‘confidential’ in the title
• Credit card keywords...
• AWS access_key/secret_access_key
• MailSniper supported!
© Black Hills Information Security | @BHInfoSecurity
Find Google Groups
• Go to groups.google.com
• Groups might not be listed
• You can still can search!
• Look for keywords:
• access_key
• password
• root
• ...etc
• Devs LOVE groups for cron
© Black Hills Information Security | @BHInfoSecurity
Eat the whole elephant
• https://takeout.google.com
• Export all Google data from an
account
• Includes:
• All G-Drive files, full search history,
Hangouts message data, all emails,
all calendar events, Voice history,
etc…
© Black Hills Information Security | @BHInfoSecurity
Pop Google Admin
• Manage All Users
• Manage All Domains
• Manage All Files
• Manage All SSO/Auth
• Manage All Devices
Game Over!
© Black Hills Information Security | @BHInfoSecurity
Defending:
Triage the Breach
© Black Hills Information Security | @BHInfoSecurity
Reset Accounts
• Log out of all sessions
• Change user password
• Generate new backup codes
• Capture IoC for threat hunting
• … anything else?
© Black Hills Information Security | @BHInfoSecurity
Look for Backdoors
• Remove app passwords
• Remove 2FA devices
• Remove authorized apps
• Remove email forwarders
• Remove email filters
• Remove bad recovery email/phone
• Remove bad Android apps
• Remove bad account delegations
© Black Hills Information Security | @BHInfoSecurity
Find Victims & Monitor
• Get familiar with Google Admin console
• https://github.com/jay0lee/GAM
• Search by IP address
• Don’t just change passwords
• Remove backdoors
• Look for rogue email forwards
• Generate a timeline
• Communicate better!
© Black Hills Information Security | @BHInfoSecurity
Finishing Up:
Questions for You
© Black Hills Information Security | @BHInfoSecurity
Question to GSuite Users
Does your BYOD policy give you the ability to test/audit security for
corporate email and files on personal devices? What about corporate
phones? Should it?
Are employees just trained on phishing/SE ‘red flags’ or are they taught
good user-behavior patterns?
How strong is your password policy or are you just trusting in Google?
© Black Hills Information Security | @BHInfoSecurity
Question to Google
• GSuite customers need a process that allows us to submit approval
requests for pentests engagements. Testing our configurations, users,
devices and data is important to us. Help us keep our engagements
transparent to you, above board, and without getting suspended for
alleged TOS violations.
Can you implement an engagement approval process?
© Black Hills Information Security | @BHInfoSecurity
Questions?
• Twitter
• Mike - @ustayready
• Beau - @dafthack
• BHIS - @BHInfoSecurity
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• MailSniper
• https://github.com/dafthack/MailSniper
• CredSniper
• https://github.com/ustayready/CredSniper
• CredKing
• https://github.com/ustayready/CredKing

More Related Content

What's hot

BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloAndy Robbins
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)Will Schroeder
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesIBM Security
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for IdentityNikhil Mittal
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration TestingCheah Eng Soon
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 

What's hot (20)

Bug bounty
Bug bountyBug bounty
Bug bounty
 
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, OsloBloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
BloodHound 1.3 - The ACL Attack Path Update - Paranoia17, Oslo
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
I Have the Power(View)
I Have the Power(View)I Have the Power(View)
I Have the Power(View)
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege Escalation
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Phishing and prevention
Phishing and preventionPhishing and prevention
Phishing and prevention
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion Techniques
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity0wn-premises: Bypassing Microsoft Defender for Identity
0wn-premises: Bypassing Microsoft Defender for Identity
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation  Red Pill2017How fun of privilege escalation  Red Pill2017
How fun of privilege escalation Red Pill2017
 
Vault
VaultVault
Vault
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 

Similar to OK Google, How Do I Red Team GSuite?

Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Beau Bullock
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Beau Bullock
 
A Google Event You Won't Forget
A Google Event You Won't ForgetA Google Event You Won't Forget
A Google Event You Won't ForgetBeau Bullock
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team ApocalypseBeau Bullock
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Beau Bullock
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...BizLibrary
 
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger AuthenticatonGoogle Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger AuthenticatonFIDO Alliance
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?Precisely
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online SecurityConn Ó Muíneacháin
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidErnest Staats
 
How to manage your client's data responsibly
How to manage your client's data responsiblyHow to manage your client's data responsibly
How to manage your client's data responsiblyGabor Szathmari
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security TestingBlueinfy Solutions
 
Security and Privacy Brown Bag
Security and Privacy Brown BagSecurity and Privacy Brown Bag
Security and Privacy Brown Bag501 Commons
 
The Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutputThe Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutputSilas Cutler
 
Google Case Study: Becoming Unphishable
Google Case Study: Becoming UnphishableGoogle Case Study: Becoming Unphishable
Google Case Study: Becoming UnphishableFIDO Alliance
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19TechSoup
 

Similar to OK Google, How Do I Red Team GSuite? (20)

Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!
 
A Google Event You Won't Forget
A Google Event You Won't ForgetA Google Event You Won't Forget
A Google Event You Won't Forget
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
Lessons Learned from the Top Four Cyber Security Breaches & How Your Company ...
 
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger AuthenticatonGoogle Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
 
What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?What Does a Full Featured Security Strategy Look Like?
What Does a Full Featured Security Strategy Look Like?
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online Security
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
 
Android secure coding
Android secure codingAndroid secure coding
Android secure coding
 
How to manage your client's data responsibly
How to manage your client's data responsiblyHow to manage your client's data responsibly
How to manage your client's data responsibly
 
iOS Application Security Testing
iOS Application Security TestingiOS Application Security Testing
iOS Application Security Testing
 
Security and Privacy Brown Bag
Security and Privacy Brown BagSecurity and Privacy Brown Bag
Security and Privacy Brown Bag
 
The Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutputThe Shifting Landscape of PoS MalwareOutput
The Shifting Landscape of PoS MalwareOutput
 
Google Case Study: Becoming Unphishable
Google Case Study: Becoming UnphishableGoogle Case Study: Becoming Unphishable
Google Case Study: Becoming Unphishable
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
 

More from Beau Bullock

Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingBeau Bullock
 
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorTravelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorBeau Bullock
 
Red Team Apocalypse - BSides Peru (En español)
Red Team Apocalypse - BSides Peru (En español)Red Team Apocalypse - BSides Peru (En español)
Red Team Apocalypse - BSides Peru (En español)Beau Bullock
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsA Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsBeau Bullock
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagBeau Bullock
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionBeau Bullock
 
Fade from Whitehat... to Black
Fade from Whitehat... to BlackFade from Whitehat... to Black
Fade from Whitehat... to BlackBeau Bullock
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest ApocalypseBeau Bullock
 

More from Beau Bullock (9)

Getting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract AuditingGetting Started in Blockchain Security and Smart Contract Auditing
Getting Started in Blockchain Security and Smart Contract Auditing
 
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front DoorTravelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
 
Red Team Apocalypse - BSides Peru (En español)
Red Team Apocalypse - BSides Peru (En español)Red Team Apocalypse - BSides Peru (En español)
Red Team Apocalypse - BSides Peru (En español)
 
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency EcosystemsA Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems
 
How to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bagHow to Build Your Own Physical Pentesting Go-bag
How to Build Your Own Physical Pentesting Go-bag
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 
Fade from Whitehat... to Black
Fade from Whitehat... to BlackFade from Whitehat... to Black
Fade from Whitehat... to Black
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Pentest Apocalypse
Pentest ApocalypsePentest Apocalypse
Pentest Apocalypse
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

OK Google, How Do I Red Team GSuite?

  • 1. © Black Hills Information Security | @BHInfoSecurity OK Google, How do I Red Team GSuite? Mike Felch & Beau Bullock Attacking Google Suite Customers
  • 2. © Black Hills Information Security | @BHInfoSecurity Who We Are • Mike Felch - @ustayready • Pentest / Red team at BHIS • Involved w/ OWASP Orlando & BSides Orlando • Host of Tradecraft Security Weekly • Host of CoinSec Podcast • Beau Bullock - @dafthack •Pentest / Red team at BHIS • Host of Tradecraft Security Weekly • Host of CoinSec Podcast • Avid OWA enthusiast
  • 3. © Black Hills Information Security | @BHInfoSecurity Disclaimer: We <3 Google We broke up :( It’s complicated... Relationship Status
  • 4. © Black Hills Information Security | @BHInfoSecurity What We’re Covering 1. Preparation: OPSEC or Die Trying 2. External: Crack the Perimeter 3. SE: Exploiting Trust 4. Persistence: Hide in Plain Sight 5. Internal: Collateral Damage 6. Demo: Real-world Attack 7. Defending: Triage the Breach 8. Questions / Comments
  • 5. © Black Hills Information Security | @BHInfoSecurity Preparation: OPSEC or Die Trying
  • 6. © Black Hills Information Security | @BHInfoSecurity Preparation: Bad! :( • Use your normal account for API keys • Login to multiple accounts w/ the same IP • Use the same browser w/ multiple sessions How To Lose a Fight With Google SOC
  • 7. © Black Hills Information Security | @BHInfoSecurity Preparation: Good! :) + +
  • 8. © Black Hills Information Security | @BHInfoSecurity Preparation • Prepaid Smartphone ✔ • Prepaid Credit Card ✔ • VPN Account ✔ • Clean Virtual Machine ✔ • New Google Identity ✔ • New Google API Keys ✔ • Don’t Cross-contaminate ✔
  • 9. © Black Hills Information Security | @BHInfoSecurity External: Crack the Perimeter
  • 10. © Black Hills Information Security | @BHInfoSecurity Don’t move so quick! • Don’t go straight to shell • Phishing w/ malicious docs are old • Why go External -> Internal -> External??? • Decide on an attack path • Strategically target victims Creds are King!
  • 11. © Black Hills Information Security | @BHInfoSecurity Password Spraying • Determine naming convention • Search LinkedIn for users • Generate email lists • Try one password at a time • Spray all the accounts • Rotate IP addresses regularly • Just need one account to start
  • 12. © Black Hills Information Security | @BHInfoSecurity Demo: AWS Lambda Spraying
  • 13. © Black Hills Information Security | @BHInfoSecurity SE: Exploiting Trust
  • 14. © Black Hills Information Security | @BHInfoSecurity Google Group Ruse • Create malicious group • Change your display name • Force add users • Customize a message • Don’t forget URLs...
  • 15. © Black Hills Information Security | @BHInfoSecurity Google Group Ruse
  • 16. © Black Hills Information Security | @BHInfoSecurity Google Hangout Ruse • Remember this? -----------> • This was an invite to chat in Gmail • Apparently this was too much work for some users
  • 17. © Black Hills Information Security | @BHInfoSecurity Google Hangout Ruse • Now the default Google Hangouts settings allow direct chat without warning • Simply knowing the email address is all that’s needed • Pop a message box open to the target spoofing another person • Say hi, send link, capture creds and/or shell
  • 18. © Black Hills Information Security | @BHInfoSecurity Google Hangout Ruse • You can modify your default settings to enforce sending an invitation • But even then, spoofed accounts look good • To require invites: • Hangouts.google.com, click hamburger menu in top left, Settings, “Customize Invite Settings”, switch all to “Can send you an invitation” • There doesn’t appear to be a global option for locking down accounts across an org
  • 19. © Black Hills Information Security | @BHInfoSecurity Enumerate Open Accounts • Accounts not requiring invites can be enumerated easily • Simply start a new chat with them via the Gmail chat menu • If the box that pops up says “Start a conversation with <name>” then an invite is required
  • 20. © Black Hills Information Security | @BHInfoSecurity Google Doc Ruse • What if you could get Google to send a phishing link for you? • Google Docs is perfect for this • Create a Google Doc with clickbait name like “Critical Update Pending” • Add content, then add a comment to the doc with your phishing link • In the comment, type their email address prefixed with a + symbol (i.e. +hacker@gmail.com) then check ‘Assign’ • Google will send the target an email from <random- string>@docs.google.com
  • 21. © Black Hills Information Security | @BHInfoSecurity Google Doc Ruse
  • 22. © Black Hills Information Security | @BHInfoSecurity Google Doc Ruse
  • 23. © Black Hills Information Security | @BHInfoSecurity Google Calendar Ruse • Needs to look legit • Needs to trigger a response • Needs to create urgency • Needs to go undetected • Needs to avoid red flags Don’t email, inject event!
  • 24. © Black Hills Information Security | @BHInfoSecurity Calendar Event Injection • Silently inject events into calendars • Creates urgency via reminders • Include link to phishing page • Mass-exploitation w/o visibility • Litter calendars for the future • Remove traces by erasing the event • Include GoToMeeting • Don’t forget to record the meeting! :) • How did we get here???
  • 25. © Black Hills Information Security | @BHInfoSecurity Calendar Event Injection • Fun w/ the Google API • Mark victims as ‘Accepted’ • Add comments for victims • but.. they never receive an invite • Bypasses setting for not auto-add • Reported 10/9/2017 Google Isn’t Patching!
  • 26. © Black Hills Information Security | @BHInfoSecurity Personalized Phishing
  • 27. © Black Hills Information Security | @BHInfoSecurity Google 2FA Requirements • SMS: Text Message • TOTP: Google Authenticator • Phone Prompt: Touch Phone • U2F: Hardware Device Username + Password + ... Challenge Accepted!
  • 28. © Black Hills Information Security | @BHInfoSecurity Additional 2FA Points • Might get asked for last location • GeoIP it from IP during capture • Immediately clear red alert bar • Clear for one, clear for all • Multiple failed phone prompts • Disables phone prompt for few hours • Automatically switches 2FA option • May also contain attacker location/device
  • 29. © Black Hills Information Security | @BHInfoSecurity Quick CredSniper Intro • Fetch the profile image • Google Picasa API • JavaScript XMLHttpRequest() • Ask nicely for the password • Behind the scenes, authenticate • Is 2FA present? • No? Redirect them to GDoc agenda • Doh! 2FA is enabled • Which type? Extract information • Ask for 2FA Token nicely • Login w/ Username + Password + Token
  • 30. © Black Hills Information Security | @BHInfoSecurity CredSniper for teh win Real Or Fake?
  • 31. © Black Hills Information Security | @BHInfoSecurity CredSniper for teh win Real Or Fake? FakeReal
  • 32. © Black Hills Information Security | @BHInfoSecurity Persistence: Hide in Plain Sight
  • 33. © Black Hills Information Security | @BHInfoSecurity Generate App Password • Backdoor password for account • Under ‘My Account’ • Click ‘Sign-in & Security’ • Select ‘App-Passwords’ • Combine w/ 2FA backdoor • Login as normal after triage!
  • 34. © Black Hills Information Security | @BHInfoSecurity Backup Codes • Download alternative 2FA tokens • Rarely get re-generated after breach • Most don’t know they even exist • Great combined w/ app passwords!
  • 35. © Black Hills Information Security | @BHInfoSecurity Enroll New 2FA Device • Tie 2FA to your own device • Generate legit 2FA tokens • Commonly gets inspected after breach • Nice when undetected though...
  • 36. © Black Hills Information Security | @BHInfoSecurity Authorized API Backdoor • Sign-up a new project on cloud.google.com • Enable API access • When creating API client, add full scopes • Sign-in to victim account and authorize backdoor app! SCOPES = ' https://www.googleapis.com/auth/calendar https://mail.google.com/ https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/groups https://www.googleapis.com/auth/admin.directory.user '
  • 37. © Black Hills Information Security | @BHInfoSecurity Backdoor Android App • Don’t Publish app in Play Store • Login to victim account • Browse to app in Play Store • Install to victims mobile device • Pop a shell! • Pilfer, persist and pivot..
  • 38. © Black Hills Information Security | @BHInfoSecurity Demo: Malicious Android App
  • 39. © Black Hills Information Security | @BHInfoSecurity Re-configure Account • Add email rules to delete alerts • no-reply@accounts.google.com • Add recovery email/phone • Create email forwarder • Monitor for global SOC emails :) • Add calendar events for others • Delegate account to another victim • Locked out? Recover account!
  • 40. © Black Hills Information Security | @BHInfoSecurity Internal: Collateral Damage
  • 41. © Black Hills Information Security | @BHInfoSecurity Target Company Directory • Create contacts group from directory • Export all the contacts • Tailor your target list.. • More technical, more access! • Create a LinkedIn doppelganger • Side note.. file transfers don’t have [EXTERNAL] tags like email
  • 42. © Black Hills Information Security | @BHInfoSecurity Search Gdrive/Gmail • Search for files with ‘password’ • Download a zip of them all! • Any VPN documentation? • What 3rd party sites do they use? • Files with ‘confidential’ in the title • Credit card keywords... • AWS access_key/secret_access_key • MailSniper supported!
  • 43. © Black Hills Information Security | @BHInfoSecurity Find Google Groups • Go to groups.google.com • Groups might not be listed • You can still can search! • Look for keywords: • access_key • password • root • ...etc • Devs LOVE groups for cron
  • 44. © Black Hills Information Security | @BHInfoSecurity Eat the whole elephant • https://takeout.google.com • Export all Google data from an account • Includes: • All G-Drive files, full search history, Hangouts message data, all emails, all calendar events, Voice history, etc…
  • 45. © Black Hills Information Security | @BHInfoSecurity Pop Google Admin • Manage All Users • Manage All Domains • Manage All Files • Manage All SSO/Auth • Manage All Devices Game Over!
  • 46. © Black Hills Information Security | @BHInfoSecurity Defending: Triage the Breach
  • 47. © Black Hills Information Security | @BHInfoSecurity Reset Accounts • Log out of all sessions • Change user password • Generate new backup codes • Capture IoC for threat hunting • … anything else?
  • 48. © Black Hills Information Security | @BHInfoSecurity Look for Backdoors • Remove app passwords • Remove 2FA devices • Remove authorized apps • Remove email forwarders • Remove email filters • Remove bad recovery email/phone • Remove bad Android apps • Remove bad account delegations
  • 49. © Black Hills Information Security | @BHInfoSecurity Find Victims & Monitor • Get familiar with Google Admin console • https://github.com/jay0lee/GAM • Search by IP address • Don’t just change passwords • Remove backdoors • Look for rogue email forwards • Generate a timeline • Communicate better!
  • 50. © Black Hills Information Security | @BHInfoSecurity Finishing Up: Questions for You
  • 51. © Black Hills Information Security | @BHInfoSecurity Question to GSuite Users Does your BYOD policy give you the ability to test/audit security for corporate email and files on personal devices? What about corporate phones? Should it? Are employees just trained on phishing/SE ‘red flags’ or are they taught good user-behavior patterns? How strong is your password policy or are you just trusting in Google?
  • 52. © Black Hills Information Security | @BHInfoSecurity Question to Google • GSuite customers need a process that allows us to submit approval requests for pentests engagements. Testing our configurations, users, devices and data is important to us. Help us keep our engagements transparent to you, above board, and without getting suspended for alleged TOS violations. Can you implement an engagement approval process?
  • 53. © Black Hills Information Security | @BHInfoSecurity Questions? • Twitter • Mike - @ustayready • Beau - @dafthack • BHIS - @BHInfoSecurity • Black Hills Information Security • http://www.blackhillsinfosec.com/ • MailSniper • https://github.com/dafthack/MailSniper • CredSniper • https://github.com/ustayready/CredSniper • CredKing • https://github.com/ustayready/CredKing