SlideShare a Scribd company logo
1 of 52
Download to read offline
© Black Hills Information Security | @BHInfoSecurity
Tactics for Cracking
the GSuite Perimeter
Mike Felch
RED TEAM
© Black Hills Information Security | @BHInfoSecurity
Who Am I
•Mike Felch - @ustayready
•Pentest / Red team at BHIS
•OWASP Orlando Chief Breaker
•Host of Tradecraft Security Weekly
•Host of CoinSec Podcast
•EVSec Organizer
.. always been pretty curious
© Black Hills Information Security | @BHInfoSecurity
What We’re Covering
1. Preparation: OPSEC or Die Trying
2. External: Crack the Perimeter
3. SE: Exploiting Trust
4. Persistence: Hide in Plain Sight
5. Internal: Collateral Damage
6. Demo: Real-world Attack
7. Defending: Triage the Breach
8. Questions / Comments
© Black Hills Information Security | @BHInfoSecurity
Disclaimer: I <3 Google
We b up :( It’s o p te ...
Relationship Status
© Black Hills Information Security | @BHInfoSecurity
Preparation:
OPSEC or Die Trying
© Black Hills Information Security | @BHInfoSecurity
Preparation: Bad! :(
• Use your normal account for API keys
• Login to multiple accounts w/ the same IP
• Use the same browser w/ multiple sessions
How To Lose a Fight With Google SOC
© Black Hills Information Security | @BHInfoSecurity
Preparation: Good! :)
+ +
© Black Hills Information Security | @BHInfoSecurity
Preparation
• Prepaid Smartphone ✔
• Prepaid Credit Card ✔
• VPN Account ✔
• Clean Virtual Machine ✔
• New Google Identity ✔
• New Google API Keys ✔
• Don’t Cross-contaminate ✔
•
© Black Hills Information Security | @BHInfoSecurity
External:
Crack the Perimeter
© Black Hills Information Security | @BHInfoSecurity
Don’t move so quick!
• Don’t always need to go straight to shell
• Phishing w/ malicious docs are old
• Why go External -> Internal -> External???
• Decide on an attack path
• Strategically target victims
Creds are King!
© Black Hills Information Security | @BHInfoSecurity
Password Spraying
• Determine naming convention
• Search LinkedIn for users
• Generate email lists
• Try one password at a time
• Spray all the accounts
• Rotate IP addresses regularly
• Just need one account to start
© Black Hills Information Security | @BHInfoSecurity
Quick CredKing Intro
• Build on Amazon AWS Lambda!
• Unique IP per region
• Generates user/password pairs
• Multi-threading processing
• Supports all Amazon AWS Regions
• Quickly create new plugins
*disclaimer* Avoid using more then 15 threads with GSuite
© Black Hills Information Security | @BHInfoSecurity
SE:
Exploiting Trust
© Black Hills Information Security | @BHInfoSecurity
Google Group Ruse
• Create malicious group
• Change your display name
• Force add users
• Customize a message
• Don’t forget URLs...
© Black Hills Information Security | @BHInfoSecurity
Google Group Ruse
© Black Hills Information Security | @BHInfoSecurity
Google Hangout Ruse
• Remember this?
• Old invitation to chat in Gmail
• Apparently asking was too
much
© Black Hills Information Security | @BHInfoSecurity
Google Hangout Ruse
• Now default Google Hangouts settings
allow direct chat without warning
• Simply knowing the email address is all
that’s needed
• Pop a message box open to the target
spoofing another person
• Say hi, send link, capture creds and/or
shell
© Black Hills Information Security | @BHInfoSecurity
Google Hangout Ruse
• You can modify your default settings to
enforce sending an invitation
• But even then, spoofed accounts look good
• To require invites:
1) Browse hangouts.google.com
2) Click hamburger menu in top left
3) Settings -> Customize Invite Settings
4) Switch all to “Can send you an invitation”
• No global option for all accounts in org :(
© Black Hills Information Security | @BHInfoSecurity
Enumerate Open Accounts
• Accounts not requiring invites can be
enumerated easily
• Start new chat w/ via the Gmail chat menu
• If box says “Start a conversation with
<name>” then an invite is required
© Black Hills Information Security | @BHInfoSecurity
Google Doc Ruse
• What if you could get Google to send a phishing link for you?
• Google Docs is perfect for this
• Create a Google Doc with clickbait name like “Critical Update Pending”
• Add content, then add a comment to the doc with your phishing link
• In the comment, type their email address prefixed with a + symbol
(i.e. +hacker@gmail.com) then check ‘Assign’
• Google will send the target an email from
<random-string>@docs.google.com
© Black Hills Information Security | @BHInfoSecurity
Google Doc Ruse
© Black Hills Information Security | @BHInfoSecurity
Google Doc Ruse
© Black Hills Information Security | @BHInfoSecurity
Google Calendar Ruse
• Needs to look legit
• Needs to trigger a response
• Needs to create urgency
• Needs to go undetected
• Needs to avoid red flags
Don’t email, inject event!
© Black Hills Information Security | @BHInfoSecurity
Calendar Event Injection
• Silently inject events into calendars
• Creates urgency via reminders
• Include link to phishing page
• Mass-exploitation w/o visibility
• Litter calendars for the future
• Remove traces by erasing the event
• Include GoToMeeting
• Don’t forget to record the meeting! :)
© Black Hills Information Security | @BHInfoSecurity
Calendar Event Injection
• Fun w/ the Google API
• Mark victims as ‘Accepted’
• Add comments for victims
• but.. they never receive an invite
• Bypasses setting for not auto-add
• Reported 10/9/2017
Google Isn’t Patching!
© Black Hills Information Security | @BHInfoSecurity
Personalized Phishing
© Black Hills Information Security | @BHInfoSecurity
Google 2FA Requirements
• SMS: Text Message
• TOTP: Google Authenticator
• Phone Prompt: Touch Phone
• U2F: Hardware Device
Username + Password + ...
Challenge Accepted!
© Black Hills Information Security | @BHInfoSecurity
Additional Points
• Might get asked for last location
• GeoIP it from IP during capture
• Immediately clear red alert bar
• Clear for one, clear for all
• Multiple failed phone prompts
• Disables phone prompt for few hours
• Automatically switches 2FA option
• May also contain attacker location/device
• Downgrades U2F to back-up option
• Older browsers don’t support U2F :)
© Black Hills Information Security | @BHInfoSecurity
Quick CredSniper Intro
• Fetch the profile image
• Google Picasa API
• JavaScript XMLHttpRequest()
• Ask nicely for the password
• Behind the scenes, authenticate
• Is 2FA present?
• No? Redirect them to GDoc agenda
• Doh! 2FA is enabled
• Which type? Extract information
• Ask for 2FA Token nicely
• Login w/ Username + Password + Token
© Black Hills Information Security | @BHInfoSecurity
CredSniper for teh win
Real
Or
Fake?
© Black Hills Information Security | @BHInfoSecurity
CredSniper for teh win
Real
Or
Fake?
FakeReal
© Black Hills Information Security | @BHInfoSecurity
Persistence:
Hide in Plain Sight
© Black Hills Information Security | @BHInfoSecurity
Generate App Password
• Backdoor password for account
• Under ‘My Account’
• Click ‘Sign-in & Security’
• Select ‘App-Passwords’
• Combine w/ 2FA backdoor
• Login as normal after triage!
© Black Hills Information Security | @BHInfoSecurity
Backup Codes
• Download alternative 2FA tokens
• Rarely get re-generated after breach
• Most don’t know they even exist
• Great combined w/ app passwords!
© Black Hills Information Security | @BHInfoSecurity
Enroll New 2FA Device
• Tie 2FA to your own device
• Generate legit 2FA tokens
• Commonly gets inspected after breach
• Nice when undetected though...
© Black Hills Information Security | @BHInfoSecurity
Authorized API Backdoor
• Sign-up a new project on cloud.google.com
• Enable API access
• When creating API client, add full scopes
• Sign-in to victim account and authorize backdoor app!
SCOPES = '
https://www.googleapis.com/auth/calendar
https://mail.google.com/
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/groups
https://www.googleapis.com/auth/admin.directory.user
'
© Black Hills Information Security | @BHInfoSecurity
Backdoor Android App
• Don’t Publish app in Play Store
• Login to victim account
• Browse to app in Play Store
• Install to victims mobile device
• Pop a shell!
• Pilfer, persist and pivot..
© Black Hills Information Security | @BHInfoSecurity
Re-configure Account
• Add email rules to delete alerts
• no-reply@accounts.google.com
• Add recovery email/phone
• Create email forwarder
• Monitor for global SOC emails :)
• Add calendar events for others
• Delegate account to another victim
• Locked out? Recover account!
© Black Hills Information Security | @BHInfoSecurity
Internal:
Collateral Damage
© Black Hills Information Security | @BHInfoSecurity
Target Company Directory
• Create contacts group from directory
• Export all the contacts
• Tailor your target list..
• More technical, more access!
• Create a LinkedIn doppelganger
• Side note.. file transfers
don’t have [EXTERNAL] tags like email
© Black Hills Information Security | @BHInfoSecurity
Search Gdrive/Gmail
• Search for files with ‘password’
• Download a zip of them all!
• Any VPN documentation?
• What 3rd party sites do they use?
• Files with ‘confidential’ in the title
• Credit card keywords...
• AWS access_key/secret_access_key
• MailSniper supported!
© Black Hills Information Security | @BHInfoSecurity
Find Google Groups
• Go to groups.google.com
• Groups might not be listed
• You can still can search!
• Look for keywords:
• access_key
• password
• root
• ...etc
• Tech staff LOVE groups for cron
© Black Hills Information Security | @BHInfoSecurity
Eat the whole elephant
• https://takeout.google.com
• Export all Google data from an
account
• Includes:
• All G-Drive files, full search history,
Hangouts message data, all emails,
all calendar events, Voice history,
etc…
© Black Hills Information Security | @BHInfoSecurity
Pop Google Admin
• Manage All Users
• Manage All Domains
• Manage All Files
• Manage All SSO/Auth
• Manage All Devices
Game Over!
© Black Hills Information Security | @BHInfoSecurity
Defending:
Triage the Breach
© Black Hills Information Security | @BHInfoSecurity
Reset Accounts
• Log out of all sessions
• Change user password
• Generate new backup codes
• Capture IoC for threat hunting
• … anything else? Glad you asked!
© Black Hills Information Security | @BHInfoSecurity
Look for Backdoors
• Remove app passwords
• Remove 2FA devices
• Remove authorized apps
• Remove email forwarders
• Remove email filters
• Remove bad recovery email/phone
• Remove bad Android apps
• Remove bad account delegations
© Black Hills Information Security | @BHInfoSecurity
Find Victims & Monitor
• Get familiar with Google Admin console
• https://github.com/jay0lee/GAM
• Search by IP address
• Don’t just change passwords
• Remove backdoors
• Look for rogue email forwards
• Generate a timeline
• Communicate better!
© Black Hills Information Security | @BHInfoSecurity
Finishing Up:
Questions for You
© Black Hills Information Security | @BHInfoSecurity
Question to GSuite Users
Does your BYOD policy give you the ability to test/audit security for
corporate email and files on personal devices? What about corporate
phones? Should it?
Are employees just trained on phishing/SE ‘red flags’ or are they taught
good user-behavior patterns?
How strong is your password policy or are you just trusting in Google?
© Black Hills Information Security | @BHInfoSecurity
Question to Google
•GSuite customers need a process that allows us to submit approval
requests for pentests engagements. Testing our configurations, users,
devices and data is important to us. Help us keep our engagements
transparent to you, above board, and without getting suspended for
alleged TOS violations.
Can you implement an engagement approval process?
© Black Hills Information Security | @BHInfoSecurity
Questions?
• Twitter
• Mike - @ustayready (don’t forget Beau! @dafthack)
• BHIS - @BHInfoSecurity
• Black Hills Information Security
• http://www.blackhillsinfosec.com/
• MailSniper
• https://github.com/dafthack/MailSniper
• CredSniper
• https://github.com/ustayready/CredSniper
• CredKing
• https://github.com/ustayready/CredKing

More Related Content

What's hot

SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Knative with .NET Core and Quarkus with GraalVM
Knative with .NET Core and Quarkus with GraalVMKnative with .NET Core and Quarkus with GraalVM
Knative with .NET Core and Quarkus with GraalVMMark Lechtermann
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsVignesh Ganesan I Microsoft MVP
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 

What's hot (20)

SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Knative with .NET Core and Quarkus with GraalVM
Knative with .NET Core and Quarkus with GraalVMKnative with .NET Core and Quarkus with GraalVM
Knative with .NET Core and Quarkus with GraalVM
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud AppsSecure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
Secure your Access to Cloud Apps using Microsoft Defender for Cloud Apps
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWS
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 

Similar to Red Team Tactics for Cracking the GSuite Perimeter

Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Beau Bullock
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Beau Bullock
 
A Google Event You Won't Forget
A Google Event You Won't ForgetA Google Event You Won't Forget
A Google Event You Won't ForgetBeau Bullock
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team ApocalypseBeau Bullock
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Beau Bullock
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online SecurityConn Ó Muíneacháin
 
Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Luis Grangeia
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Security and Privacy Brown Bag
Security and Privacy Brown BagSecurity and Privacy Brown Bag
Security and Privacy Brown Bag501 Commons
 
WordPress Security 101 - WordCamp Nairobi 2019
WordPress Security 101 -  WordCamp Nairobi 2019WordPress Security 101 -  WordCamp Nairobi 2019
WordPress Security 101 - WordCamp Nairobi 2019stk_jj
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidErnest Staats
 
Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)David Herrington
 
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger AuthenticatonGoogle Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger AuthenticatonFIDO Alliance
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19TechSoup
 
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong PasswordsDon't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwordsrmortiz66
 
Online Self Defense
Online Self DefenseOnline Self Defense
Online Self DefenseBarry Caplin
 

Similar to Red Team Tactics for Cracking the GSuite Perimeter (20)

Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)Red Team Apocalypse (RVAsec Edition)
Red Team Apocalypse (RVAsec Edition)
 
Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!Weaponizing Corporate Intel: This Time, It's Personal!
Weaponizing Corporate Intel: This Time, It's Personal!
 
A Google Event You Won't Forget
A Google Event You Won't ForgetA Google Event You Won't Forget
A Google Event You Won't Forget
 
Red Team Apocalypse
Red Team ApocalypseRed Team Apocalypse
Red Team Apocalypse
 
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “f...
 
Seven Simple Steps to Online Security
Seven Simple Steps to Online SecuritySeven Simple Steps to Online Security
Seven Simple Steps to Online Security
 
Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...Man vs Internet - Current challenges and future tendencies of establishing tr...
Man vs Internet - Current challenges and future tendencies of establishing tr...
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Security and Privacy Brown Bag
Security and Privacy Brown BagSecurity and Privacy Brown Bag
Security and Privacy Brown Bag
 
WordPress Security 101 - WordCamp Nairobi 2019
WordPress Security 101 -  WordCamp Nairobi 2019WordPress Security 101 -  WordCamp Nairobi 2019
WordPress Security 101 - WordCamp Nairobi 2019
 
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureGetting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: Azure
 
Harbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vidHarbin clinic iot-mobile-no-vid
Harbin clinic iot-mobile-no-vid
 
Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)Be Cyber Smart! (DLH 10/25/2019)
Be Cyber Smart! (DLH 10/25/2019)
 
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger AuthenticatonGoogle Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
 
Android attacks
Android attacksAndroid attacks
Android attacks
 
DECEPTICONv2
DECEPTICONv2DECEPTICONv2
DECEPTICONv2
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
 
Cyber security
Cyber securityCyber security
Cyber security
 
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong PasswordsDon't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
Don't Forget Your (Virtual) Keys: Creating and Using Strong Passwords
 
Online Self Defense
Online Self DefenseOnline Self Defense
Online Self Defense
 

Recently uploaded

Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?Rustici Software
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationBuild Intuit
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 

Recently uploaded (20)

Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Which standard is best for your content?
Which standard is best for your content?Which standard is best for your content?
Which standard is best for your content?
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Dynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientationDynamical Context introduction word sensibility orientation
Dynamical Context introduction word sensibility orientation
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 

Red Team Tactics for Cracking the GSuite Perimeter

  • 1. © Black Hills Information Security | @BHInfoSecurity Tactics for Cracking the GSuite Perimeter Mike Felch RED TEAM
  • 2. © Black Hills Information Security | @BHInfoSecurity Who Am I •Mike Felch - @ustayready •Pentest / Red team at BHIS •OWASP Orlando Chief Breaker •Host of Tradecraft Security Weekly •Host of CoinSec Podcast •EVSec Organizer .. always been pretty curious
  • 3. © Black Hills Information Security | @BHInfoSecurity What We’re Covering 1. Preparation: OPSEC or Die Trying 2. External: Crack the Perimeter 3. SE: Exploiting Trust 4. Persistence: Hide in Plain Sight 5. Internal: Collateral Damage 6. Demo: Real-world Attack 7. Defending: Triage the Breach 8. Questions / Comments
  • 4. © Black Hills Information Security | @BHInfoSecurity Disclaimer: I <3 Google We b up :( It’s o p te ... Relationship Status
  • 5. © Black Hills Information Security | @BHInfoSecurity Preparation: OPSEC or Die Trying
  • 6. © Black Hills Information Security | @BHInfoSecurity Preparation: Bad! :( • Use your normal account for API keys • Login to multiple accounts w/ the same IP • Use the same browser w/ multiple sessions How To Lose a Fight With Google SOC
  • 7. © Black Hills Information Security | @BHInfoSecurity Preparation: Good! :) + +
  • 8. © Black Hills Information Security | @BHInfoSecurity Preparation • Prepaid Smartphone ✔ • Prepaid Credit Card ✔ • VPN Account ✔ • Clean Virtual Machine ✔ • New Google Identity ✔ • New Google API Keys ✔ • Don’t Cross-contaminate ✔ •
  • 9. © Black Hills Information Security | @BHInfoSecurity External: Crack the Perimeter
  • 10. © Black Hills Information Security | @BHInfoSecurity Don’t move so quick! • Don’t always need to go straight to shell • Phishing w/ malicious docs are old • Why go External -> Internal -> External??? • Decide on an attack path • Strategically target victims Creds are King!
  • 11. © Black Hills Information Security | @BHInfoSecurity Password Spraying • Determine naming convention • Search LinkedIn for users • Generate email lists • Try one password at a time • Spray all the accounts • Rotate IP addresses regularly • Just need one account to start
  • 12. © Black Hills Information Security | @BHInfoSecurity Quick CredKing Intro • Build on Amazon AWS Lambda! • Unique IP per region • Generates user/password pairs • Multi-threading processing • Supports all Amazon AWS Regions • Quickly create new plugins *disclaimer* Avoid using more then 15 threads with GSuite
  • 13. © Black Hills Information Security | @BHInfoSecurity SE: Exploiting Trust
  • 14. © Black Hills Information Security | @BHInfoSecurity Google Group Ruse • Create malicious group • Change your display name • Force add users • Customize a message • Don’t forget URLs...
  • 15. © Black Hills Information Security | @BHInfoSecurity Google Group Ruse
  • 16. © Black Hills Information Security | @BHInfoSecurity Google Hangout Ruse • Remember this? • Old invitation to chat in Gmail • Apparently asking was too much
  • 17. © Black Hills Information Security | @BHInfoSecurity Google Hangout Ruse • Now default Google Hangouts settings allow direct chat without warning • Simply knowing the email address is all that’s needed • Pop a message box open to the target spoofing another person • Say hi, send link, capture creds and/or shell
  • 18. © Black Hills Information Security | @BHInfoSecurity Google Hangout Ruse • You can modify your default settings to enforce sending an invitation • But even then, spoofed accounts look good • To require invites: 1) Browse hangouts.google.com 2) Click hamburger menu in top left 3) Settings -> Customize Invite Settings 4) Switch all to “Can send you an invitation” • No global option for all accounts in org :(
  • 19. © Black Hills Information Security | @BHInfoSecurity Enumerate Open Accounts • Accounts not requiring invites can be enumerated easily • Start new chat w/ via the Gmail chat menu • If box says “Start a conversation with <name>” then an invite is required
  • 20. © Black Hills Information Security | @BHInfoSecurity Google Doc Ruse • What if you could get Google to send a phishing link for you? • Google Docs is perfect for this • Create a Google Doc with clickbait name like “Critical Update Pending” • Add content, then add a comment to the doc with your phishing link • In the comment, type their email address prefixed with a + symbol (i.e. +hacker@gmail.com) then check ‘Assign’ • Google will send the target an email from <random-string>@docs.google.com
  • 21. © Black Hills Information Security | @BHInfoSecurity Google Doc Ruse
  • 22. © Black Hills Information Security | @BHInfoSecurity Google Doc Ruse
  • 23. © Black Hills Information Security | @BHInfoSecurity Google Calendar Ruse • Needs to look legit • Needs to trigger a response • Needs to create urgency • Needs to go undetected • Needs to avoid red flags Don’t email, inject event!
  • 24. © Black Hills Information Security | @BHInfoSecurity Calendar Event Injection • Silently inject events into calendars • Creates urgency via reminders • Include link to phishing page • Mass-exploitation w/o visibility • Litter calendars for the future • Remove traces by erasing the event • Include GoToMeeting • Don’t forget to record the meeting! :)
  • 25. © Black Hills Information Security | @BHInfoSecurity Calendar Event Injection • Fun w/ the Google API • Mark victims as ‘Accepted’ • Add comments for victims • but.. they never receive an invite • Bypasses setting for not auto-add • Reported 10/9/2017 Google Isn’t Patching!
  • 26. © Black Hills Information Security | @BHInfoSecurity Personalized Phishing
  • 27. © Black Hills Information Security | @BHInfoSecurity Google 2FA Requirements • SMS: Text Message • TOTP: Google Authenticator • Phone Prompt: Touch Phone • U2F: Hardware Device Username + Password + ... Challenge Accepted!
  • 28. © Black Hills Information Security | @BHInfoSecurity Additional Points • Might get asked for last location • GeoIP it from IP during capture • Immediately clear red alert bar • Clear for one, clear for all • Multiple failed phone prompts • Disables phone prompt for few hours • Automatically switches 2FA option • May also contain attacker location/device • Downgrades U2F to back-up option • Older browsers don’t support U2F :)
  • 29. © Black Hills Information Security | @BHInfoSecurity Quick CredSniper Intro • Fetch the profile image • Google Picasa API • JavaScript XMLHttpRequest() • Ask nicely for the password • Behind the scenes, authenticate • Is 2FA present? • No? Redirect them to GDoc agenda • Doh! 2FA is enabled • Which type? Extract information • Ask for 2FA Token nicely • Login w/ Username + Password + Token
  • 30. © Black Hills Information Security | @BHInfoSecurity CredSniper for teh win Real Or Fake?
  • 31. © Black Hills Information Security | @BHInfoSecurity CredSniper for teh win Real Or Fake? FakeReal
  • 32. © Black Hills Information Security | @BHInfoSecurity Persistence: Hide in Plain Sight
  • 33. © Black Hills Information Security | @BHInfoSecurity Generate App Password • Backdoor password for account • Under ‘My Account’ • Click ‘Sign-in & Security’ • Select ‘App-Passwords’ • Combine w/ 2FA backdoor • Login as normal after triage!
  • 34. © Black Hills Information Security | @BHInfoSecurity Backup Codes • Download alternative 2FA tokens • Rarely get re-generated after breach • Most don’t know they even exist • Great combined w/ app passwords!
  • 35. © Black Hills Information Security | @BHInfoSecurity Enroll New 2FA Device • Tie 2FA to your own device • Generate legit 2FA tokens • Commonly gets inspected after breach • Nice when undetected though...
  • 36. © Black Hills Information Security | @BHInfoSecurity Authorized API Backdoor • Sign-up a new project on cloud.google.com • Enable API access • When creating API client, add full scopes • Sign-in to victim account and authorize backdoor app! SCOPES = ' https://www.googleapis.com/auth/calendar https://mail.google.com/ https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/groups https://www.googleapis.com/auth/admin.directory.user '
  • 37. © Black Hills Information Security | @BHInfoSecurity Backdoor Android App • Don’t Publish app in Play Store • Login to victim account • Browse to app in Play Store • Install to victims mobile device • Pop a shell! • Pilfer, persist and pivot..
  • 38. © Black Hills Information Security | @BHInfoSecurity Re-configure Account • Add email rules to delete alerts • no-reply@accounts.google.com • Add recovery email/phone • Create email forwarder • Monitor for global SOC emails :) • Add calendar events for others • Delegate account to another victim • Locked out? Recover account!
  • 39. © Black Hills Information Security | @BHInfoSecurity Internal: Collateral Damage
  • 40. © Black Hills Information Security | @BHInfoSecurity Target Company Directory • Create contacts group from directory • Export all the contacts • Tailor your target list.. • More technical, more access! • Create a LinkedIn doppelganger • Side note.. file transfers don’t have [EXTERNAL] tags like email
  • 41. © Black Hills Information Security | @BHInfoSecurity Search Gdrive/Gmail • Search for files with ‘password’ • Download a zip of them all! • Any VPN documentation? • What 3rd party sites do they use? • Files with ‘confidential’ in the title • Credit card keywords... • AWS access_key/secret_access_key • MailSniper supported!
  • 42. © Black Hills Information Security | @BHInfoSecurity Find Google Groups • Go to groups.google.com • Groups might not be listed • You can still can search! • Look for keywords: • access_key • password • root • ...etc • Tech staff LOVE groups for cron
  • 43. © Black Hills Information Security | @BHInfoSecurity Eat the whole elephant • https://takeout.google.com • Export all Google data from an account • Includes: • All G-Drive files, full search history, Hangouts message data, all emails, all calendar events, Voice history, etc…
  • 44. © Black Hills Information Security | @BHInfoSecurity Pop Google Admin • Manage All Users • Manage All Domains • Manage All Files • Manage All SSO/Auth • Manage All Devices Game Over!
  • 45. © Black Hills Information Security | @BHInfoSecurity Defending: Triage the Breach
  • 46. © Black Hills Information Security | @BHInfoSecurity Reset Accounts • Log out of all sessions • Change user password • Generate new backup codes • Capture IoC for threat hunting • … anything else? Glad you asked!
  • 47. © Black Hills Information Security | @BHInfoSecurity Look for Backdoors • Remove app passwords • Remove 2FA devices • Remove authorized apps • Remove email forwarders • Remove email filters • Remove bad recovery email/phone • Remove bad Android apps • Remove bad account delegations
  • 48. © Black Hills Information Security | @BHInfoSecurity Find Victims & Monitor • Get familiar with Google Admin console • https://github.com/jay0lee/GAM • Search by IP address • Don’t just change passwords • Remove backdoors • Look for rogue email forwards • Generate a timeline • Communicate better!
  • 49. © Black Hills Information Security | @BHInfoSecurity Finishing Up: Questions for You
  • 50. © Black Hills Information Security | @BHInfoSecurity Question to GSuite Users Does your BYOD policy give you the ability to test/audit security for corporate email and files on personal devices? What about corporate phones? Should it? Are employees just trained on phishing/SE ‘red flags’ or are they taught good user-behavior patterns? How strong is your password policy or are you just trusting in Google?
  • 51. © Black Hills Information Security | @BHInfoSecurity Question to Google •GSuite customers need a process that allows us to submit approval requests for pentests engagements. Testing our configurations, users, devices and data is important to us. Help us keep our engagements transparent to you, above board, and without getting suspended for alleged TOS violations. Can you implement an engagement approval process?
  • 52. © Black Hills Information Security | @BHInfoSecurity Questions? • Twitter • Mike - @ustayready (don’t forget Beau! @dafthack) • BHIS - @BHInfoSecurity • Black Hills Information Security • http://www.blackhillsinfosec.com/ • MailSniper • https://github.com/dafthack/MailSniper • CredSniper • https://github.com/ustayready/CredSniper • CredKing • https://github.com/ustayready/CredKing