Right of Boom
January 30, 2025

Vulnerability Scanning & Exploitation

In this video, Jason Slagle and Bryson Medlock discuss the intricacies of vulnerability management and the importance of not relying solely on tools like RMM for security. They emphasize the need for MSPs to consider the security of all devices in their network, not just Windows systems, and to be aware of potential vulnerabilities in devices like cameras and IoT products. The discussion also highlights resources and tools available for learning more about penetration testing and ensuring a comprehensive security posture.

- MSPs often focus on client security but may overlook their own security, creating vulnerabilities within their systems.
- Vulnerability management and patch management are distinct processes; not all vulnerabilities can be patched, and not all patches address security issues.
- The importance of understanding and securing all network-connected devices, including IoT devices and networking equipment, to prevent exploitation.
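One point the session returns to is that a version-based vulnerability scanner is only as good as its database: on Red Hat systems, fixes are often backported without a version bump, so the scanner reports a CVE that the package changelog (`rpm -q --changelog <pkg>`) shows is already fixed. The script below is an added example, not code from the session or from any of the tools it mentions: it triages constructed scanner findings against constructed changelog text and sorts each into "not-vulnerable" (installed version already at or past the fix), "backported-fix" (the CVE is named in the changelog, so likely a false positive to document), or "confirmed" (nothing indicates the CVE was addressed). Package names, versions and CVE identifiers are all placeholders made up for the demonstration.

```python
"""Triage version-based scanner findings against RPM changelog text.

Added example; hosts, packages, versions and CVE ids below are constructed
placeholders, not real findings. In practice the changelog text comes from
`rpm -q --changelog <package>` run on the scanned host.
"""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str   # version-release the scanner saw, e.g. "2.4.1-7.el8"
    fixed_in: str    # upstream version the scanner's database calls fixed
    cve: str


def version_key(version: str) -> tuple:
    """Split a version-release string into comparable chunks.

    Numeric chunks sort before alphabetic ones and numerically among
    themselves, so "2.4.10" correctly sorts after "2.4.9".
    """
    parts = []
    for chunk in re.split(r"[.\-]", version):
        if chunk.isdigit():
            parts.append((0, int(chunk)))
        else:
            parts.append((1, chunk))
    return tuple(parts)


def cves_in_changelog(changelog: str) -> set:
    """Collect every CVE identifier mentioned in rpm --changelog output."""
    return set(CVE_RE.findall(changelog))


def triage(finding: Finding, changelog: str) -> str:
    """Classify one finding using the installed version and the changelog."""
    if version_key(finding.installed) >= version_key(finding.fixed_in):
        return "not-vulnerable"      # scanner database is stale for this host
    if finding.cve in cves_in_changelog(changelog):
        return "backported-fix"      # old-looking version, but the fix is in
    return "confirmed"               # nothing shows this CVE was addressed


def triage_all(findings, changelogs):
    """Return {(host, package, cve): status} for every finding.

    `changelogs` maps package name -> changelog text for that host's RPM.
    """
    return {
        (f.host, f.package, f.cve): triage(f, changelogs.get(f.package, ""))
        for f in findings
    }


# --- constructed sample input -------------------------------------------
SAMPLE_CHANGELOGS = {
    "examplepkg": (
        "* Tue Jan 26 2021 Example Maintainer <maint@example.invalid> - 2.4.1-7.el8\n"
        "- Backport fix for heap overflow in option parsing (CVE-2021-99999)\n"
        "* Mon Oct 12 2020 Example Maintainer <maint@example.invalid> - 2.4.1-6.el8\n"
        "- Rebase to 2.4.1\n"
    ),
    "otherpkg": (
        "* Wed Mar 04 2020 Example Maintainer <maint@example.invalid> - 1.0.5-2.el8\n"
        "- Fix crash on empty config file\n"
    ),
}

SAMPLE_FINDINGS = [
    Finding("web01", "examplepkg", "2.4.1-7.el8", "2.4.3", "CVE-2021-99999"),
    Finding("web01", "otherpkg", "1.0.5-2.el8", "1.0.9", "CVE-2020-88888"),
    Finding("web01", "thirdpkg", "3.2.0-1.el8", "3.1.4", "CVE-2019-77777"),
]

if __name__ == "__main__":
    for key, status in triage_all(SAMPLE_FINDINGS, SAMPLE_CHANGELOGS).items():
        print(f"{key[0]} {key[1]} {key[2]}: {status}")
```

The "backported-fix" bucket is the evidence you would attach when a PCI scanner or an auditor asks why a flagged version is acceptable; the "confirmed" bucket is what actually goes into the patch or mitigation queue.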

Guests

Andrew Morgan

Video Transcript

Right. Alright, we are live for the final session of day one, and I want to introduce Jason Slagle of CNWR. Jason, how are you? I'm good. Yourself? Doing excellent. And, uh, you're looking very dapper there with that beard, by the way. Yeah, I, I, I gotta grow hair where I can these days. If I could, I would, but I can't, so I won't. My other, uh, bearded, esteemed colleague, Bryson Medlock. How are you, Bryson? I'm good. How are you? Good. And thank you so much for joining.

Hey, we're gonna kick off your session really quickly. I just want to bring on Amit real quick from Cyber Phish. And for those of you out there that don't know Cyber Phish, they've been fantastic in terms of supporting all of our technical events throughout the year. So when we've had capture the flag, they've stepped up every single time and provided a ton of prize money for this. We didn't have a capture the flag this time, but we decided to do something a little different.

And that is, you are going to have a chance to win a session, two sessions total, two one-hour sessions with Mr. Jason Slagle, um, and go through whatever kind of technical thing. No, but, but really probably around, you know, vulnerability management, web app exploitation. Um, but, um, we'll let you kind of curate that with Jason for winning that hour. It's sponsored by Cyber Phish. And, um, for those of you that know about Cyber Phish, it's a phenomenal email protection.

Uh, it does, um, uh, what's called, uh, visual detection. And the other reason I wanted to put, I put the, uh, call to action. So you can reg, you know, if you go there, put your name in, you'll be one of the registered people that can win with Bryson. But the really cool thing about Cyber Phish that they're adding, um, in the next week or so, and Amit, I'll just have you talk briefly about how you see Will Huffling, he's a huge fan.

I know he uses you quite a bit, Amit, um, is that you are bringing to market the first integrated, um, phishing campaign security awareness training. So let me just set the stage on me and then you'll tell everybody and then we'll get into it. Correct me if I'm wrong. So you guys stop millions of million. I mean, you have over 500 MSPs now in the, in the last year, millions of phishing attempts every single day, both within the MSPs and their customers.

Correct me if I'm wrong, instead of having to go to a third party solution, like a KnowBe4, manage all the campaigns, et cetera, you guys will basically inoculate the phishing ca that, that, that, that you just ingested, detonate it. And then people can choose different types of campaigns, right?

From real phishing, turn them into campaigns, and then go fish their own cu you know, their customers right from your system, set it up, schedule it, no more creating content, and you're gonna notify, which I think is really big, notify the, in the integrated, in the PSA systems, you're gonna notify the help desk team that phishing is actually going on, which is a big misstep today because all of a sudden you get clients calling in to the help desk going, Hey, I think I got phished.

Meanwhile, they don't know a phishing campaign's going on. So maybe 30, 60 seconds. Can you give us some highlights about it? And I'll turn it over. 'cause I know they want to hear from Bryson and Jason, so thanks, Amit. Yeah. So after you speaking address, you just shut up. You know, I, I can only do damages, but, uh, uh, but, but you're correct. We, we, we provide security and then we, we found out that, uh, that something is missing.

I mean, everyone wants to use some kind of, uh, you know, simulation training solutions, and they, they need to, to, to choose something else. And it's complicated, and they have to build campaigns and, and it's not updated. And we have the ability, we, we catch phishing all day long. So what we are doing, as you said, is actually we, we detonate them, change the links, move them back as phishing campaign.

So you, we, so you, you gain the ability to train your employees with original phishing emails that were originally directed to the same employees, right? But we, and you can build that campaign, configure that in a minute as an MSP, in a minute, and everything is automated. So if, and if you click that link over there, we provide special, uh, special things to your, uh, to your, uh, audience here. So it's, um, you know, a few months without paying, uh, SOC, our SOC services.

And in addition, on top of all of these, we'll help you, you know, move that forward. And, and yeah, it will take part, let's say in about two weeks, we are going to start out beta with our own MSP partners. So I think in about a month, month and a half, it's gonna be released to the MSPs. Fantastic. It's right below, Ariel, for those of you who are asking, it's right below. Thanks, Philip, for putting it in there, but right below, yeah, you got it, Ariel.

Um, they have a Protect Your House program for MSPs. They're doing all the right things and combining all those things, less expensive than your typical phishing solution that I've already mentioned. So, with that, I mean, you're welcome to stay. I know it's late for you, but please hang out if you'd like. Jason, Bryson, kick things off today. And, uh, yep. Let, let us know where we go from here. Uh, I need the ability to screen share. Okay.

So all you need to do and si, uh, Crowdcast is a little funky, Jase. Yeah. Hover over your face and you'll see a little, uh, computer. Oh, yeah. That's intuitive. Yeah. Ex, exactly. And, um, and then once you do, you're gonna expand, you'll see a little area tip. Yep. Yeah, I got it. I got it. You're a little technical is what I want. Yeah. Is that, that did go, I think it went, maybe it went. I quite yet. Go get it. Hold on. I'm, I'm on a Mac.

I gotta go like, give it my first born, so it can do this. Two, four minutes. Amit, what time is it there for you guys? And, uh, and is it, it is, uh, it's early. It's, uh, 10:00 PM. Oh, it's 10, early. Yeah. You're typically doing calls and, yeah, you know, one, two in the morning. So, thank you. Bryson, how did you guys fare, by the way? Um, with all the, uh, cold in, uh, Texas? Uh, well, it, it was cold, but, uh, I, I was one of the few people who never lost power, so. Wow.

I, I've actually got a full house right now. I've got some people who are still sheltering here. They, uh, uh, some family whose pipes burst and their house is getting repaired, so they're staying with me. So if you hear kids yelling in the background, uh, that's not usually how it is in my house, but it is this week. All right. Well, we really appreciate you and Jason coming out here and, you know, giving your time to the community.

Um, you guys know a lot and, um, let me let you both kick it on off. Jason, maybe if you could just, as you, as you kick things off here, talk a, you know, just tell us briefly about your background and what you do, and as you guys talk through, it'd be great. Sure, sure. We'll, uh, uh, I'll go ahead and kick things off. So, uh, welcome everyone. Uh, we're here to hopefully teach you guys a tiny little bit about, uh, some vulnerability exploit stuff.

Uh, I tried to not make this too technical because I know this is a business focused crowd, typically. Uh, so we made it a little bit technical. Hopefully not too technical. We have a demo. Tomorrow's demo will be better. There's just more to show with the web stuff than there is with, uh, vulnerability scanning stuff. Uh, so here we are. Bryson, you wanna kick yourself off there? Sure, Sure. So I'm a senior threat researcher with, uh, with Perch now, ConnectWise, um, also the Dungeon Master.

I run our weekly D&D game. Um, I do malware analysis and collecting threat intel, uh, from different OSINT sources and threat hunting. Um, just a lot of different, uh, intel stuff, uh, as well as our weekly threat report. I'm the one who's been publishing those lately, so that's kinda what I'm doing. I've been in the industry for 20-ish years, something like that. You know, the, uh, first IT job I had, we were dealing with Y2K, um, and, and did a lot of Linux admin stuff.

So mostly a Linux background, worked for a web hosting company. Um, and then I've been doing security for, specifically for about a decade or so. Got my OSCP back in like 2007, something like that. Cool. Uh, my name's Jason Slagle. I'm a VP of operations at CNWR. Uh, we're a small, medium-sized managed service provider in the Toledo, Ohio area. Uh, I too have been doing this for, uh, probably about as long as Bryson, uh, kind of an old IRC nerd, right?

So I kind of stumbled into security by running an IRC server, because if you ran an IRC server back in like 1999 and 2000, you were command and control, right? Like, so basically all of the original, uh, exploits and botnets and all those other things were using IRC for command and control. Uh, ran a LL net server and ran their exploits team for a while, right? So, uh, had some experience, uh, doing that for a while. Uh, moved back into the MSP space, I don't know, maybe eight, 10 years ago.

Uh, just been trying to build our security offering and get better at everything. Well, awesome. Thank, thanks, Jase. Cool. We'll talk about why we're here for a little bit, right? So we've identified, essentially, or I've identified, and I think Bryson tends to agree, that, uh, MSPs have a little bit of a blind spot when it comes to security. Uh, in particular, I often see that MSPs are blind to their own security, right? They're, they're not blind to their client security.

They take great care of their client security, but a lot of 'em, I'm seeing, don't focus that same, uh, that same mindset and trust inward, right? So we want to talk about some of the things that are, uh, we see, or I've seen, and I'm sure Bryson has seen, from both my own experiences at an MSP, looking at other MSPs, uh, from talking to others in the industry, and just things that, coming from a non-traditional MSP background, I've seen in the industry, uh, that I think are problems that we should look at. Uh, one of the big things that we're gonna focus on here is how tool heavy MSPs are. Uh, we'll, we'll talk about that briefly here a little bit, right? Uh, we're very tool heavy, and we tend to rely on things like our RMM tools to keep us protected, right?

But sometimes those tools are not sufficient, right? So one of the big things we wanna focus on here that we're gonna get to in a second is that those tools, uh, they can lie, they can make you feel like you're secure, and they just generally aren't enough, right? So we want to focus on, uh, other things that you need to add into the toolset, another tool, if you would, uh, to basically fill those gaps, right?

And, and to try to expose some of those things that, you know, maybe you haven't thought about with regards to, uh, the things that you're running for both yourself and your clients. Uh, this is gonna be an overview. Uh, it's not focused. There's just not enough time to go into in depth on how to hack things or how to win a CTF or any of those sorts of things, right? So this is gonna be a 10,000 foot overview here. Uh, apparently I've somehow become a prize.

So, uh, if, if anyone finds this stuff super interesting and wants like a more, uh, hands-on, like, Hey, this is how you would solve this particular challenge thing, you know, we can obviously do that, or we can do, uh, whatever we're looking for, uh, as we go through that stuff. I'm gonna kick it over to, uh, Bryson here, and we're gonna talk a little bit about patching and vulnerability management. Yeah.

So first thing we wanted to talk about is the difference between patch management and vulnerability management. A lot of times, uh, people get those confused or they think they're the same thing, and they definitely overlap, but, but they're not the same thing. Um, so let's, let's talk about some of the differences. Let's go ahead and look at the next slide. All right. So, so first of all, one, one of the differences, uh, patch management, not all patches are security related.

Some of them are just bug fixes, so that you probably already knew that. So, patch Tuesday comes around, uh, you load all of your patches on your Microsoft servers and systems. Uh, some of those are security fixes, some of those are bug fixes, et cetera. Uh, but on the vulnerability side, um, not all vulnerabilities can be patched. Uh, some are misconfigurations.

Um, there's, there's a lot of other things that can be vulnerabilities rather than there was an exploit discovered in XXX software and the, uh, vendors released a new patch for it. So there's some overlap, definitely, but that's not the whole picture. Um, also, don't just patch your Windows systems. Everything needs patched. Everything has vulnerabilities. If it's connected to a network, any network anywhere, it could have vulnerabilities.

And, and one of the big things that, uh, Jason and I were talking about that, that a lot of people have a, a kind of a, a blind spot on are, uh, firewalls and all of your IoT devices. Um, IoT is huge and is constantly being exploited. And it's, it's, uh, in general, IoT devices usually have pretty poor security. So there's a lot of things that you wanna do, even besides just patching.

There's, there's some things you can do to kind of mitigate those vulnerabilities that you need to watch out for. We're gonna talk about that a little bit more. Um, that's, I think, uh, go back, go back to the slide. I don't think I was done there. So, okay. Uh, we talked about, uh, uh, some other differences. So patch management is limited in nature. And, and, uh, Jason, you, you put this in here about RMM. Did you have something you specifically about RMMs you wanna say? Yeah, Uh, yeah.

We've, I've definitely seen instances, and I wanted to call this out specifically, made myself a note to call it out. Uh, I'm gonna pick on one of the vendors here in particular that you may or may not indirectly work for, but they're not the only ones, right? They're just the most recent time I've come across this problem. Uh, you, this was a huge problem with Windows 7 systems, right? Like your, your, uh, RMM software, Automate in this case.

But I believe, uh, I believe that N-central had the exact same problem. It would say you were fully patched on a Windows 7 system, right? And, and the reality is, is you weren't patched, right? The, the Windows Update agent was busted and didn't see any patches available, so you'd run Windows Update and it would run Windows Update, and it would say everything's good, right?

But the reality was you were months and months behind in patching, and, uh, it happens less frequently on Windows 10. And the vendors are starting to basically not rely on that, you know, built in Windows update agent to determine if you're patched, but it, you know, blindly following what your remote management, monitoring and management platform is saying, can oftentimes lead you down a road of thinking you're protected when you're not. Yeah.

And oth, other things to watch out for, um, with, uh, vulnerability management, is you sometimes have false positives, you've gotta watch out for that. Um, Red Hat in particular, if you're doing just a vulnerability scan against it, will produce a lot of false positives because they will patch things upstream without actually changing the version numbers of their software. So a vulnerability management tool, uh, for the most part, it's not actually trying to exploit anything.

It's usually just checking to see what software versions you're running, and then checking that against the database to see if that version is vulnerable. But with, with Red Hat, for, for whatever reason, they've decided to just patch things without upgrading the version number. And so you've gotta do a little bit of digging and, and look in the, the data.

Um, there's, there's an RPM command you can run, you know, to, to see, to, to, to look at all the notes related to all the, the particular applications that you're running, and see what they've been patched for. Um, what was, one of the things I've, I've done in the past, uh, as a sysadmin was, you know, related to PCI scanning and, and not as the scanner, but actually as, as someone who was being scanned.

And, you know, we'd get these reports back with like a list of all these vulnerabilities and, and we'd have to go through and like, pull out this information and show, okay, so we're, we're running this version of Red Hat and we've actually got this patch applied. Um, and you would, you know, pull out the, the information from RPM and like, show that this particular CVE, for example, was patched, even though it says it's this version.

And, and then the other thing you've gotta look out for, it's not just a matter of let's load all the patches, let's, let's get everything fixed. Um, but there's also risks involved. So sometimes a, a patch or an upgrade to your software may break things. Uh, it may be specific to your environment, it may be larger than that, but you've gotta kind of weigh the risks of that. You need to test your, your patches and, and your fixes. Um, and, uh, just, just another thing to kind of keep an eye on.

And so you need to keep that in mind. And when you build out your infrastructure and your customers' infrastructures, you know, think about, um, other things that you can do to help mitigate risks rather than just patch everything. And I think we'll talk about that a little bit more later. Yeah. They call patching trading a known set of bugs for an unknown set of bugs. Yeah. Okay. Next slide.

And, and another thing we wanted to point out is just the difference between pen testing and vulnerability scanning. So, you know, vulnerability scanning, you are essentially just, just checking to see what versions of things you're running there. There's a couple of of other checks that might run depending on what scanning engine that you're, you're using. Uh, but it's just trying to find vulnerabilities. And it's comparing that against known vulnerabilities and, and known rules.

So it has a database of, uh, of rules that it's comparing things against. There's almost always gonna be a false positive. It's very rare that you'll run a vulnerability scan and it's just a hundred percent accurate. There's gonna be a false positive. So you kind of, kind of have a, uh, you want a good engine that's gonna give you some details and some things that you can test for. You know, I've seen some that'll actually include commands you can run to check to see if you're vulnerable.

Uh, so, so those kinds of things, you've always gotta check for those. And your vulnerability scanner is only as good as the database. Now, a penetration test, you've actually got, uh, a nerd behind a keyboard who's, who's kind of running the show. So they, they may use a vulnerability scan as part of their tool set, uh, but they're gonna do a lot more manual, uh, attempts.

They're actually gonna try to exploit things rather than just, you know, check the version or, or get a server response and assume you're vulnerable. They actually are going to attempt to get in, depending on the, the scope that you define, you know, when you actually do a penetration test, you've gotta, you've gotta define the scope, uh, but they're going to use that scope to determine how far they get in. Uh, but they're actually gonna try to exploit.

And then there's, there's some different variations, you know, red team versus purple team, um, and, uh, a penetration test. Usually very few people will have an internal team for this. It's usually an external team that's gonna come in and, and do this for you. And it's usually somewhat pricey, right? So this isn't a thing that you can necessarily see your small, medium business clients, you know, doing, right? Like they don't have the, uh, attack framework, right?

Or the footprint, or really warrant it. Or maybe it's infrequent. Uh, but if you're a medium to large size MSP, it's something I would certainly consider, right? Like, uh, uh, I can talk about when, when we get to the "what does it mean" piece of this towards the end here. Some of the things that keep me up at night, uh, we can talk through some of those things. 'cause it's probably not what keeps other people up at night. Okay. Moving on.

So we, we've kind of touched on this here a little bit, like relying on your RMM tool, right? And I think that Wes touched on this and, uh, maybe Chris earlier, uh, in the discussion, right? But your network is made up of so many things that aren't, uh, that just aren't Windows devices, right? And they're just not devices that your RMM tool is gonna be able to touch, right?

If you use that tool, I think Avi and a couple of the other, Domotz, however you say that one, I think they do a good job or a reasonable job of, you know, pulling out, you know, firmware versions on some of these devices, right? But there's a bunch of others on top of that. Like, when's the, when is the last time you patched a switch? Right? Like, I, I can tell you, taking over clients from, uh, other MSPs, I have never walked in to switches that don't need patching, right?

Like, it's just not a thing people think of. Uh, Bryson, I think you have a good example of people not, uh, patching firewalls that you've been going through recently, Right? Yeah. Yeah. I, I forgot about that. Yeah. Um, yeah. Last week was talking with the, uh, the ConnectWise incident response team. And they've had a, some customers that had some ransomware issues. And in three cases in the past month, they've tracked them down to a, uh, specific FortiGate vulnerability, uh, from 2018.

So, so this is something that's been known, uh, FortiGate or Fortinet sent out notifications to everyone back in 2018 when it first came out. Uh, it was in the news again in, uh, November of last year. 'cause somebody, uh, did a, a mass scan across the internet and, and pulled up a list of devices. They had like 65,000 devices, uh, that were still vulnerable. Uh, and that list was, was published.

And again, Fortinet sent out another, uh, um, another sort of bulletin to, to all their customers, Hey, you need to patch this. It's a serious vulnerability. And then, you know, a few months later, we're, we're still seeing people that haven't patched their devices and are being exploited. Yeah, I mean, this, it is a constant problem. And what I tend to run into, so, uh, routers, right? Like obviously you see that, but cameras, right?

We just had an incident with a client of ours where some third party security vendor installs a DVR on the network, the DVR, they want some port forward, forwards in, we're good about, almost always they go on a DMZ 'cause we don't trust them. Uh, but the, the camera vendor wants some port forwards in so people can view from their cell phones, that you put 'em in. The camera system ends up compromised, right? Uh, in almost every case so far we've seen, it's just a botnet, right?

But there's really not a huge amount of difference between it being a botnet and it being a foothold that they could use to further infiltrate the network, right? So as we talk about things you can do to protect yourself later, that's a, uh, that's a thing to think about is, you know, you've got third party vendors that are putting like copiers, right?

Like, you know, I was sitting here earlier, our guys were complaining about some copier vendor recently that wanted us to turn SMBv1 on. How, how old is a firmware on a copier that it needs SMBv1, right? Like, how many different ways can I exploit that copier and use it? I ex, extract the AD credentials out of it that it's using to do scan to folder, use that to log into a server, right? It's probably allowed, right? Go through. And now I'm into a server, right? Just go from there.

So when you start talking about pen testing and, and things like that and, and, and more advanced things, you start to think about the whole, the whole gamut of things that is security and not just, uh, individual like end workstations. Uh, same thing we've had, or, or I've seen over the years, uh, lights out management, right? So both iLOs on like HPs, Dells, IP KVMs, stuff like that. Terrible, uh, I've seen multiple instances of those things.

They get owned, they have default credentials on 'em. They have back backdoor undocumented default credentials on 'em, right? And people just, they walk into 'em. And right now it's all mostly crime of crimes of opportunity where they're just botnets being used for amplification attacks, right? But, uh, it, it's, again, only a matter of time or, or if you're targeted, uh, those are things that people will be looking at to attempt to break into your network.

So there, there are things that you have to consider when you consider your entire, uh, security, uh, foothold there. Yeah. Just, just in the Perch environment, what, what we, one of the things that we, we kind of track on the threat intel side are, um, just, just because we see so much of it, we see a lot of Mozi, which is a Mirai variant, which is, it's all IoT based, and it targets like a lot of NETGEAR stuff, a lot of DVRs, and it's, it's all a botnet, but there's so much of it.

We literally see between 50 to 60,000 unique URLs related to Mozi every month. There's so much of it out there. So, you know, what can you do? There's, fortunately, at the risk of adding potentially another tool to your toolset here, there are tools that you can use to help you find some vulnerabilities, right? Uh, there, there's tools to help you manage and document the risks and look at your vulnerabilities.

A lot of these tools are very commonplace in the, uh, enterprise world, but the MSP world and these small, uh, small, medium businesses are, uh, are, they're just late to the party, right? They're just not, they're not getting that, they're not doing the work.

Uh, so we will talk about a couple of 'em here, uh, as I give a demo of two in particular, one of, one of which is I think a product that Andrew's involved in, uh, that I think is good for everyday use for MSPs, and then another one that I personally use to do vulnerability scanning. But it's worth noting that, uh, these tools, uh, especially Nessus, which is the first one I'm gonna show, they require some base level knowledge.

There's, uh, a huge amount of false positives that these tools bring. And I'll show that, uh, I'll show you. Uh, I actually went through, I wanted to demonstrate something shiny. So I, I, I built a thing. We'll see if I can get the eight different screens I have to do to share, to properly be able to show it. Uh, but I, I wanted to show something shiny. So, uh, I went through a vulnerability of a system and, uh, I'll talk through when I get there. So, we'll, we're gonna move on to that.

We're going to try to do some screen sharing here and cross my fingers that it goes like I think it will. How do I, okay, so if I click that, I think, hey, look at that. It's magic, Jase. So I'm gonna go ahead and switch over to the browser tab now that has the first thing I want to show in it. Maybe, thinking, hey, look at that. So, uh, the first tool I wanted to show is, is just run a simple scan on, is a tool called Nessus. Uh, Nessus is one of the de facto, I think, standards.

It's been around for literally years. Uh, it's one of the oldest ones that I've known about. Uh, and it's a vulnerability scanner, right? So what that means is, uh, it, it can go out, it uses, as Bryson said earlier, a canned list of plugins and checks that it does, uh, to, to scan a system, right? So I'm gonna go ahead and run a scan, and then we'll talk about what on one looks like. While this runs, uh, I've pre-configured this here. Uh, I have a number of VMs running here.

So no, no actual systems were harmed in the making of this. They're just VMs running in Fusion on my system. Uh, we're gonna scan this IP. Uh, I did give it credentials to log into the system with the, my test user here, just so we can go through them. Uh, so I'm gonna go ahead and save that and launch it. It's gonna take, uh, I don't know, probably five minutes to run here. So I wanted to get it started while we talked through some of the challenges that a tool like this can bring.

Uh, and I'll try to make this bigger. 'cause I have a feeling it's tiny. Get that. Yeah. That's, that's much better. Yeah. Yeah. It's not super responsive. So, so Jason, you wanna, uh, maybe explain the difference between a credentialed and a non-credentialed scan and why you wanna do both? Yeah, uh, actually I'll go through it here. 'cause, so I've previously run a scan, uh, and so we can go through this here, and I have both credentialed and non-credentialed results in it.

'cause I figured that was totally worth covering here, right? Uh, so I scan, I stood up as part of this, uh, exercise here, just for us to have something to talk about here. I stood up, what, four VMs here. And this is a DHCP server running on Fusion, uh, just to scan here, right? And, and two of these systems are credentialed scans, and we'll talk through those here in a second. And one of these systems is a non-credentialed scan.

Uh, and there's a particular reason I wanted to do the non-credentialed scan, which we'll get to here in a moment. So, we'll, we can go through here and look, right? So this system here is, is a Windows system, and I did a credentialed scan on it. Uh, this system is actually, if any of you sat through the, uh, hunters thing they did a while back, the hack it thing, this is actually the system I used to hack it, right? So it's, it's been sitting basically dormant since then.

Uh, so you can see that it found a bunch of things like, uh, uh, you know, a Flash Player still installed on it, right? It's, it's missing several security Windows updates, right? So it can, you can see here that, uh, it's looking at the actual version of the NT OS kernel, right? So it's not trusting, uh, that Windows Update says it's up to date, right? Uh, on top of that, this thing will give you, uh, risk scores associated with not patching these things.

It'll give you links to knowledge base articles. It'll give you links to CVEs, right? However, you're like, oh, man, this thing's awesome. I totally need this thing. It, oh, I try to make it bigger. Uh, it false positives a ton. Uh, let me reload this page here to see if, uh, if it, if it gets, no, it doesn't, I was hoping it would get responsive. Instead, it just gets giant, uh, right?

So you can, you can see some of these knowledge base articles talking about things that the system is not actually vulnerable to. And we see that somebody called it out in the chat earlier. The other thing we tend to see are systems that, uh, are vulnerable, but the patch is installed, right? There's a, there's a number of Windows vulnerabilities where the patch isn't enough to mitigate them, right? They, they may require a patch and like a registry edit, or even worse, right?

Like you, you, a patch comes out for something, we'll call it, I don't know, Zerologon maybe, right? And, and you still have things that need that. So you push a GPO that turns that off, and then you just never revisit it. Like we, we, I'm going through a client now that still has, uh, some SMBv1 that they thought was off, 'cause they were pushing it up via GPO and they, it's just in a giant GPO. And this is co-managed, right? We don't take care of it.

So, uh, we did a security scan for 'em, and I called out a hundred systems that were missing patches, uh, or missing basically the mitigation because GPO was turning it off. Uh, we see that, uh, with some UNC hardening stuff with GPOs, right? There's a number of things where, you know, you may be patched and you think you're good because you have the patch installed, but you're actually not.

But at the same time, we also see things like on this host, this is, uh, my CentOS box that I stood up just for this, right? You can see that it's got a bunch of vulnerabilities here. Uh, what, what is it? 134 different vulnerabilities here, right? Including, and I, I would specifically wanna call this one out here, including the sudo vulnerability for the recent, uh, sudo, uh, I forget what it's called. Uh, it's CVE-2021-1530, no, 3651.

Uh, and I know that because I've spent several hours in the last couple of days trying to exploit it so I can show you guys it, right? So it shows up as being vulnerable to that. But we'll see here in a second that it's not as vulnerable as it would initially seem. Uh, on top of that, here I have an Ubuntu box, uh, and that Ubuntu box, this is a non-credentialed scan, right? So we're getting things that it can discover via the network. Uh, we're getting some backup file disclosures.

There's a git repo in there, right? We can, and then a bunch of default information. It's running MariaDB, right? It's running, uh, uh, an Apache web server. Tomorrow, we're actually covering, uh, web exploitation, right? And Bryson's gonna spend a lot of time talking through the OWASP Top 10, right? And, uh, uh, we're, we're gonna go through what that looks like. Uh, and I specifically wanted to scan this with the non-credentialed scan because this is running something called DVWA.

It's the Damn Vulnerable Web App, right? Which is a playground you can use to do web exploitation testing. And it's vulnerable to literally hundreds of different web vulnerabilities. But Nessus, as good as it is, finds what, three, four mediums, right? It, it doesn't find anything, right? And so we'll talk about, uh, if you have web properties and you're doing web stuff, how there are, there's an entirely different, uh, tool set that you have to tend to use to do these sorts of things.

Uh, we'll go back here and see if our scan is done running. Oops, I didn't mean to do that. Uh, uh, so this is again, me scanning that same CentOS box. I did update a couple packages, but it, it runs, I don't know, in, in 20, 25 minutes. I believe it's still running. Nope, it's done. Uh, it only found 87 vulnerabilities this time, 'cause I ran, nope, it's up to 118. So it must actually still be running. Uh, it, uh, we can see here. Yep, it's still running.

So it'll go and you can view live the vulnerabilities as they come in. It should, in theory, find all of the vulnerabilities that that other system found, because it's the same system. I patched one or two packages. Uh, but what I wanted to show is that these tools aren't the best thing ever. Uh, and the reason is they're wrong a lot, right? Like, they, they basically, they give you starting points to look at. So I ran a non-credentialed scan against, uh, this Ubuntu box, right?

So if you look at this Ubuntu box, you're like, oh, man, it's in way better shape than the other box, right? But let me stop screen sharing here and go to my other console. I feel like I'm saying the word box too much. It's, uh, sounds fine to me. I, I haven't, I haven't caught anything. Yeah, it is, it is. I, I have too many things running. Yeah, that's the one I want. Hey, look at that. Okay. Oops. Definitely didn't want to do that. Uh, oh. Plus plus, plus plus. Clear. Okay.

Can you see that at all? Uh, it's a little fuzzy, but yeah, I can see you just typed SSH. Okay, I'll make it even bigger. Why is it unclear when I do that? I don't know. We'll, we'll blame the crowd test. Okay. Yeah. So I wanted to actually log into that, uh, Ubuntu system. All right? So this is an Ubuntu 20.04 system. Uh, it's, it's out of date. If you can't tell, I'm, I'm looking at it here. It's got a hundred or 230 updates that it wants to install, one of which is a security update.

You can probably go out on a limb and say what that security update is, uh, that it, that we wanna run here, right? So looking at this from Nessus on the, uh, on the top side of it, you would've thought that this machine isn't actually all that vulnerable. But if we call this, we're suddenly root, right? So this machine is definitely vulnerable to the sudo, uh, sudo vulnerability, right? It's a 20.04 right outta the box that sudoedit runs you. I'm in here. I'm, I'm in a root shell.

I don't know how many of you guys are familiar with, uh, Linux, uh, but I am basically administrator on this system now, right? And, and if you, if we looked at Nessus with an uncredentialed scan, you would've immediately thought that, uh, this machine was not vulnerable versus this machine, which is, uh, a CentOS 7.6 box, right?

And I ran that same exact exploit on this machine, and I spent almost three hours last night attempting to use CVE-2021, uh, 3156 on this machine to exploit it. And even with SELinux off and a bunch of ASLR slides and stuff like that and tuning stuff, I was unable to compromise this machine using, uh, using that exploit, right? That's not to say that it's not vulnerable, but both research I did and my own testing indicated that it's not as easily exploitable as Ubuntu is, right?

So here we have an example of our exploit tool basic, uh, basically telling us that this is terrible and that this thing is a critical vulnerability that needs patched right away. And while it is, it doesn't necessarily mean that it, it's, it's something that is actually, uh, actionable. Uh, another recent example of that, we have a bunch of Cisco gear in the lab here, and some of it's running some older IOS, right?

And it came back, it scanned with SNMP, it came back with a hundred different, uh, CVEs against it that all need patching, but almost every single one of them was for something called Cisco EnergyWise, right? So it's like, oh my God, you need to update IOS on this thing. Well, no, I don't run Cisco EnergyWise. I've actually, I had never heard of it. I had to research to find out what it was.

So the, the point I'm trying to drive home here with this is that these tools are only as good as the users behind them, right? Like, don't be an MSP that just goes out and buys Nessus, produces a report, and that just vomits the report on the end user going, here's your 9,000-page report of vulnerabilities on these systems. Uh, you need somebody that can go through and, and triage them and do the work to determine, uh, what's actually vulnerable and what's not.

And you, you should very much, uh, look to do something like this on your own networks. I'm gonna stop the share and go back, show one other tool along those lines. Uh, I'm actually, and I'm, I'm only gonna talk about this briefly because we're still, I'm still in the stages of demoing this tool, uh, but I feel I would be remiss if I didn't at least call it out. So, uh, our, our kind host Andrew here, uh, is involved with a company called, uh, CyberCNS.

And, and they, they have a, a, a tool that is entering this space. It's, it's relatively young, uh, but it does a very good job of repeatedly scanning, right? And, and for a lot of MSP use cases, it's likely good enough for day-to-day use. You can schedule it to scan, I think it scans daily by default. And the awesomest thing I think about this is that when it finds vulnerabilities, it actually opens tickets in your, uh, in your PSA tool, right?

So it'll, it'll connect, uh, ConnectWise, it'll connect to Autotask, uh, and it will raise vulnerabilities on systems that it finds. Uh, I don't know that this right now is a one-to-one replacement for something like Nessus. Uh, it's, again, these tools are only as good as their databases are. Uh, but this is a very good tool that could supplement, uh, uh, periodic scans, uh, that you would do with a, uh, somebody that could do them for you if you didn't have the capabilities in-house.

Uh, so I just wanted, I wanted to talk about that for a minute. Like, uh, I think Andrew, I don't know if he's had anyone on that's talked about it, but I think this tool shows a lot of promise. Uh, we're trialing it internally, and I've been tinkering with it. I've done a couple of feature, uh, requests back. Oh, look, he came back. I talked about his tool and he came back. Uh, I, I've done some speaking about it. Well, we helped them with their go-to-market. Okay.

Um, but, um, but yeah, it's, it's, uh, we have, it looks like some of the folks on here are using it as well. And yeah. Area. Yeah, it's, it's, it's a good tool. Uh, I've been pleased so far, ag, again, I don't think it will displace Nessus for my use case, right? Uh, but it will definitely supplement it and especially, uh, it would allow me to displace something like RapidFire Tools or something along those lines.

I feel, I feel like I can't trash talk any vendors 'cause they're all sponsors. Uh, uh, but it would potentially allow me to displace something like that for assessments, right? With more of a security focus. Uh, let's see, back to the slide deck. I feel like I kind of word vomited a lot there very quickly. Yeah. Tony had a good point that you also need to protect your vulnerability scanner because yes, when you run a credentialed scan, you know, you're, you're saving credentials. So yep.

If your vulnerability scanner gets hacked, then those credentials could be exposed. Yeah. And I think that's like part of our next, uh, talking point here on the slides, right? Like what you can do out, uh, to do, to protect yourself, uh, is, I pointed out earlier, MSPs use a lot of tools. Uh, the security, uh, standing of a lot of those tools is somewhat suspect to me. A lot of these tools are very old legacy tools that haven't had a lot of security review.

Like, regardless of what the vendor wants to tell you, uh, you need to consider the security footing of every tool that you, well, they're not, they're, they're only the most recent. Uh, they're, you need to consider the security of every tool you bring into your network and whether the, uh, the footprint, the security footprint that you're giving to that tool to do its work is worth it, right? Like, I, I'm gonna pick generally here and not, and not name a tool by name, right?

It's a tool I actually like and we use internally, but it brings Node onto systems, right? And it, it, it's, I don't know that in every case, it's worth bringing Node.js onto a Windows box, right? For the value that that thing brings me. 'cause now I have a whole nother attack footprint that I've opened up, but I think that you should just assume you're breached all the time. We've been, the, the, the entire day has been kind of, uh, kind of preaching that.

Assume you're breached, act as if you're breached, protect your things, right? Consider every device in your network, right? Don't just consider your Windows boxes. So what do you do if you, uh, what do you do if you assume you're breached? You segregate, right? Like, does it, do you have to have, uh, do you have to have cameras on your main network? Do your, does your voice network need to talk to your servers?

Does your, uh, is there any reason for anyone other than a jump box or something to talk to an IO, right? Like, does your VMware management interface need to be, uh, exposed to everyone on the local network, right? Like, there's, these are all things that we should think about as MSPs, uh, to try to increase the security footing of ourselves, uh, on top of our own customers. Uh, secure your own house, right? Like, if, if you can't, we're as MSPs again, I think we client focus a lot, right?

Like, but it took us a long time to dogfood, right? To basically eat our own dog food and, and start bringing those same things that we're doing for our clients in-house. And I think that's a bad approach to take. And you have to start internally. Uh, and, and only once you're secure can you, can you attempt to secure your customers? Uh, you don't want to be the next, uh, news item of an MSP that's breached.

Uh, I can tell you, being in a community where an MSP was breached, your competitors getting breached seems like a great idea, but it makes the entire community afraid of MSPs, and that's not good for anyone. Uh, and then the last message is, you know, there's, there's people that can help, right? It's like there's, there's a number of people on these various cyber calls.

There's people in the community, there's, uh, there's people on Reddit, there's Facebook groups, there's 9,000 unofficial peer groups right now of people that are willing to help you, uh, either in paid or unpaid engagements just because they want to see the entire community get better. Bryson. Um, yeah. So we just wanted to talk real quickly about some other resources that are out there to help you learn a bit more specifically just about exploits.

So once you've done your vulnerability scan, how do you actually check to see if you can, you know, exploit what it says you're vulnerable to? And that's where some of that red team stuff comes into play. So there's a lot of great resources for that. One of them is, or CTFs. Now, we've, uh, through Perch, I've put together a few, uh, I think we did five last year, um, through, uh, some of the cyber call events and through IT Nation and then like at ichan.

Um, so, so those, those are great opportunities to learn some new tools and learn some tactics in a fun sort of gamified way. Um, but you don't just have to do the ones we're sponsoring. There's, there's literally probably two to three CTFs, uh, happening every week. Uh, so there's a site called CTFtime.org. Uh, if you go there, you, you can see what's coming up. There's actually like a league. Uh, so all that's happening, some other resources.

There's, there's a couple of sites you can try out, Hack The Box or TryHackMe, uh, they, they have, um, just a lot of different security challenges. Uh, some, some red team, some blue team, uh, TryHackMe in particular has like a lot of different topics that kind of cross the entire range of all things security. Uh, and they've got a, actually, they have labs set up, so it's not just go watch a video. These are hands-on experience that, that you can, you can learn.

Um, and they, uh, I think, I think Hack The Box is pretty much more of here's just some, some different environments you can hack away at, but TryHackMe, they have all these different rooms that, uh, frequently actually have tutorials that go hand in hand with these, uh, these virtual machines that you can fire up and, and, uh, you know, get this hands-on experience. Um, we, uh, Jason mentioned earlier DVWA, so that's something you could do, you know, internally, but also Metasploitable.

But these are virtual machines that are specifically designed to be vulnerable so you can test out, uh, your skills and kind of learn how some of these vulnerabilities work. Uh, and then there's a lot of people who are producing content online about security and hacking and vulnerabilities. Uh, John Hammond is one; he works for Huntress, uh, Huntress has worked with Perch on some of the CTFs that we've done. Um, I've, I've, John and, and I have done some videos together as well.

I think Jason's done some with them too. Uh, CTF and Cigars, that's, that's me. That's the, uh, Twitch show that, that I've been doing on the weekends. Uh, Saturday mornings at 10:00 AM Central where I light up a cigar and I talk about CTFs and hacking and other security related topics. Uh, so, so there's, there's some of the resources out there. There's, there's so much about this topic on the internet, there's so many things that you can look up.

Uh, and there's some links as well to, yeah, Nessus and CyberCNS and, uh, the, uh, CEH, Certified Ethical Hacker, is, it's a good place to get started. Starting point. Yep. Yeah, they, they, uh, uh, CEH, they, they basically just kind of expose you to all the different tools that are available, uh, so you can get some basic familiarity with them and, and the techniques behind this ethical hacking, uh, concept. Cool. So questions, I'll take questions kind of.

We got, we got one in the, uh, poll here from Dennis who knows a few things about vulnerability scanning and management. He says, uh, do you ever actually exploit SSL vulns like POODLE or SWEET32? No. I, I mean, somebody asked earlier in the chat about, uh, about like, do I trust a website that doesn't, that the SSL doesn't have SSL on the login page. And the thing is, they're, they're not, we can, we can learn a lot about a company at this point that is letting you log in without SSL, right?

However, SSL is only information disclosure, and that may or may not be a big thing, right? Like you may or may not be able to grab credentials. Uh, but for internal tools and things like that, good luck getting, uh, VMware to, you know, run TLS 1.2 only on like a, you know, a vSphere 6.5 appliance, right? Like, there's, there's a bunch of things you can do it. Uh, let me know how that goes. It's not great.

Uh, that being said, if you have regulatory requirements like PCI that require you to do those things, then obviously you need to do them. Uh, all of the tools will flag on those things all of the time, right? And my experience is, uh, those are almost all internal tools, and they're, they're not transiting a network that I necessarily care about, right? Like, I, I don't necessarily care if the connection between, uh, the server and the DRAC can be sniffed, right?

Because you have to get into the path between the server and the DRAC. And if you're into the point of doing that, then you're already compromised anyways. Okay. Can we do a D&D campaign around a tabletop with you as the DM? I don't know if, oh, that would be awesome. Uh, I don't know. I've, I've got, I've got a couple of, uh, existing campaigns that I've been doing with for, for a while. Um, my schedule's pretty full, but yeah, maybe we, we could do something sometime.

Um, thanks for that, Ryan. Ryan Weeks said, hey, Ryan put his, uh, disclosure program out there from Datto. They're very open to feedback on disclosure. Um, really appreciate what he's done there. With that, go ahead, Ryan. I, I have a question for you. Do you have a, do you do a bug bounty program, right? Like, I feel like a lot of these vendors, uh, could benefit from doing that. Uh, just generally it takes a lot of time and effort, right?

Like, if I could pay the bills doing, doing some of this stuff, it would go a lot, lot longer way towards me, you know, spending the hours and hours to come up with the proof of concept and stuff like that. Hey, came back. Yeah, here I am. I'm gonna drop the Q&A. There we go. There we go. Yeah, no, I, I, I caught, I, I came in at the end where you're talking about like, yeah, some vendors' products say they're secure, but they're not that secure.

And like, you know, we, we work really hard to find vulnerabilities in our products and get them fixed, but the reality is, is you guys are the power users. Like sometimes you're gonna find stuff and like, we need your help. Vendors need your help. Uh, as crazy as that sounds, right? And so, like we have a vulnerability disclosure program. I know some of our competitors have bug bounty programs.

Like if you find them, leverage those vehicles to get those vulnerabilities to us so that we can get them fixed. You're doing yourself and the community a service by doing that. And if you find a really good one, we might actually pay you for it. Yeah, that's what I, that's what he was asking. I don't know if you heard it. Yeah. As you came up. Yeah, so we, you know, we, we call it a reward because we're not necessarily gonna pay everybody money. Yeah.

But, you know, for, for one that meets kind of our criteria, you know, legal will send you a T-shirt, but like a really good one. Um, you know, that, that one we might actually pay out money for. Alright. Um, let's see. Uh, would you recommend, uh, CySA+ certification? Uh, I'm gonna let, I, I don't know it, so I'll let Bryson cover it. It's, it's a CompTIA certification. I mean, the, the thing about CompTIA is, is they're all entry level certifications.

So if, if you're brand new starting out, um, they're, they're a great way to get your foot in the door and get some basic exposure. Um, but if you've been doing this for a few years, you're probably already beyond what, what they're, they're doing. I mean, most, most of their certifications, they actually advertise for somebody who's been, you know, zero to six months experience. So they're definitely entry level certs. So I guess it just depends on where you are in your own career. Yeah. Yeah.

I mean, if you're like, already beyond the CEH, you could look at the GPEN or the GWAPT, um, from SANS. And if you're kind of already there and you're looking, looking for like next level, like elite status, uh, OSCP or OSCE is kind of the, the, the pinnacle. Um, and, and I actually have a requirement on my team that every member of my team must, uh, within a year of their employment, uh, obtain the OSCP. Yeah. And then there's the more business, CISSP, CISM kind of focused ones too.

Yeah, yeah, yeah. The ones, I have nothing wrong with those, right? Like that's, I'm probably gonna go get my CISM 'cause that's more relevant these days to what I'm actually doing than CEH or OSCP. Yeah. I like making this stuff accessible because a lot of people think you need to be like a certain type of individual and there's a certain shroud of mystery around it. And like all it really takes to be a pen tester is curiosity and persistence.

Uh, I'll tell you, winning, winning the various CTFs is, it's like 30% experience and 70% persistence and not giving up. A lot of Red Bull too, Jason. Yeah. Lot of something. A lot of staying up too late. Yeah. Almost everyone I know who has OSCP failed it the first time they took it, including myself. Uh, it's, that's normal. Yeah, it is. It is definitely no joke though. Lab portion is, it's like, uh, going for your CCIE for those people that understand network systems.

For those who aren't familiar with it, it's, it's a hands-on pen testing certification. The test is, uh, a, a lab environment and they give you 24 hours to hack all the boxes you can. Wow, that sounds fun. I might have to do that. A hacker from, uh, way back. We got Gary P back with us. Gary, hey, we're big timing Gary. Really awesome guys. I mean, thank you so much. Like, uh, today I think we had something for everybody, Andrew. Yeah. We really did.

Um, and, and, and Jason and Bryson again, um, as Gary was saying to Mike Ard and Chris, you guys give up your time. Um, you don't get anything for this. Um, I, I try, I thought, getting paid. Beard wax, say you get paid in beard wax. I was gonna say, every time I try to, you know, do something for you guys, you don't want anything, you're, you're truly awesome. Um, but, uh, in closing, uh, just again, if you, uh, wanna win, uh, that hour, there's gonna be two of them with, with Jason.

Um, you can go to the Cyber Phish, uh, site or if you're like not comfortable with that, you can always email me, um, at Andrew at the Cyber Nation. I'll just write it in here for you guys.com. In closing, Gary, we'll be back tomorrow and, uh, we'll start things off with the tabletop. Yep. So we'll have Chris, la and Wes running through actual tabletop. Dave Seabert, awesome to see you.

One of the, um, I was gonna say one of the old timers, that'll make me an old timer too, Dave, but Gary and I have known Dave for years. Welcome. Uh, good to see you Dave. Um, uh, and, and so, um, and then we'll go to go to market. We'll do go to market with you. Yep. And then we'll be back with Jason and, and Bryson and, um, on the top 10, uh, web attacks and a lot of that going on.

I think one of the, in closing, one of the really cool things that you've said, Jason and Bryson, is that think about your tools. Think about every tool, almost every tool you use, right? Has a web presence. Yep. Um, yeah, Ryan's probably afraid that we're gonna get a bunch of people trained up on ZAP that are gonna start aiming it at his tools. So, um, but anyway, I know you all have to run. I appreciate everybody's time. Um, we're all in this together.

Um, Gary Pica, thank you for all you guys do, Ryan, Jason, Bryson, and, and again, the entire community. We'll look forward to seeing everybody right back here tomorrow, and, uh, make it a great day. Everybody. Take care.
