We can all agree that having single-factor remote access gateways (VPN, Citrix, Remote Apps, etc.) exposed on the internet is a poor decision and a large security risk. These portals, can allow for a direct connection into the internal corporate environment. Once there, an attacker can begin to identify internal vulnerabilities, move laterally, escalate privileges, persist, and hoover out all the data they want. Fortunately, these portals are increasingly behind a multi-factor solution (phone call, hard/soft token, certificate, etc.). While this does help to reduce the attack surface from a direct brute force (username and password), there are often overlooked options or misconfigurations that can allow an attacker to bypass this solution or directly disrupt business operations. In this talk we,ll be covering methods that we,ve used to bypass MFA solutions to obtain internal network access from the internet.

Dan Astor: Dan is a senior operator for Security Risk Advisors' Technical Assessment team. His focus is in red team operations, network penetration testing, password cracking, and spear phishing. He has been a speaker at BSides PGH and BSides NOLA. Chris Salerno: Chris oversees Security Risk Advisors, CyberSOC services. His background is in cybersecurity strategy based on NIST CSF, red and purple teams, improving network defenses, technical penetration testing and web applications. He has conducted and led hundreds of red team exercises and has been a speaker at RSA, BSides and SecureWorld.

Recorded at BSides Philly 2017