Much Ado About Credential Stuffing presented at CarolinaCon15 2019

by Maverick

Summary: My talk focuses on the art of credential stuffing, which uses usernames and credentials from previous breaches (think LinkedIn, etc.) to gain access to important systems. I will briefly cover the history of credential stuffing and how it has impacted the world of cybersecurity, from the "bad guy" point of view. I will then shift focus to practical uses of credential stuffing. The practical uses will come from real-world pentests I have performed and will demo a tool I built with Bash to gather these credentials. One example from a real-world pentest includes the use of credential stuffing to gain access to an external Lotus Notes server, which provided hundreds of usernames and passwords via a known Lotus exploit. From there, the found credentials created a massive username list, which allowed for password spraying and eventually gaining full network access into domain admin. The talk will end with discussions on how to mitigate these sorts of attacks from a blue team point of view. Overall, I hope to gain interest from both red and blue sides and provide them with useful attack and defense information.
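As an added illustration of the blue-team angle the abstract closes on (example code written for this page, not the speaker's Bash tool or anything from the talk): a small Python detector that reads constructed authentication log lines and reports the two login patterns the abstract describes. The first check catches a single source trying many distinct accounts in a short window (the footprint of credential stuffing and of simple password spraying) and lists which of those accounts actually succeeded, since those are the users whose reused breach passwords need resetting. The second check catches spraying that has been spread across several source IPs so that no single source crosses the first threshold. The log format, the thresholds, the IP addresses and the account names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). The line
# format, the IP addresses and the account names are all assumptions.
SAMPLE_LOG = """\
2019-04-26T10:00:01 auth FAIL user=alice src=203.0.113.7
2019-04-26T10:00:02 auth FAIL user=bob src=203.0.113.7
2019-04-26T10:00:02 auth OK user=carol src=203.0.113.7
2019-04-26T10:00:03 auth FAIL user=dave src=203.0.113.7
2019-04-26T10:00:04 auth FAIL user=erin src=203.0.113.7
2019-04-26T10:00:05 auth FAIL user=frank src=203.0.113.7
2019-04-26T10:01:10 auth FAIL user=larry src=192.0.2.10
2019-04-26T10:01:25 auth OK user=larry src=192.0.2.10
2019-04-26T11:00:00 auth FAIL user=gina src=198.51.100.1
2019-04-26T11:00:30 auth FAIL user=hank src=198.51.100.2
2019-04-26T11:01:00 auth FAIL user=ivan src=198.51.100.3
2019-04-26T11:01:30 auth FAIL user=judy src=198.51.100.4
2019-04-26T11:02:00 auth FAIL user=kate src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def window_key(ts, window):
    """Fixed time bucket (index of the window since the epoch) used to group events."""
    return (ts - EPOCH) // window


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """One source trying many distinct accounts inside one window.

    Returns {src: {"users": [...], "hits": [...]}}; "hits" are the accounts that
    authenticated successfully from that source, i.e. the users whose password
    very likely appears in a breach dump and should be reset."""
    per_key = defaultdict(lambda: {"users": set(), "hits": set()})
    for e in events:
        bucket = per_key[(e["src"], window_key(e["ts"], window))]
        bucket["users"].add(e["user"])
        if e["result"] == "OK":
            bucket["hits"].add(e["user"])
    report = {}
    for (src, _), b in per_key.items():
        if len(b["users"]) >= min_users:
            report[src] = {"users": sorted(b["users"]), "hits": sorted(b["hits"])}
    return report


def detect_distributed_spray(events, window=timedelta(minutes=5), min_users=5,
                             min_sources=3, max_fail_per_user=2):
    """Spraying spread over many sources: many distinct accounts each failing only
    once or twice in a window, arriving from several IPs, so no single source
    trips the per-source rule above. Returns the ISO start time of each flagged window."""
    per_window = defaultdict(lambda: {"fails": defaultdict(int), "sources": set()})
    for e in events:
        if e["result"] != "FAIL":
            continue
        w = per_window[window_key(e["ts"], window)]
        w["fails"][e["user"]] += 1
        w["sources"].add(e["src"])
    flagged = []
    for key, w in sorted(per_window.items()):
        low = [u for u, n in w["fails"].items() if n <= max_fail_per_user]
        if len(low) >= min_users and len(w["sources"]) >= min_sources:
            flagged.append((EPOCH + key * window).isoformat())
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source bursts:", detect_credential_stuffing(evs))
    print("distributed spray windows:", detect_distributed_spray(evs))
```

On the sample data the first check flags 203.0.113.7 (six accounts in five seconds, with carol as a successful hit), while larry's single typo-and-retry from 192.0.2.10 stays quiet. The five single failures from five different addresses at 11:00 never cross the per-source threshold, which is exactly why the second, population-wide check exists; both rules should run together, and the "hits" list is the input to the forced-reset step of any response.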