Offense in Depth
A Developer’s Perspective on Hacker Tradecraft
Overview
• Introduction / Terminology
• How to get a foothold
• Identifying and Defeating Defenses
The Take Away…
If you know how something works…you can defeat it
this applies to offense and defense
Who am I?
• Solo Entrepreneur (I sell red team software)
• Armitage and Cobalt Strike Dev
• Previously…
  – DARPA CFT Performer
  – Red Team Svc to DoD agency
  – WordPress grammar checker
  – USAF Security Researcher
• Exercises
  – CDX, *CCDC, ISTS, etc.
• Primary Skill: Developer
The Take Away…
If you know how something works…you can defeat it
this applies to offense and defense
Attack Surface
• What can we, as attackers, manipulate or touch?
• What is a client-side attack?
  – An attack against an application used to view attacker controlled content.
• Why client-side attacks?
Client-side Attacks
How to get a foothold
1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim
Reconnaissance: System Profiler
• A web application (target must visit it)
• Discovers client-side applications
• Discovers internal IP address
See: http://www.browserspy.dk
Hacking with features?
Features to abuse…
• Java Signed Applet
• Disguise Windows Executable
• Microsoft Office Macros
Spear Phishing
1. Create a target list
2. Create a template
3. Choose mail server to send through
4. Send the message…
Spear Phishing Templates
Templates
Click Reply -> View message source
Templates
Sending the message…
telnet [ip address] 25
HELO whatever.com
MAIL FROM: [sender address here]
RCPT TO: [target email here]
DATA
[paste template file (remove headers first)]
.
QUIT
Now, walk this minefield…
Defenses
• Mail Defenses
• Host Anti-virus
• Application Whitelisting
• Egress
• Payload Staging
• Stay Low and Slow
Sender Policy Framework
• Defense: verify the sender's IP to detect email spoofing
• Attack: get the message to the user regardless…
Defeating SPF
• Register a typo of domain of interest
• Use a webmail provider and send attack from their servers
• Spoof another domain
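To see why the three bypasses above work, it helps to see what the receiving side actually evaluates. The following is an added example, not code from the deck or from any mail product: a minimal SPF evaluator that takes the SMTP envelope sender and the connecting IP, looks up the envelope domain's record, and walks the mechanisms in order. The records in SPF_RECORDS are constructed stand-ins (a real evaluator resolves them over DNS), and only the ip4/ip6 mechanisms and the all terminator are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real evaluator would
# resolve the envelope-sender domain's TXT record over DNS).
SPF_RECORDS = {
    "example.com":   "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "examp1e.com":   "v=spf1 ip4:198.51.100.7 -all",   # lookalike domain with its own valid record
    "nospf.example": None,                              # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(envelope_from, client_ip, records=SPF_RECORDS):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none')
    for the MAIL FROM address and the IP the SMTP connection came from.
    Handles the ip4/ip6 mechanisms and the 'all' terminator only; include,
    a, mx and redirect are left out to keep the mechanism visible."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                      # nothing published: receiver cannot judge

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # a mechanism without a prefix means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                  # catch-all: decides everything not matched above
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched and no 'all' present
```

The check answers one narrow question: is this IP allowed to send for the envelope domain? A lookalike domain whose record the sender controls passes, a message relayed through a webmail provider passes for that provider's domain, and a domain with no record yields "none" rather than a rejection. Which is the slide's point: SPF is a check on the envelope, not a judgement about who the user thinks the mail is from.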
Mail Anti-Virus Gateway
• Defense: check messages for bad stuff before delivery
• Attack: send something that passes the check
Mail Defense Recon
1. Create an attack package
2. Send it to a non-existent user
3. Make sure MAIL FROM address is an address you control
4. Wait for non-delivery notice
5. Review non-delivery notice for your report card
Non-Delivery Notices
Host Anti-virus
• Defense: check for known bad and stop it
• Attack: send unknown bad that passes the check
Defeat Host Anti-virus
1. Find out or guess which anti-virus is in use
   – DNS Cache Snooping
   – Information Gathering
   – Social Engineering
2. Put anti-virus on test Virtual Machine
3. Select undetected attack or modify existing attack
DNS Cache Snooping?
See: http://tinyurl.com/rob-dixon-is-hot
The command:
dig @server domain A +norecurse
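The +norecurse flag is the whole trick: a query with the Recursion Desired bit clear is answered only when the name is already in the resolver's cache, so a run of such queries for vendor update hostnames reveals which products the site's machines have been talking to. From the defender's side that makes the probe easy to spot in resolver logs. The following is an added example, not from the deck: it scans constructed query-log lines shaped like BIND 9 query logging (where the flags field starts with + for a recursive query and - for a non-recursive one; adapt the regex to your resolver) and reports outside clients that sent several non-recursive queries.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed log lines shaped like BIND 9 query logging (assumption: adapt
# LINE_RE to your resolver). The flags field begins with '+' when the client
# set the Recursion Desired bit and '-' when it did not; a '-' query is only
# answered from cache, which is what cache snooping relies on.
SAMPLE_LOG = """\
client 10.0.0.25#51234 (www.example.com): query: www.example.com IN A +E (10.0.0.1)
client 10.0.0.25#51235 (mail.example.com): query: mail.example.com IN MX + (10.0.0.1)
client 203.0.113.9#40001 (update.vendor-a.example): query: update.vendor-a.example IN A - (10.0.0.1)
client 203.0.113.9#40002 (liveupdate.vendor-b.example): query: liveupdate.vendor-b.example IN A - (10.0.0.1)
client 203.0.113.9#40003 (www.example.com): query: www.example.com IN A - (10.0.0.1)
client 10.0.0.40#53001 (intranet.example.com): query: intranet.example.com IN A - (10.0.0.1)
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def find_snooping(log_text, internal=INTERNAL, threshold=2):
    """Return {client: [names]} for clients outside `internal` that sent at
    least `threshold` queries with recursion turned off. One such query is
    noise; a run of them from a host that should not be using this resolver
    at all is the cache-snooping pattern."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not m["flags"].startswith("-"):
            continue                                   # recursive query: normal client behaviour
        if any(ip_address(m["ip"]) in net for net in internal):
            continue                                   # internal hosts may legitimately do this
        hits.setdefault(m["ip"], []).append(m["qname"])
    return {ip: names for ip, names in hits.items() if len(names) >= threshold}
```

Logging is the fallback; the probe only works against a resolver that answers outsiders in the first place, so restricting who may query it (BIND's allow-query ACL, or the equivalent on another resolver) removes the problem rather than just recording it.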
How does Anti-virus work?
• Check for known signature
• Apply heuristic to detect bad behavior
• Emulate binary to defeat packers and crypters
Limitations
• False positives are bad
• Non-intrusive(?)
• Only checks file at certain points
  – When loaded in browser
  – When written to disk
Getting Past AV
• Client-side Exploits…
  – Change strings in module
  – Write your own implementation of the attack
Application Whitelisting
• Defense: do not allow unapproved applications
• Attack: get agent into memory using a white-listed application
Defeating App Whitelisting
• Powershell
  – https://github.com/mattifestation/PowerSploit
• MS Office Macro
• Java
  – Create a DLL with your agent
  – Have program extract DLL
  – Call System.loadLibrary("evil.dll");
Establish C2
Establish C2 – The Pain
• Deny all outbound traffic
• Allow egress only through a proxy device
  – Attack traffic must conform to expected protocol
  – Must pass other checks as well…
• Attacker Limitation: Staging!
Payload Staging…
Payload Staging
• Stage 1
  – Must be small. Exploit used limits space
  – Encoded with Framework encoder
• Stage 2
  – Payload DLL goes over the wire as-is
  – Trivial to write IDS signature for
Payload Staging
• windows/meterpreter/reverse_https
  – Staging process happens over SSL
• EnableStageEncoding and StageEncoder
  – Metasploit Framework option to encode stage
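"Trivial to write IDS signature for" is worth making concrete, because it also shows why the two options above defeat that signature. The following is an added example, not from the deck or from Metasploit: the byte-level check that a content rule for a raw second stage amounts to (the MZ header, the DOS stub text, and the PE signature at the offset stored in e_lfanew), run over a constructed HTTP response carrying a PE-shaped blob. The blob is headers only, not an executable, and the HTTP framing is made up for the test.

```python
# Every Windows PE image starts with the 'MZ' DOS header, carries the DOS stub
# text, and has the 'PE\0\0' signature at the offset stored in e_lfanew (0x3c).
DOS_STUB = b"This program cannot be run in DOS mode"


def find_pe(stream):
    """Return the offset of an unencoded PE image inside `stream`, or -1.
    This is what an IDS content rule for a raw stage checks; it requires all
    three markers so it does not fire on every 'MZ' that occurs by chance."""
    pos = stream.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(stream):
            e_lfanew = int.from_bytes(stream[pos + 0x3c:pos + 0x40], "little")
            sig = stream[pos + e_lfanew:pos + e_lfanew + 4]
            if sig == b"PE\0\0" and DOS_STUB in stream[pos:pos + e_lfanew]:
                return pos
        pos = stream.find(b"MZ", pos + 1)
    return -1


def build_fake_pe():
    """Constructed PE-shaped blob for testing (headers only, not an executable)."""
    blob = bytearray(b"MZ" + b"\x90" * 0x3a)          # DOS header up to e_lfanew
    blob += (0x80).to_bytes(4, "little")               # e_lfanew: PE header at 0x80
    blob += b"\x0e\x1f" + DOS_STUB + b".\r\r\n$"      # DOS stub
    blob += b"\0" * (0x80 - len(blob))                 # pad to the PE header
    blob += b"PE\0\0" + b"\x64\x86"                    # PE signature + machine (x64)
    return bytes(blob)


def http_response_carrying(pe):
    """Constructed HTTP response of the kind a plain-HTTP stager receives.
    Returns the response bytes and the length of the header part."""
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/octet-stream\r\n"
               b"Content-Length: %d\r\n\r\n" % len(pe))
    return headers + pe, len(headers)
```

Run find_pe over the same response after any byte-level transform of the body and it returns -1, and over an SSL stream it never sees the bytes at all. That is the other half of the slide: a content signature on the raw stage catches the default case and nothing else, so a sensor that relies on it should be paired with something the encoding does not change, such as a small request followed by an unusually large binary response from a host nobody else visits.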
Riddle me this… Batman
Asynchronous C2
• Stay low and slow
  – Target phones home, asks for tasks
  – Sleep time? 1 hour, 1 day, 1 year?
  – C2 tries to look like normal traffic
• Life line into a network
  – Use to execute commands
  – Upload / download files
  – Spawn "active" sessions to another server
Asynchronous C2 - Beacon
Asynchronous C2 – Bro RAT
See: http://tinyurl.com/bro-rat
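The asynchronous model above has a tell on the defender's side of the proxy: a host that phones home on a fixed sleep produces requests spaced almost exactly the same interval apart, however ordinary the hostname and URL look. The following is an added example, not from the deck and not Beacon or Bro RAT code: it groups constructed proxy-log lines by client and destination, measures the gaps between successive requests, and reports pairs whose spacing barely varies. The log format (timestamp, client, host, bytes) is an assumption; map your proxy's fields onto it.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines, "<timestamp> <client> <destination host> <bytes>"
# (assumption: map your proxy's real fields onto these four). The cdn.example.net
# requests come once an hour with almost no jitter; the others are a person browsing.
SAMPLE_PROXY_LOG = """\
2013-09-01T08:00:00 10.0.0.25 cdn.example.net 4312
2013-09-01T08:00:03 10.0.0.25 www.example.org 9021
2013-09-01T09:00:01 10.0.0.25 cdn.example.net 4312
2013-09-01T09:17:40 10.0.0.25 www.example.org 1204
2013-09-01T10:00:00 10.0.0.25 cdn.example.net 4312
2013-09-01T11:00:02 10.0.0.25 cdn.example.net 4312
2013-09-01T11:31:09 10.0.0.25 www.example.org 7730
2013-09-01T12:00:01 10.0.0.25 cdn.example.net 4312
2013-09-01T12:44:55 10.0.0.25 www.example.org 2210
"""


def beacon_candidates(log_text, min_events=4, max_cv=0.05):
    """Group requests by (client, host), measure the gaps between successive
    requests, and return the pairs whose coefficient of variation
    (stdev / mean of the gaps) is at most `max_cv`, mapped to the mean gap
    in seconds. Near-constant spacing over many hours is what a sleeping
    agent looks like from the proxy, whatever the hostname says."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _size = line.split()
        stamps[(client, host)].append(datetime.fromisoformat(ts))

    found = {}
    for key, times in stamps.items():
        if len(times) < min_events:
            continue                               # too few points to call it periodic
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = round(avg)
    return found
```

Two caveats follow directly from the slide. A sleep of a day or longer needs a log window long enough to hold several check-ins before this can say anything, and an agent that randomises its sleep raises the variation and slips under a tight max_cv; in that case loosen the threshold and lean on other signals that the sleep does not change, such as response sizes that are identical every time (the 4312-byte column above) or check-ins at hours when nobody is at the keyboard.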
The Take Away…
If you know how something works…you can defeat it
this applies to offense and defense
Summary…