Offense in Depth: A Developer’s Perspective on Hacker Tradecraft

Post on 15-Jan-2016


Offense in Depth

A Developer’s Perspective on Hacker Tradecraft

Overview

• Introduction / Terminology
• How to get a foothold
• Identifying and Defeating Defenses

The Take Away…

If you know how something works…you can defeat it

this applies to offense and defense

Who am I?

• Solo Entrepreneur (I sell red team software)
• Armitage and Cobalt Strike Dev
• Previously…
– DARPA CFT Performer
– Red Team Svc to DoD agency
– WordPress grammar checker
– USAF Security Researcher
• Exercises
– CDX, *CCDC, ISTS, etc.
• Primary Skill: Developer

The Take Away…

If you know how something works…you can defeat it

this applies to offense and defense

Attack Surface

• What can we, as attackers, manipulate or touch?

Client-side Attacks

• What is a client-side attack?
– An attack against an application used to view attacker-controlled content.
• Why client-side attacks?

How to get a foothold

1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim

Reconnaissance: System Profiler

• A web application (target must visit it)
• Discovers client-side applications
• Discovers internal IP address

See: http://www.browserspy.dk

Hacking with features?

Features to abuse…

• Java Signed Applet
• Disguise Windows Executable
• Microsoft Office Macros

Spear Phishing

1. Create a target list
2. Create a template
3. Choose mail server to send through
4. Send the message…

Spear Phishing Templates

Templates

Click Reply -> View message source

Sending the message…

telnet [ip address] 25
HELO whatever.com
MAIL FROM: bounceaddress@whatever.com
RCPT TO: [target email here]
DATA
[paste template file (remove headers first)]
.
QUIT

Now, walk this minefield…

Defenses

• Mail Defenses
• Host Anti-virus
• Application Whitelisting
• Egress
• Payload Staging
• Stay Low and Slow

Sender Policy Framework

• Defense: verify the sender's IP to detect email spoofing
• Attack: get the message to the user regardless…

Defeating SPF

• Register a typo of the domain of interest
• Use a webmail provider and send the attack from their servers
• Spoof another domain
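The two SPF slides above state what the check does and why it can be walked around. The following is an added example (not from the talk) of the defender's side of that check: a minimal evaluator for the ip4, ip6 and all mechanisms of an SPF record, run against constructed records and sender addresses. The domains and addresses are made up; include, a, mx and redirect are deliberately left out. The point it makes is that a spoofed MAIL FROM for the real domain fails, while a lookalike domain with its own record passes, which is why SPF has to be paired with a check on which domain is actually sending (DMARC alignment, lookalike monitoring) and with user-facing controls.

```python
import ipaddress
import re

# Constructed SPF records for illustration only; not records of any real organisation.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # Lookalike domain registered by a third party: it publishes its own, valid record.
    "examp1e.com": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all subset of RFC 7208 for one sender IP.

    Mechanisms are tested left to right; the first match decides the result
    via its qualifier. Anything outside this subset raises so that a caller
    never mistakes an unevaluated record for a decision.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)(ip4|ip6|all)(?::(.+))?", term, re.IGNORECASE)
        if not m:
            raise ValueError(f"unsupported mechanism in this example: {term}")
        qualifier = QUALIFIERS[m.group(1) or "+"]
        mech = m.group(2).lower()
        if mech == "all":
            return qualifier
        if m.group(3) is None:
            raise ValueError(f"{mech} requires an address argument: {term}")
        net = ipaddress.ip_network(m.group(3), strict=False)
        if ip.version == net.version and ip in net:
            return qualifier
    # No mechanism matched and there was no 'all': RFC 7208 treats this as neutral.
    return "neutral"


def check_mail_from(mail_from, sender_ip, records=SPF_RECORDS):
    """Look up the MAIL FROM domain's record and evaluate it for the connecting IP.

    Returns (domain, result). The domain is returned on purpose: a 'pass' says
    only that this domain authorised the IP, not that this domain is the one
    the recipient expected to hear from.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return domain, "none"
    return domain, evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    for sender, ip in [("ceo@example.com", "192.0.2.10"),   # legitimate relay
                       ("ceo@example.com", "203.0.113.5"),  # spoofed from elsewhere
                       ("ceo@examp1e.com", "198.51.100.7")]:  # lookalike's own server
        print(sender, ip, check_mail_from(sender, ip))
```

The last case is the one worth staring at: the evaluator is working correctly and still says "pass", because the lookalike domain's owner controls its record. SPF answers "did this domain authorise this server?" and nothing more.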

Mail Anti-Virus Gateway

• Defense: check messages for bad stuff before delivery
• Attack: send something that passes the check

Mail Defense Recon

1. Create an attack package
2. Send it to a non-existent user
3. Make sure the MAIL FROM address is an address you control
4. Wait for the non-delivery notice
5. Review the non-delivery notice for your report card

Non-Delivery Notices

Host Anti-virus

• Defense: check for known bad and stop it
• Attack: send unknown bad that passes the check

Defeat Host Anti-virus

1. Find out or guess which anti-virus is in use
– DNS Cache Snooping
– Information Gathering
– Social Engineering
2. Put the anti-virus on a test Virtual Machine
3. Select an undetected attack or modify an existing attack

DNS Cache Snooping?

See: http://tinyurl.com/rob-dixon-is-hot

The command:
dig @server domain A +norecurse

How does Anti-virus work?

• Check for known signature
• Apply heuristic to detect bad behavior
• Emulate binary to defeat packers and crypters

Limitations

• False positives are bad
• Non-intrusive(?)
• Only checks file at certain points
– When loaded in browser
– When written to disk

Getting Past AV

• Client-side Exploits…
– Change strings in module
– Write your own implementation of the attack

Application Whitelisting

• Defense: do not allow unapproved applications
• Attack: get the agent into memory using a white-listed application.

Defeating App Whitelisting

• Powershell
– https://github.com/mattifestation/PowerSploit
• MS Office Macro
• Java
– Create a DLL with your agent
– Have program extract DLL
– Call System.loadLibrary(“evil.dll”);

Establish C2

Establish C2 – The Pain

• Deny all outbound traffic
• Allow egress only through a proxy device
– Attack traffic must conform to expected protocol
– Must pass other checks as well…
• Attacker Limitation: Staging!

Payload Staging…

Payload Staging

• Stage 1
– Must be small. Exploit used limits space
– Encoded with Framework encoder
• Stage 2
– Payload DLL goes over the wire as-is
– Trivial to write IDS signature for

Payload Staging

• windows/meterpreter/reverse_https
– Staging process happens over SSL
• EnableStageEncoding and StageEncoder
– Metasploit Framework option to encode stage
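The staging slides say a stage-2 DLL sent as-is is trivial to signature, and that stage encoding and SSL exist to take that signature away; the earlier anti-virus slides make the same point about string signatures in modules. The following is an added example (not from the talk, and not Metasploit code) that puts both sides of that in working code from the inspection point's view: a content signature for a PE header plus DOS-stub string, a brute-force recovery of the weakest encoding (single-byte XOR, the trick scanners and forensic tools use for exactly this), and the case where that recovery fails. The "stage" is a constructed blob, not a real DLL, and the repeating-key XOR stands in for a stage encoder; both are assumptions of this example.

```python
from itertools import cycle
import random

DOS_STUB = b"This program cannot be run in DOS mode"


def make_sample_stage(seed=1, size=4096):
    """Construct a fake DLL-like blob: 'MZ' header, DOS stub text, then
    pseudo-random filler standing in for code. Constructed sample, not a PE."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(size))
    return b"MZ\x90\x00" + body[:60] + DOS_STUB + body[60:]


def xor_encode(data, key):
    """Repeating-key XOR. Stands in here for a stage encoder; this is not
    how Metasploit's StageEncoder works."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_pe_signature(data):
    """Plain content signature: an 'MZ' header with the DOS stub string in the
    next 512 bytes. Returns the offset of 'MZ', or -1 if absent."""
    start = 0
    while True:
        off = data.find(b"MZ", start)
        if off == -1:
            return -1
        if DOS_STUB in data[off:off + 512]:
            return off
        start = off + 1


def recover_single_byte_xor(data):
    """Try all 256 single-byte keys and return the one that exposes a PE
    signature, or None. Cheap enough to run on every suspicious body."""
    for key in range(256):
        if find_pe_signature(xor_encode(data, bytes([key]))) != -1:
            return key
    return None


def classify_response_body(data):
    """Verdict an inspection point could attach to one HTTP response body."""
    if find_pe_signature(data) != -1:
        return "plain-pe"
    key = recover_single_byte_xor(data)
    if key is not None:
        return f"xor-pe:0x{key:02x}"
    return "unknown"


if __name__ == "__main__":
    stage = make_sample_stage()
    print("as-is:          ", classify_response_body(stage))
    print("1-byte xor key: ", classify_response_body(xor_encode(stage, b"\x5a")))
    print("4-byte xor key: ", classify_response_body(xor_encode(stage, b"\x13\x37\xca\xfe")))
```

The last line is the honest part of the demonstration: as soon as the encoding is anything more than a constant byte, a content signature at the network layer has nothing to match, and once the same transfer rides inside TLS (the reverse_https slide) a device that does not terminate TLS never sees the bytes at all. Detection of the stage then has to move to the endpoint: a reflectively loaded DLL in a browser or Office process, a module with no backing file on disk, or the network behaviour of the resulting session.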

Riddle me this… Batman

Asynchronous C2

• Stay Low and slow
– Target phones home, asks for tasks
– Sleep time? 1 hour, 1 day, 1 year?
– C2 tries to look like normal traffic
• Life line into a network
– Use to execute commands
– Upload / download files
– Spawn “active” sessions to another server
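The asynchronous C2 slide describes an agent that phones home on a fixed sleep and tries to look like normal traffic. The following is an added example (not from the talk) of the detection a defender builds against exactly that description: it reads constructed proxy log lines, groups requests by client and destination host, and flags pairs whose inter-request intervals are almost constant. The log format (epoch, client, method, URL) and every address in it are constructed for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: "epoch client method url". One host browses normally;
# one host fetches the same tiny resource every hour, almost to the millisecond.
SAMPLE_LOG = """\
1452855600.004 10.0.0.15 GET http://cdn.example.net/news/1.jpg
1452855603.210 10.0.0.15 GET http://cdn.example.net/news/2.jpg
1452855611.090 10.0.0.15 GET http://www.example.org/index.html
1452855600.500 10.0.0.23 GET http://updates.example-host.net/pixel.gif
1452859200.511 10.0.0.23 GET http://updates.example-host.net/pixel.gif
1452862800.498 10.0.0.23 GET http://updates.example-host.net/pixel.gif
1452866400.503 10.0.0.23 GET http://updates.example-host.net/pixel.gif
1452870000.507 10.0.0.23 GET http://updates.example-host.net/pixel.gif
1452855700.000 10.0.0.15 GET http://cdn.example.net/news/3.jpg
1452859300.000 10.0.0.15 GET http://cdn.example.net/news/4.jpg
"""


def parse_proxy_log(text):
    """Yield (timestamp, client, host) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(None, 3)
        yield float(ts), client, urlsplit(url).hostname


def find_periodic_beacons(text, min_requests=4, max_cv=0.05):
    """Flag (client, host) pairs whose request timing is nearly periodic.

    For each pair with at least min_requests requests, sort the timestamps,
    take the gaps between consecutive requests and compute the coefficient
    of variation (population stdev / mean). Human browsing is bursty and has
    a large CV; a fixed-sleep agent has a CV near zero. max_cv is the knob
    that trades missed jittered beacons against false positives.
    """
    times = defaultdict(list)
    for ts, client, host in parse_proxy_log(text):
        times[(client, host)].append(ts)

    flagged = []
    for (client, host), ts_list in sorted(times.items()):
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({"client": client, "host": host,
                            "requests": len(ts_list),
                            "mean_interval": avg, "cv": cv})
    return flagged


if __name__ == "__main__":
    for hit in find_periodic_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"every {hit['mean_interval']:.0f}s (cv={hit['cv']:.4f})")
```

Two caveats follow directly from the slide's own questions. An agent that adds random jitter to its sleep pushes the CV up, so the threshold has to be tuned against real proxy data rather than set once. And an agent that sleeps for a day or a year produces too few requests inside any analysis window for timing statistics to say anything; that case is the argument for keeping the long-retention logs, and for the egress restrictions on the earlier slide, rather than for a cleverer detector.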

Asynchronous C2 - Beacon

Asynchronous C2 – Bro RAT

See: http://tinyurl.com/bro-rat

The Take Away…

If you know how something works…you can defeat it

this applies to offense and defense

Summary…