
Offense in Depth


davis

Presentation Transcript


  1. Offense in Depth A Developer’s Perspective on Hacker Tradecraft

  2. Overview • Introduction / Terminology • How to get a foothold • Identifying and Defeating Defenses

  3. The Take Away… If you know how something works… you can defeat it this applies to offense and defense

  4. Who am I? • Solo Entrepreneur (I sell red team software) • Armitage and Cobalt Strike Dev • Previously… • DARPA CFT Performer • Red Team Svc to DoD agency • WordPress grammar checker • USAF Security Researcher • Exercises • CDX, *CCDC, ISTS, etc. • Primary Skill: Developer

  5. The Take Away… If you know how something works… you can defeat it this applies to offense and defense

  6. Attack Surface • What can we, as attackers, manipulate or touch?

  7. Client-side Attacks • What is a client-side attack? • An attack against an application used to view attacker-controlled content. • Why client-side attacks?

  8. How to get a foothold • Map client-side attack surface • Create Virtual Machine for testing purposes • Use Virtual Machine to select best attack • Configure and disguise the attack • Email attack package to victim

  9. Reconnaissance: System Profiler • A web application (target must visit it) • Discovers client-side applications • Discovers internal IP address See: http://www.browserspy.dk

  10. Hacking with features?

  11. Features to abuse… • Java Signed Applet • Disguise Windows Executable • Microsoft Office Macros

  12. Spear Phishing • Create a target list • Create a template • Choose mail server to send through • Send the message…

  13. Spear Phishing Templates

  14. Templates Click Reply -> View message source

  15. Templates

  16. Sending the message…
      telnet [ip address] 25
      HELO whatever.com
      MAIL FROM: bounceaddress@whatever.com
      RCPT TO: [target email here]
      DATA
      [paste template file (remove headers first)]
      .
      QUIT

  17. Now, walk this minefield…

  18. Defenses • Mail Defenses • Host Anti-virus • Application Whitelisting • Egress • Payload Staging • Stay Low and Slow

  19. Sender Policy Framework • Defense: verify the sender's IP to detect email spoofing • Attack: get the message to the user regardless…

  20. Defeating SPF • Register a typo of domain of interest • Use a webmail provider and send attack from their servers • Spoof another domain
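SPF, as slide 19 states, only checks whether the connecting IP is authorised to send for the domain in MAIL FROM. The simplified evaluator below is an added example (not from the deck) with a constructed set of TXT records; it shows why slide 20's lookalike domain passes: that domain publishes its own record, and SPF has nothing to say about whether the name resembles someone else's.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: these records and domains are
# made up for the example, not real zone data.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
    # A lookalike domain registered by someone else publishes its own
    # record, so mail from its server passes SPF for that domain.
    "examp1e.com": "v=spf1 ip4:203.0.113.5 -all",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connection from sender_ip.
    Returns pass/fail/softfail/neutral, 'none' when no record exists, or
    'permerror' on runaway include chains. Handles ip4, ip6, include and
    all; a/mx/ptr/exists are skipped, which is enough for this comparison."""
    if depth > 10:
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # an address of the other family is simply not contained
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanisms and modifiers not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no explicit all mechanism
```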

  21. Mail Anti-Virus Gateway • Defense: check messages for bad stuff before delivery • Attack: send something that passes the check

  22. Mail Defense Recon • Create an attack package • Send it to a non-existent user • Make sure the MAIL FROM address is an address you control • Wait for the non-delivery notice • Review the non-delivery notice for your report card

  23. Non-Delivery Notices

  24. Host Anti-virus • Defense: check for known bad and stop it • Attack: send unknown bad that passes the check

  25. Defeat Host Anti-virus • Find out or guess which anti-virus is in use • DNS Cache Snooping • Information Gathering • Social Engineering • Put anti-virus on test Virtual Machine • Select undetected attack or modify existing attack

  26. DNS Cache Snooping? See: http://tinyurl.com/rob-dixon-is-hot The command: dig @server domainA +norecurse

  27. How does Anti-virus work? • Check for known signature • Apply heuristic to detect bad behavior • Emulate binary to defeat packers and crypters

  28. Limitations • False positives are bad • Non-intrusive(?) • Only checks file at certain points • When loaded in browser • When written to disk

  29. Getting Past AV • Client-side Exploits… • Change strings in module • Write your own implementation of the attack

  30. Application Whitelisting • Defense: do not allow unapproved applications • Attack: get the agent into memory using a whitelisted application.

  31. Defeating App Whitelisting • Powershell • https://github.com/mattifestation/PowerSploit • MS Office Macro • Java • Create a DLL with your agent • Have program extract DLL • Call System.loadLibrary("evil.dll");

  32. Establish C2

  33. Establish C2

  34. Establish C2 – The Pain • Deny all outbound traffic • Allow egress only through a proxy device • Attack traffic must conform to expected protocol • Must pass other checks as well… • Attacker Limitation: Staging!

  35. Payload Staging…

  36. Payload Staging • Stage 1 • Must be small. Exploit used limits space • Encoded with Framework encoder • Stage 2 • Payload DLL goes over the wire as-is • Trivial to write IDS signature for

  37. Payload Staging

  38. Payload Staging • windows/meterpreter/reverse_https • Staging process happens over SSL • EnableStageEncoding and StageEncoder • Metasploit Framework option to encode stage
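The signature slide 36 calls trivial, written out as an added Python example (not from the deck or from the Metasploit project): a stage that goes over the wire as-is is a PE image, so a byte-level check on the DOS header and the PE signature catches it. Slide 38's stage encoding is the reason such a check stops matching; the sample response bodies below are constructed, not real payloads.

```python
import struct


def looks_like_pe(body: bytes) -> bool:
    """True when body starts with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature: the shape of a
    payload DLL sent over the wire unencoded."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def flag_stage_downloads(responses):
    """responses: iterable of (url, body) pairs taken from HTTP traffic.
    Returns the URLs whose body is a bare PE image."""
    return [url for url, body in responses if looks_like_pe(body)]


# Constructed sample bodies: a minimal DOS header with e_lfanew = 0x40
# followed by the PE signature, and an ordinary HTML page.
FAKE_STAGE = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
              + b"PE\0\0" + b"\0" * 60)
HTML_PAGE = b"<html><body>nothing to see here</body></html>" + b" " * 40
SAMPLE = [("http://198.51.100.7/stage", FAKE_STAGE),
          ("http://www.example.com/", HTML_PAGE)]

if __name__ == "__main__":
    print(flag_stage_downloads(SAMPLE))
```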

  39. Riddle me this… Batman

  40. Asynchronous C2 • Stay Low and slow • Target phones home, asks for tasks • Sleep time? 1 hour, 1 day, 1 year? • C2 tries to look like normal traffic • Life line into a network • Use to execute commands • Upload / download files • Spawn “active” sessions to another server

  41. Asynchronous C2 - Beacon

  42. Asynchronous C2 – Bro RAT See: http://tinyurl.com/bro-rat
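Detection logic for the low-and-slow check-in pattern of slide 40, as an added example (not from the deck): an agent that sleeps for a fixed interval produces connection timestamps with almost no variance, which is what the function below scores. The proxy log lines are constructed, with one host checking in hourly and one user browsing at irregular times.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client IP, destination host.
LOG_LINES = """\
2013-05-01T08:00:02 10.0.0.15 cdn.example.net
2013-05-01T09:00:05 10.0.0.15 cdn.example.net
2013-05-01T10:00:02 10.0.0.15 cdn.example.net
2013-05-01T11:00:04 10.0.0.15 cdn.example.net
2013-05-01T12:00:02 10.0.0.15 cdn.example.net
2013-05-01T08:12:40 10.0.0.22 news.example.org
2013-05-01T08:13:02 10.0.0.22 news.example.org
2013-05-01T10:47:19 10.0.0.22 news.example.org
2013-05-01T15:02:55 10.0.0.22 news.example.org
2013-05-01T15:03:10 10.0.0.22 news.example.org
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_beacons(lines, min_hits=4, max_cv=0.1):
    """Return {(client, host): mean_interval_seconds} for pairs whose
    connection intervals are nearly constant (coefficient of variation
    at most max_cv). Timers are regular; people are not."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, host = m.groups()
        times[(client, host)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    print(find_beacons(LOG_LINES))
```

A long sleep plus jitter widens the variance, so the threshold trades false positives against exactly the "1 hour, 1 day" timers the slide mentions.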

  43. The Take Away… If you know how something works… you can defeat it this applies to offense and defense

  44. Summary…
