offense in depth a developer’s perspective on hacker tradecraft
![Page 1: Offense in Depth A Developer’s Perspective on Hacker Tradecraft](https://reader036.vdocument.in/reader036/viewer/2022062322/56649ccf5503460f9499af63/html5/thumbnails/1.jpg)
Offense in Depth
A Developer’s Perspective on Hacker Tradecraft
Overview
• Introduction / Terminology
• How to get a foothold
• Identifying and Defeating Defenses
The Take Away…
If you know how something works…you can defeat it
this applies to offense and defense
Who am I?
• Solo Entrepreneur (I sell red team software)
• Armitage and Cobalt Strike Dev
• Previously…
  – DARPA CFT Performer
  – Red Team Svc to DoD agency
  – WordPress grammar checker
  – USAF Security Researcher
• Exercises
  – CDX, *CCDC, ISTS, etc.
• Primary Skill: Developer
The Take Away…
If you know how something works…you can defeat it
this applies to offense and defense
Attack Surface
• What can we, as attackers, manipulate or touch?
Client-side Attacks
• What is a client-side attack?
  – An attack against an application used to view attacker-controlled content.
• Why client-side attacks?
How to get a foothold
1. Map client-side attack surface
2. Create Virtual Machine for testing purposes
3. Use Virtual Machine to select best attack
4. Configure and disguise the attack
5. Email attack package to victim
Reconnaissance: System Profiler
• A web application (target must visit it)
• Discovers client-side applications
• Discovers internal IP address
See: http://www.browserspy.dk
Hacking with features?
Features to abuse…
• Java Signed Applet
• Disguise Windows Executable
• Microsoft Office Macros
Spear Phishing
1. Create a target list
2. Create a template
3. Choose mail server to send through
4. Send the message…
Spear Phishing Templates
Templates
Click Reply -> View message source
Templates
Sending the message…
telnet [ip address] 25
HELO whatever.com
MAIL FROM: [email protected]
RCPT TO: [target email here]
DATA
[paste template file (remove headers first)]
.
QUIT
Now, walk this minefield…
Defenses
• Mail Defenses
• Host Anti-virus
• Application Whitelisting
• Egress
• Payload Staging
• Stay Low and Slow
Sender Policy Framework
• Defense: verify the sender's IP to detect email spoofing
• Attack: get the message to the user regardless…
Defeating SPF
• Register a typo of the domain of interest
• Use a webmail provider and send the attack from their servers
• Spoof another domain
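All three bypasses on this slide work because SPF answers only one question: did the domain in the envelope MAIL FROM authorize the connecting IP? It never asks whether that domain is the one the recipient trusts. The following is an added example, not code from the talk or from any product it mentions; it is a minimal SPF evaluator (ip4, ip6, include and all mechanisms only) run against constructed TXT records, with `exarnple.com` standing in for a registered look-alike domain and `_spf.mail-provider.example` for a webmail provider's include. A mail gateway that stops at "SPF pass" lets the look-alike through; the `classify_sender` step is the extra check a defender needs.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (not any real domain's records).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "exarnple.com": "v=spf1 ip4:203.0.113.7 -all",  # look-alike domain with its own valid record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sending_ip, records=SPF_RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sending_ip`.

    Implements only the mechanisms this example needs (ip4, ip6, include, all); a real
    checker also handles a, mx, ptr, exists, redirect= and the 10-lookup limit.
    """
    if depth > 10:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: SPF says nothing about this domain
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            # An IPv4 address is never "in" an IPv6 network, so mixed terms simply skip.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = evaluate_spf(term[len("include:"):], sending_ip, records, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def classify_sender(mail_from_domain, sending_ip, trusted_domains, records=SPF_RECORDS):
    """Combine the SPF verdict with the question SPF never asks: is this a domain we trust?"""
    verdict = evaluate_spf(mail_from_domain, sending_ip, records)
    if verdict != "pass":
        return verdict
    return "pass" if mail_from_domain in trusted_domains else "pass-untrusted-domain"


if __name__ == "__main__":
    # Spoofing example.com from an unauthorized address fails; the look-alike passes cleanly.
    print(evaluate_spf("example.com", "203.0.113.7"))                        # fail
    print(classify_sender("exarnple.com", "203.0.113.7", {"example.com"}))   # pass-untrusted-domain
```

The `pass-untrusted-domain` outcome is what a look-alike registration or a legitimate webmail account produces: SPF is satisfied, so the detection has to come from somewhere else (the display name versus the envelope domain, the newness of the domain, DMARC alignment with the header From).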
Mail Anti-Virus Gateway
• Defense: check messages for bad stuff before delivery
• Attack: send something that passes the check
Mail Defense Recon
1. Create an attack package
2. Send it to a non-existent user
3. Make sure the MAIL FROM address is an address you control
4. Wait for the non-delivery notice
5. Review the non-delivery notice for your report card
Non-Delivery Notices
Host Anti-virus
• Defense: check for known bad and stop it
• Attack: send unknown bad that passes the check
Defeat Host Anti-virus
1. Find out or guess which anti-virus is in use
  – DNS Cache Snooping
  – Information Gathering
  – Social Engineering
2. Put anti-virus on test Virtual Machine
3. Select undetected attack or modify existing attack
DNS Cache Snooping?
See: http://tinyurl.com/rob-dixon-is-hot
The command:
dig @server domain A +norecurse
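The `+norecurse` query works because a resolver that answers non-recursive questions from anyone effectively publishes its cache: a hit means some internal client recently looked that name up (for instance an anti-virus vendor's update server). The following added example is not from the talk; it is a toy model of a caching resolver with a client ACL, written to show both the leak and the fix. The scenario, zone data and addresses are constructed. In BIND the corresponding controls are the `allow-recursion` and `allow-query-cache` options; the toy merges them into one allow list.

```python
import ipaddress


class CachingResolver:
    """Toy model of a recursive resolver: a record cache plus a client ACL (constructed)."""

    def __init__(self, allowed_clients, authoritative):
        # Networks allowed to use recursion and read the cache.
        self.allowed = [ipaddress.ip_network(net) for net in allowed_clients]
        self.authoritative = authoritative  # name -> rdata, stands in for the outside DNS
        self.cache = {}

    def permitted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.allowed)

    def handle_query(self, client_ip, name, recursion_desired):
        """Return (rcode, rdata, answered_from_cache) for one query."""
        if not self.permitted(client_ip):
            return ("REFUSED", None, False)
        if name in self.cache:
            return ("NOERROR", self.cache[name], True)
        if not recursion_desired:
            # RD=0 and not cached: an empty answer, i.e. "nobody here asked for this lately".
            return ("NOERROR", None, False)
        rdata = self.authoritative.get(name)
        if rdata is None:
            return ("NXDOMAIN", None, False)
        self.cache[name] = rdata
        return ("NOERROR", rdata, False)


# Constructed zone data for the walk-through (not real hosts).
UPSTREAM = {"updates.av-vendor.example": "192.0.2.80", "www.example.net": "198.51.100.10"}


def snoop_outcome(allowed_clients):
    """Replay the scenario: an internal host resolves the AV update server, then an outside
    host asks the same name with RD=0. Returns (rcode, from_cache) as the outsider sees it."""
    resolver = CachingResolver(allowed_clients, UPSTREAM)
    resolver.handle_query("10.0.0.5", "updates.av-vendor.example", recursion_desired=True)
    rcode, _rdata, from_cache = resolver.handle_query(
        "203.0.113.9", "updates.av-vendor.example", recursion_desired=False)
    return rcode, from_cache


if __name__ == "__main__":
    print(snoop_outcome(["0.0.0.0/0"]))   # ('NOERROR', True): open resolver leaks its cache
    print(snoop_outcome(["10.0.0.0/8"]))  # ('REFUSED', False): ACL closes the leak
```

Note that the ACL, not the cache itself, is the control: an internal client on the allowed network can still distinguish cached from uncached names with RD=0, so the residual exposure is limited to whoever already sits inside the network.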
How does Anti-virus work?
• Check for known signature
• Apply heuristic to detect bad behavior
• Emulate binary to defeat packers and crypters
Limitations
• False positives are bad
• Non-intrusive(?)
• Only checks file at certain points
  – When loaded in browser
  – When written to disk
Getting Past AV
• Client-side Exploits…
  – Change strings in module
  – Write your own implementation of the attack
Application Whitelisting
• Defense: do not allow unapproved applications
• Attack: get the agent into memory using a white-listed application.
Defeating App Whitelisting
• Powershell
  – https://github.com/mattifestation/PowerSploit
• MS Office Macro
• Java
  – Create a DLL with your agent
  – Have program extract DLL
  – Call System.loadLibrary("evil.dll");
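Each item on this slide rides on a process the allow-list already approves (PowerShell, Office, the JVM); the agent code arrives as something that process loads or interprets rather than as a new executable. The following is an added example, not from the talk or from any whitelisting product: a toy path-and-publisher allow-list evaluated over a constructed load chain in which an approved, signed `java.exe` starts and then loads `evil.dll` from a user-writable temp directory. With executable rules only, the DLL load is never examined; with DLL rules enforced and trusted directories limited to locations users cannot write to, the chain is stopped at the load.

```python
from dataclasses import dataclass


@dataclass
class LoadEvent:
    kind: str        # "exe" (process start) or "dll" (library load)
    path: str
    publisher: str   # subject of the code-signing certificate, "" if unsigned


@dataclass
class Policy:
    enforce_dll_rules: bool
    trusted_dirs: tuple        # directories normal users cannot write to
    trusted_publishers: tuple


def decide(policy, event):
    """Return 'allow' or 'block' for one load event under a path/publisher allow-list."""
    if event.kind == "dll" and not policy.enforce_dll_rules:
        return "allow"  # no DLL rules: whatever an approved process loads goes unexamined
    path = event.path.lower().replace("/", "\\")
    if any(path.startswith(d.lower()) for d in policy.trusted_dirs):
        return "allow"
    if event.publisher and event.publisher in policy.trusted_publishers:
        return "allow"
    return "block"


def run_chain(policy, events):
    """Walk a process's load chain; the first 'block' stops it, otherwise it fully succeeds."""
    for event in events:
        if decide(policy, event) == "block":
            return ("block", event.path)
    return ("allow", None)


# Constructed chain: an approved, signed JVM starts, then loads a DLL the applet wrote to %TEMP%.
APPLET_CHAIN = [
    LoadEvent("exe", "C:\\Program Files\\ExampleJVM\\bin\\java.exe", "CN=Example JVM Vendor"),
    LoadEvent("dll", "C:\\Users\\alice\\AppData\\Local\\Temp\\evil.dll", ""),
]

TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\")
LAX_POLICY = Policy(enforce_dll_rules=False, trusted_dirs=TRUSTED_DIRS,
                    trusted_publishers=("CN=Example JVM Vendor",))
STRICT_POLICY = Policy(enforce_dll_rules=True, trusted_dirs=TRUSTED_DIRS,
                       trusted_publishers=("CN=Example JVM Vendor",))


if __name__ == "__main__":
    print(run_chain(LAX_POLICY, APPLET_CHAIN))     # ('allow', None)
    print(run_chain(STRICT_POLICY, APPLET_CHAIN))  # ('block', 'C:\\Users\\alice\\...\\evil.dll')
```

The same model explains the PowerShell and Office entries: `powershell.exe` and the Office binaries live under the trusted directories, so a path-based list approves them, and the script or macro they run is never a "load event" the list sees. Constraining those interpreters is a separate control from the allow-list itself.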
Establish C2
Establish C2
Establish C2 – The Pain
• Deny all outbound traffic
• Allow egress only through a proxy device
  – Attack traffic must conform to expected protocol
  – Must pass other checks as well…
• Attacker Limitation: Staging!
Payload Staging…
Payload Staging
• Stage 1
  – Must be small. Exploit used limits space
  – Encoded with Framework encoder
• Stage 2
  – Payload DLL goes over the wire as-is
  – Trivial to write IDS signature for
Payload Staging
Payload Staging
• windows/meterpreter/reverse_https
  – Staging process happens over SSL
• EnableStageEncoding and StageEncoder
  – Metasploit Framework option to encode stage
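The "trivial IDS signature" from two slides back is concrete: a stage-two DLL sent as-is begins with the `MZ` DOS stub and carries a `PE\0\0` signature at the offset stored at 0x3C, and it usually arrives under a content type that has no business carrying an executable. The following added example (not from the talk or from Metasploit) implements that check over a constructed HTTP response whose body is a header-only PE image built by `minimal_pe`. It also makes the defensive limit of the slide above visible: the check needs the plaintext body, so TLS staging defeats it unless the proxy terminates TLS, and an encoded stage no longer carries the signature at all.

```python
import struct

MACHINE_TYPES = {0x14C: "x86", 0x8664: "x64"}


def pe_machine(body):
    """Return 'x86'/'x64'/'other' if `body` starts with a PE image, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", body, e_lfanew + 4)[0]  # COFF header Machine field
    return MACHINE_TYPES.get(machine, "other")


def inspect_response(raw):
    """Split a raw HTTP response; report a PE image and the content type it was served under."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    content_type = "unknown"
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode(errors="replace")
    arch = pe_machine(body)
    if arch is None:
        return None
    return {"arch": arch, "content_type": content_type, "size": len(body)}


def minimal_pe(machine=0x14C):
    """Build a constructed header-only PE image (not a runnable program) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at offset 0x80
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # COFF file header, zeroed
    return bytes(dos) + bytes(0x80 - 0x40) + b"PE\0\0" + coff


# Constructed captures: a stage handed out as if it were a web page, and a real page.
STAGE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + minimal_pe())
HTML_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"


if __name__ == "__main__":
    print(inspect_response(STAGE_RESPONSE))  # {'arch': 'x86', 'content_type': 'text/html', 'size': 152}
    print(inspect_response(HTML_RESPONSE))   # None
```

A proxy that only allows egress through itself is exactly where this check belongs, which is why the slide treats staging as the attacker's limitation: the stage is the one moment the agent's code crosses the wire in a recognizable form.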
Riddle me this… Batman
Asynchronous C2
• Stay Low and slow
  – Target phones home, asks for tasks
  – Sleep time? 1 hour, 1 day, 1 year?
  – C2 tries to look like normal traffic
• Life line into a network
  – Use to execute commands
  – Upload / download files
  – Spawn "active" sessions to another server
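An agent that phones home on a fixed sleep timer produces what a user never does: near-identical gaps between connections to the same host. The following added example (not from the talk, and not Beacon's or any product's code) runs that timing check over a constructed proxy log in which `10.0.0.5` calls `cdn-update.example` roughly hourly while `10.0.0.9` browses `news.example` at irregular times. The field layout of the log is an assumption for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp client host bytes_out" (no real hosts or traffic).
PROXY_LOG = """\
2013-05-01T08:00:00 10.0.0.5 cdn-update.example 412
2013-05-01T08:03:11 10.0.0.9 news.example 1820
2013-05-01T08:03:40 10.0.0.9 news.example 940
2013-05-01T08:11:05 10.0.0.9 news.example 2210
2013-05-01T09:00:02 10.0.0.5 cdn-update.example 409
2013-05-01T09:47:30 10.0.0.9 news.example 1675
2013-05-01T10:00:01 10.0.0.5 cdn-update.example 415
2013-05-01T10:59:59 10.0.0.5 cdn-update.example 411
2013-05-01T12:00:03 10.0.0.5 cdn-update.example 408
2013-05-01T12:15:00 10.0.0.9 news.example 1502
2013-05-01T12:16:10 10.0.0.9 news.example 1330
2013-05-01T13:00:00 10.0.0.5 cdn-update.example 413
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, client, host, _bytes_out = line.split()
        events[(client, host)].append(datetime.fromisoformat(timestamp))
    return events


def find_beacons(events, min_hits=5, max_cv=0.05):
    """Return {(client, host): {"interval": seconds, "hits": n}} for regular call-home patterns.

    Regularity is the coefficient of variation of the gaps between requests; a user's
    browsing has a large one, a sleep-timer agent a tiny one. `min_hits` sets how much
    history is needed: a daily beacon needs at least five days of logs to show up here.
    """
    found = {}
    for key, times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            found[key] = {"interval": round(avg), "hits": len(times)}
    return found


if __name__ == "__main__":
    for key, info in find_beacons(parse_log(PROXY_LOG)).items():
        print(key, info)  # ('10.0.0.5', 'cdn-update.example') {'interval': 3600, 'hits': 6}
```

Timing alone is a weak signal against the "look like normal traffic" goal once the sleep interval is randomized, so in practice this score is combined with others: the constancy of the request size, a destination no other client visits, and a User-Agent or URI pattern that does not match the host's browser.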
Asynchronous C2 - Beacon
Asynchronous C2 – Bro RAT
See: http://tinyurl.com/bro-rat
The Take Away…
If you know how something works…you can defeat it
this applies to offense and defense
Summary…