Presentation is loading. Please wait.

Presentation is loading. Please wait.

Offense in Depth A Developer’s Perspective on Hacker Tradecraft.

Similar presentations

Presentation on theme: "Offense in Depth A Developer’s Perspective on Hacker Tradecraft."— Presentation transcript:

1 Offense in Depth A Developer’s Perspective on Hacker Tradecraft

2 Overview Introduction / Terminology How to get a foothold Identifying and Defeating Defenses

3 The Take Away… If you know how something works… you can defeat it this applies to offense and defense

4 Who am I? Solo Entrepreneur (I sell red team software) Armitage and Cobalt Strike Dev Previously… DARPA CFT Performer Red Team Svc to DoD agency WordPress grammar checker USAF Security Researcher Exercises CDX, *CCDC, ISTS, etc. Primary Skill: Developer

5 The Take Away… If you know how something works… you can defeat it this applies to offense and defense

6 Attack Surface What can we, as attackers, manipulate or touch?

7 What is a client-side attack? – An attack against application used to view attacker controlled content. Why client-side attacks? Client-side Attacks

8 How to get a foothold 1.Map client-side attack surface 2.Create Virtual Machine for testing purposes 3.Use Virtual Machine to select best attack 4.Configure and disguise the attack 5.Email attack package to victim

9 A web application (target must visit it) Discovers client-side applications Discovers internal IP address See: http://www.browserspy.dk Reconnaissance: System Profiler

10 Hacking with features?

11 Features to abuse… Java Signed Applet Disguise Windows Executable Microsoft Office Macros

12 Spear Phishing 1.Create a target list 2.Create a template 3.Choose mail server to send through 4.Send the message…

13 Spear Phishing Templates

14 Templates Click Reply -> View message source

15 Templates

16 Sending the message… telnet [ip address] 25 HELO MAIL FROM: RCPT TO: [target email here] DATA [paste template file (remove headers first)]. QUIT

17 Now, walk this minefield…

18 Defenses Mail Defenses Host Anti-virus Application Whitelisting Egress Payload Staging Stay Low and Slow

19 Sender Policy Framework Defense verify senders IP to detect email spoofing Attack get message to user regardless…

20 Defeating SPF Register a typo of domain of interest Use a webmail provider and send attack from their servers Spoof another domain

21 Mail Anti-Virus Gateway Defense check messages for bad stuff before delivery Attack send something that passes check

22 Mail Defense Recon 1.Create an attack package 2.Send it to a non-existent user 3.Make sure MAIL FROM address is an address you control 4.Wait for non-delivery notice 5.Review non-delivery notice for your report card

23 Non-Delivery Notices

24 Host Anti-virus Defense check for known bad and stop it Attack send unknown bad that passes check

25 Defeat Host Anti-virus 1.Find out or guess which anti-virus is in use – DNS Cache Snooping – Information Gathering – Social Engineering 2.Put anti-virus on test Virtual Machine 3.Select undetected attack or modify existing attack

26 DNS Cache Snooping? See: The command: dig @server domain A +norecurse

27 How does Anti-virus work? Check for known signature Apply heuristic to detect bad behavior Emulate binary to defeat packers and crypters

28 Limitations False positives are bad Non-intrusive(?) Only checks file at certain points – When loaded in browser – When written to disk

29 Getting Past AV Client-side Exploits… – Change strings in module – Write your own implementation of the attack

30 Application Whitelisting Defense do not allow unapproved applications Attack get agent into memory using a white-listed application.

31 Defeating App Whitelisting Powershell – MS Office Macro Java – Create a DLL with your agent – Have program extract DLL – Call System.loadLibrary(“evil.dll”);

32 Establish C2


34 Establish C2 – The Pain Deny all outbound traffic Allow egress only through a proxy device – Attack traffic must conform to expected protocol – Must pass other checks as well… Attacker Limitation: Staging!

35 Payload Staging…

36 Payload Staging Stage 1 – Must be small. Exploit used limits space – Encoded with Framework encoder Stage 2 – Payload DLL goes over the wire as-is – Trivial to write IDS signature for

37 Payload Staging

38 windows/meterpreter/reverse_https – Staging process happens over SSL EnableStageEncoding and StageEncoder – Metasploit Framework option to encode stage

39 Riddle me this… Batman

40 Asynchronous C2 Stay Low and slow – Target phones home, asks for tasks – Sleep time? 1 hour, 1 day, 1 year? – C2 tries to look like normal traffic Life line into a network – Use to execute commands – Upload / download files – Spawn “active” sessions to another server

41 Asynchronous C2 - Beacon

42 Asynchronous C2 – Bro RAT See:

43 The Take Away… If you know how something works… you can defeat it this applies to offense and defense

44 Summary…

Download ppt "Offense in Depth A Developer’s Perspective on Hacker Tradecraft."

Similar presentations

Ads by Google