Exploiting Browsers Like A Boss with White Lightning! Whoa, this isn't wood shop class?

White Lightning Sept 2014

Jun 25, 2015


Bryce Kunz

White Lightning is a Platform for Browser Exploitation
Transcript
Page 1: White Lightning Sept 2014

Exploiting Browsers Like A Boss with

ThreatRoast • www.ThreatRoast.com

White Lightning!

Whoa, this isn't wood shop class?

Page 2: White Lightning Sept 2014

About Bryce

- Exploitation: (Pen)Testing
- Defense: Threat Intel
- Recipe, makes 1 Bryce: 1 oz Chewbacca, 2 oz Energy Drinks, 37 oz Rage
- Hacking: SoCal Hacking, Twentythreedotorg, LA2600

Page 3: White Lightning Sept 2014

Phishing Demo

Turtle Cavalry Attack! ☺

Page 4: White Lightning Sept 2014

The Why… Can You Hack Me Bro?

- Christmas years ago
- Can you hack me bro?
- Totes out of date Java

SURE BRO!
- Redirected network
- iFrame to…
- Browser Autopwn
- Throws IE Exploits...
- at my Bro’s Mac Book

Page 5: White Lightning Sept 2014

The Why…

Hacker says: Just use BeEF...
- I love BeEF…
  - for XSS and…
  - for interacting with user’s browser session
- I hate waiting for a user to click a link… so…
- Auto-run an exploit… but which exploit?
- Build script with survey logic… but…
- Was painful to implement logic to run the best applicable exploit(s)

Page 6: White Lightning Sept 2014

The Why…

Realized… Just use a… Crimeware Exploit Kit (EK)
• Fully Automated
• Selects the best exploit(s)
• Uses only 80/TCP HTTP
• Every exploit has to be ported
• Usually drops a binary to disk
  – (e.g. exe)

Page 7: White Lightning Sept 2014

Current Solutions -> Crimeware EK

Crimeware Exploit Kits (EK)
• Pros:
  – Fairly easy to set up, depending on the kit
  – Will select the best exploit(s) to throw
  – Usually uses only 80/TCP HTTP
• Cons:
  – Every exploit has to be ported to the EK
  – Usually drops a binary (e.g. exe) to disk
  – Potentially detectable by security products
  – Costs $$ & Trust issues? ☺

Page 8: White Lightning Sept 2014

Current Solutions -> Custom Solution

Build your own custom solution with a mix of exploits and social engineering (SE) techniques
• Pros:
  – Tailor the solution to the current engagement
  – You know your solution
• Cons:
  – Time to develop and refine operations
  – Limited set of exploits and/or SE techniques
  – Low chance of selecting the correct exploit
  – Limited ability to leverage existing work

Page 9: White Lightning Sept 2014

Current Solutions -> Metasploit with Single Exploit

Metasploit with selecting a single exploit
• Pros:
  – Easy to set up
  – Metasploit is awesome for exploit development
• Cons:
  – Low chance of selecting the correct exploit

Page 10: White Lightning Sept 2014

Current Solutions -> Metasploit Browser Autopwn

• Metasploit’s auxiliary/server/browser_autopwn
  – Pros:
    • Easy to set up
    • Much better now with “BrowserRequirements” options
    • Metasploit is awesome for exploit development
  – Cons:
    • Throws all exploits Metasploit thinks are applicable (20+)
    • Needs the target endpoint to have loose egress filtering

Page 11: White Lightning Sept 2014

TCP Ports Analysis for Metasploit’s Autopwn

[Diagram: exploits are delivered over 80/TCP HTTP, but each payload handler listens on its own port]
- 80/TCP HTTP: Exploit #1, Exploit #2, Exploit etc...
- 3333/TCP: windows/meterpreter/reverse_tcp
- 6666/TCP: generic/shell_reverse_tcp
- 7777/TCP: java/meterpreter/reverse_tcp

Page 12: White Lightning Sept 2014

TCP Ports Analysis for Metasploit’s Autopwn


Page 13: White Lightning Sept 2014

Exploitation Truth

Bryce’s Rule for Exploitation #? Whenever possible, reuse the same:
• Transport Layer Protocol (TCP, UDP, etc…)
• Port Number (80, 445, etc…)
• Application Layer Protocol (HTTP, SMB, etc…)
• And communicate through the same path, including:
  – To the same IP address
  – Using the same hostname and/or domain
between the exploit and initial access to the endpoint.

If it worked for the exploit… It should work for your RAT too :)

Page 14: White Lightning Sept 2014

What is White Lightning?

About White Lightning


Page 15: White Lightning Sept 2014

What is White Lightning? -  Urban Dictionary

About White Lightning


Page 16: White Lightning Sept 2014

What is White Lightning? -  Urban Dictionary -  A Burt Reynolds Movie

About White Lightning


Page 17: White Lightning Sept 2014

What is White Lightning? -  Urban Dictionary -  A Burt Reynolds Movie -  Moonshine…

yeah but it is now also a

About White Lightning


Page 18: White Lightning Sept 2014

What is White Lightning… -  Urban Dictionary -  A Burt Reynolds Movie -  Moonshine…

yeah but it is now also a

Platform for Browser Exploitation

About White Lightning


Page 19: White Lightning Sept 2014

Why more tools?

[Chart: Success Rate of Attackers (0% to 100%) against Publicly Available Tools: Auditor (10), Script Kiddie (30), White Hat Hacker (50), Hacktivist (60), Crime Orgs (80), Espionage Orgs (90)]

Page 20: White Lightning Sept 2014

Why more tools?

[Same chart as Page 19, annotated: Push It]

Page 21: White Lightning Sept 2014

Why more tools?

[Same chart as Page 19, annotated: Push It, Real Good]

Page 22: White Lightning Sept 2014

Server-Side Exploitation, The Good Old Days

• Server side exploitation, the good old days
• Exploits a vulnerability in a service running on a port (traditional hack)
• Instant on-demand access
• Services tend to crash during exploitation
• Becoming less prevalent

[Diagram: Script Kiddie sends Exploit to Web Server / Database Server]

Page 23: White Lightning Sept 2014

So what are we to do?

Firewall all the things!

Page 24: White Lightning Sept 2014

Firewall all the Things!

Unfortunately our castles, a.k.a. the security technology stack, end up being like this…

And… real attackers know this and…

Page 25: White Lightning Sept 2014

Why Exploit Browsers

They Exploit our Browsers! … To gain Initial Access into Protected Networks
• Move past the hard outer wall & defenses
• Collect data from the initial endpoint
• Collect credentials and other tokens
• Pivot to other workstations & servers
  – Lather, rinse, repeat

Page 26: White Lightning Sept 2014

Why Exploit Browsers

[Diagram: Hacker sends Email w/ Exploit to an Admin; from there SSH w/ Creds reaches the Jump Server, Web Server and Database Server]

Client-Side
• Wait for user interaction
• Malicious document exploits
• Browser exploitation
• Trojan binaries
• Java applet
• VBScript infections

Page 27: White Lightning Sept 2014

Now Publicly Releasing -> White Lightning!

Pros:
• Extensible framework for exploitation
  – Platform for easy customizations
• Future proofed for new exploits
  – Elegant back-end for interaction with Metasploit
  – Easily supports the latest exploits
• Harder to defend against because it solves the egress port problem
  – Designed to only use 80/TCP w/ all valid HTTP requests
  – Selects the best exploit(s) to throw
  – Sets the number of exploits to throw, including survey only mode
• Payload never touches disk (unless you really want it to ☺)
• Fairly easy to set up & 100% FREE ☺

Page 28: White Lightning Sept 2014

Overview of White Lightning Management

[Diagram: Management -> Create -> Tasking -> creates Unique URL -> Hits (user visits URL) -> Survey (user loads; software installed) -> Throws (uses an exploit) -> Exploit; Click]

Page 29: White Lightning Sept 2014

Demo of White Lightning’s User Interface


Page 30: White Lightning Sept 2014

Sticking w/ Bryce’s Rule for Exploitation #?

- Survey: 80/TCP HTTP
- Exploit: 80/TCP HTTP
- Command & Control (C2): 80/TCP HTTP

Page 31: White Lightning Sept 2014

How to…?

- Valid HTTP Requests
- only on TCP port 80
- Integrate Multiple Tools
- Use on same endpoint

…?

Page 32: White Lightning Sept 2014

Overview of Apache Reverse Proxy

[Diagram: the browser only ever talks 80/TCP HTTP; the Apache Reverse Proxy routes e.com to White Lightning over 80/TCP HTTP and sub.e.com to Metasploit listening on TCP port 805 (805/TCP HTTP)]

Page 33: White Lightning Sept 2014

Overview of White Lightning’s Front-End & Back-End

Front End (e.com, 80/TCP HTTP): Survey for…
- OS Version
- OS Architecture (x86, x64)
- Browser Version
- Browser Plugins Versions
- etc…

Back End:
- Process Survey Data
- Exploit Selection Logic
- MSGRPC to Metasploit
- Return iFrame

[Diagram: the browser sends Survey Data to the back end and receives an iFrame in return]
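The survey-to-selection step the slides outline (front end reports OS, architecture, browser and plugin versions; back end picks the best applicable modules, capped by a per-tasking count where 0 is survey-only mode), as an added Python illustration that is not White Lightning's own code. The Survey and Rule types and every constraint value are assumptions for this example; only the module names come from the deck.

```python
# Added illustration of the slides' survey -> exploit-selection step. Not White
# Lightning's code: the Rule constraints below are constructed for this example
# and are NOT the real requirements of the Metasploit modules named.
from dataclasses import dataclass, field

def vtuple(v):
    """'11.2.202.400' -> (11, 2, 202, 400) so plugin versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Survey:                      # what the front end reports back via XMLHttpRequest
    os_name: str
    arch: str                      # "x86" or "x64"
    browser: str
    browser_version: int           # major version
    plugins: dict = field(default_factory=dict)   # plugin name -> version string

@dataclass
class Rule:                        # BrowserRequirements-style constraints for one module
    module: str
    rank: int                      # higher rank is preferred
    os_name: str = ""
    browser: str = ""
    browser_versions: tuple = ()   # allowed major versions; empty means any
    plugin: str = ""               # required plugin, if any
    plugin_max: str = ""           # plugin must be at or below this version

def matches(rule, s):
    if rule.os_name and rule.os_name != s.os_name:
        return False
    if rule.browser and rule.browser != s.browser:
        return False
    if rule.browser_versions and s.browser_version not in rule.browser_versions:
        return False
    if rule.plugin:                # plugin must be present and not newer than plugin_max
        have = s.plugins.get(rule.plugin)
        return have is not None and vtuple(have) <= vtuple(rule.plugin_max)
    return True

def select_exploits(s, rules, max_throw):
    """Best-ranked applicable modules, at most max_throw; max_throw=0 means survey only."""
    hits = sorted((r for r in rules if matches(r, s)), key=lambda r: -r.rank)
    return [r.module for r in hits[:max_throw]]

# Constructed rules: module names are from the deck, the constraints are made up here.
RULES = [
    Rule("exploit/windows/browser/ms14_012_cmarkup_uaf", 80, "Windows", "MSIE", (9, 10)),
    Rule("exploit/windows/browser/ms13_080_cdisplaypointer", 60, "Windows", "MSIE", (8, 9)),
    Rule("exploit/windows/browser/adobe_flash_pixel_bender_bof", 70, "Windows",
         plugin="Flash", plugin_max="13.0.0.182"),
]
```

With max_throw=0 a visit still records the full fingerprint, which is why a survey-only hit is worth detecting even though no exploit is ever thrown.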

Page 34: White Lightning Sept 2014

Detailed Overview of White Lightning’s Survey Process

[Diagram: browser -> e.com 80/TCP HTTP -> Front End -> XMLHttpReq -> Back End (Database, Metasploit) -> iFrame returned to the browser over 80/TCP]

Page 35: White Lightning Sept 2014

Detailed Overview of White Lightning’s Exploitation Process

[Diagram: browser -> sub.e.com 80/TCP -> 805/TCP HTTP -> Metasploit -> Exploit returned to the browser over 80/TCP]

Page 36: White Lightning Sept 2014

Detailed Overview of White Lightning’s Load Process

[Diagram: browser -> e.com 80/TCP -> Database -> Payload returned to the browser over 80/TCP]

Page 37: White Lightning Sept 2014

Exploits Supported

• exploit/windows/browser/adobe_flash_pixel_bender_bof
• exploit/windows/browser/ms13_022_silverlight_script_object
• exploit/windows/browser/adobe_cooltype_sing
• exploit/windows/browser/adobe_flash_avm2
• exploit/windows/browser/apple_quicktime_marshaled_punk
• exploit/windows/browser/ms14_012_textrange
• exploit/windows/browser/ms14_012_cmarkup_uaf
• exploit/windows/browser/ms13_080_cdisplaypointer
• exploit/windows/browser/ms13_059_cflatmarkuppointer
• exploit/windows/browser/ms13_055_canchor
• exploit/windows/browser/ms13_037_svg_dashstyle
• exploit/windows/browser/java_cmm
• etc… (mainly focused on exploiting Windows 7 & 8 workstations)

Page 38: White Lightning Sept 2014

Overview of Client-Side Exploitation


Page 39: White Lightning Sept 2014

Demo of White Lightning’s Exploitation


Page 40: White Lightning Sept 2014

Overview of Client-Side Exploitation


Page 41: White Lightning Sept 2014

Demo of WL Deploying TB


Page 42: White Lightning Sept 2014

Unhappy Campers ☺


Page 43: White Lightning Sept 2014

Source code on GitHub:

https://github.com/TweekFawkes

Source Code


Page 44: White Lightning Sept 2014

Training at BlackHat EU! Dark Side Ops:

Custom Penetration Testing

Training

October 14th & 15th in Amsterdam!!! ☺

Page 45: White Lightning Sept 2014

Road Map

Community Project! Road Map for future features…
• Select what exploits to use per tasking
• Add alternative iFrame methods
• Easily convert a reflective dll into a WL load
• Easily select & store payloads

Page 46: White Lightning Sept 2014

The End

Running Since 1791

Page 47: White Lightning Sept 2014

The End

Twitter: @TweekFawkes


Running Since 1791