defcon 24 - Notes for Saturday 2016-8-06

Here are my notes from Defcon 24 for Saturday 2016-8-07.

You should check out the new Bloodhound graph tool for analyzing MS AD architecture. From the Empire folks. Wow! See my notes below for more details and the link.

Managed code rootkits for Java runtime environments

Need admin/root privilege
Compromises *every* pgm using the modified runtime.


  • Usually code reviews, audits do not look at runtimes.
  • Platform-independent rootkit
  • Full-featured libraries available
Previous work: Erez Metula Defcon 17
  • ReFrameworker to modify .NET runtimes
  • Explored implications of MCRs

Possible strategies

  1. Modify bytecode: complex.
  2. Decompiled source: hard problem, since decompilers are not perfect and the resulting code is unreliable.
  3. Intermediate representations:
    • Can be decompiled into “halfway” source
    • Then recompiled into bytecode.
    • The best compromise solution.


His tool.


An open source Eclipse plugin
  • Write rootkits in Java source
  • Exported modules are Eclipse Java programs
  • Extend the object you want to manipulate in the runtime.
  • No incremental compiler yet; future enhancement.

Annotation Types

  • @Define: replace the object
  • @Merge: keep the old function and extend it.


  • Showed how one could modify a private field of a runtime (RE) object
  • Took a 2 yr old exploit, CVE-2012-4681, and refactored it to obfuscate it:
  1. Reflective invocations for sensitive APIs
  2. Simple XOR packer for the whole class. 0/56 on VirusTotal
  • “Reverse Bug Patch” to unfix the patch for the old CVE vuln
    • This also got 0/56 on VirusTotal.
    • Great for a backdoor.
    • People don’t look for vulnerabilities but rather for exploits.


Detecting an MCR

  • Inserting a new method will change line numbering (unless the attacker is really stealthy)
  • Look at file hash, file size change
  • “jref_” method rename (the prefix can be changed in preferences)
  • Class / method / field counts
  • Be aware of this when auditing!!!
Could be extended to other languages: Scala, Clojure, Groovy, Gosu; ported languages as well.
No one has done anything with this in the past 6 yr.
His goal in doing this: an Awareness project.
Many differences between Android and Java APIs. The above work is for the Java API. Cf https://en.wikipedia.org/wiki/Comparison_of_Java_and_Android_API
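The detection indicators listed above (hash and size change, field/method counts, the “jref_” rename of the original method) can be checked mechanically against a known-good copy of a runtime class. The following is an added example, my own code rather than anything from the talk or the plugin: it parses the constant pool and member tables of a .class file directly, then compares a class against its baseline. The two sample class files are constructed inside the block (they are minimal and attribute-free, not real JDK output), and the `jref_` prefix is the default the notes mention.

```python
import hashlib
import struct

JREF_PREFIX = "jref_"  # default prefix given to the renamed original method (changeable in preferences)

# Body size of each constant-pool entry, excluding the 1-byte tag; Utf8 (tag 1) is variable-length.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _utf8(text):
    data = text.encode("utf-8")
    return struct.pack(">BH", 1, len(data)) + data


def build_class(class_name, fields, methods):
    """Construct a minimal .class file (sample input for this demo, not JDK output).
    fields/methods are lists of (name, descriptor); members carry no attributes."""
    pool = [_utf8(class_name), struct.pack(">BH", 7, 1),
            _utf8("java/lang/Object"), struct.pack(">BH", 7, 3)]

    def add(text):
        pool.append(_utf8(text))
        return len(pool)  # constant-pool indices are 1-based

    groups = []
    for members in (fields, methods):
        groups.append([struct.pack(">HHHH", 0x0001, add(name), add(desc), 0)
                       for name, desc in members])
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1) + b"".join(pool)
    out += struct.pack(">HHHH", 0x0021, 2, 4, 0)  # access_flags, this_class, super_class, interfaces_count
    for entries in groups:
        out += struct.pack(">H", len(entries)) + b"".join(entries)
    return out + struct.pack(">H", 0)  # no class-level attributes


def parse_class(data):
    """Walk the class file and return size, hash, Utf8 constants and field/method names."""
    magic, _minor, _major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, utf8 = 10, 1, {}
    while index < cp_count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack_from(">H", data, pos)
            utf8[index] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        else:
            pos += CP_SIZES[tag]
        index += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    pos += 6  # access_flags, this_class, super_class
    (n_interfaces,) = struct.unpack_from(">H", data, pos)
    pos += 2 + 2 * n_interfaces
    names = []
    for _ in range(2):  # fields table, then methods table
        (count,) = struct.unpack_from(">H", data, pos)
        pos += 2
        group = []
        for _ in range(count):
            _flags, name_index, _desc, n_attrs = struct.unpack_from(">HHHH", data, pos)
            pos += 8
            for _ in range(n_attrs):
                _name, length = struct.unpack_from(">HI", data, pos)
                pos += 6 + length
            group.append(utf8[name_index])
        names.append(group)
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "fields": names[0], "methods": names[1], "utf8": list(utf8.values())}


def audit(baseline_bytes, current_bytes):
    """Compare a runtime class against its known-good baseline using the indicators from the talk."""
    base, cur = parse_class(baseline_bytes), parse_class(current_bytes)
    findings = []
    if base["sha256"] != cur["sha256"]:
        findings.append("hash changed")
    if base["size"] != cur["size"]:
        findings.append(f"size changed {base['size']} -> {cur['size']}")
    for kind in ("fields", "methods"):
        if len(base[kind]) != len(cur[kind]):
            findings.append(f"{kind} count {len(base[kind])} -> {len(cur[kind])}")
    renamed = [s for s in cur["utf8"] if s.startswith(JREF_PREFIX)]
    if renamed:
        findings.append("renamed originals present: " + ", ".join(renamed))
    return findings


# Constructed samples: a clean class, and the same class after a @Merge-style modification
# that kept the original method under the jref_ prefix.
BASELINE = build_class("Foo", [("secret", "I")], [("doWork", "()V")])
MODIFIED = build_class("Foo", [("secret", "I")], [("doWork", "()V"), ("jref_doWork", "()V")])

if __name__ == "__main__":
    for finding in audit(BASELINE, MODIFIED):
        print(finding)
```

In practice the baseline would be the class extracted from a vendor JAR of the same version; the point of parsing the member tables rather than just hashing is that a hash only tells you something changed, while counts and the rename prefix tell an auditor what to look at.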


Mayhem was 3rd from the bottom of the list when I looked!!!
In other words, the machine was better than at least two of the human teams.

Bypassing captive portals and Limited networks

They defragged the room! Had everyone stand up + move to the center. Empty seats at edges. Brilliant!
Author is presenting at defcon with Powerpoint.
Explained in detail various ways to bypass hotel captive portals / restricted networks.
Slides are here and are self-explanatory:
Portals / captive networks are primitive. Not real NAP.
  • No real authN or encryption, just obfuscation.
  • MAC filtering on the gateway, authN via RADIUS
Everything is ChilliSpot, DD-WRT or OpenWRT.
Need an endpoint to tunnel to, plus some port on the gateway to escape through, e.g. DNS is usually proxied out.
Endpoint needs to be locked down.
Ideally also need a Google App Engine setup for portals supported by ads.
An HTTPS proxy may be useful, but probably not.
Linux / Kali on the endpoint, which allows MAC changing. Otherwise Windows works; run Linux in a VM. MobaXterm, iodine, Wireshark, nmap, Fiddler2 on the endpoint.


  • Find the gateway. Nmap to see who’s there and what the gateway has open.
  • Try connecting to possible proxy ports (via browser config)
  • Try the App Engine endpoint. Usually works if ad-supported.
  • Try DNS lookups. Use iodine for a DNS tunnel, then route through the tunnel.
  • Last ditch: watch for a MAC address which stops being used. Clone the MAC address and go out.

Domain Admin - Bloodhound

Who these ppl are

Veris Group ATD
These are the Empire, PowerView Devs!!!
“Defenders think in lists, Attackers think in Graphs. As long as this continues, attackers will win.”
Powerview: find systems where Domain Admin logged in.

“Derivative Dmn Admin attack”

If computers are hardened + patched:
  • Escalate privilege on one box. Typically this is a cleartext pwd in a file on a share.
  • Find who is logged onto the compromised box.
  • Pivot to each of these people, compromise their boxes with the stolen hashes.
  • Rinse, repeat.
  • Eventually you (might) find a path to compromise Domain Admin.
They call this “Derivative Local Admin” Chained attack

Mechanisms giving rise to this

  • AD group delegation
  • Help Desk logs onto ppl’s desktop and leaves hashes there


Problems with doing this manually

  • Time consuming / tedious
  • Test is not comprehensive
  • Limited situational awareness – you don’t understand what privileges you have.
  • Maybe you don’t need DA but rather just some lower-privileged group membership.

BloodHound – new graph tool

Graph theory

  • Vertices: users, groups, computers, domains
  • Edges: identity, group memberships, trusts, etc.
  • Paths: directed so that privilege is always escalated.

Basic function

The new tool (BloodHound) looks for a path through to DA.
Get-BloodHoundData automates gathering PowerView data.
Export-BloodHoundData exports the collected data to neo4j (or to CSVs for offline ingestion).

Input data

To construct the graph, the tool needs only 3 sets of data from the AD:
  • Who is logged on?
  • Who has admin rights?
  • Which users and groups belong to which groups?
Usually a domain-authenticated user can gather this info using standard Win32 API calls. No special privileges needed.
Can also use GPOs to see who is in local admin groups by communicating with the DC!!!
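The three data sets above map directly onto a directed graph, and “a path to DA” is then an ordinary shortest-path query. The following is an added example (my own code, not BloodHound or PowerView): it builds the graph from constructed sample memberships, admin rights and sessions, runs a BFS from a given principal to the Domain Admins group, and counts which edges sit on the most paths. The relation names `MemberOf`, `AdminTo` and `HasSession` and all users/hosts are my own sample labels; the counting of shared edges is a defender’s view the talk does not spell out, since those are the sessions and group nestings worth removing first.

```python
from collections import Counter, defaultdict, deque

# Constructed sample of the three collections the talk lists (not real AD data).
MEMBERSHIPS = [  # (principal, group)  -> MemberOf edge
    ("alice", "Helpdesk"),
    ("Helpdesk", "Workstation Admins"),
    ("carol", "Server Admins"),
    ("bob", "Domain Admins"),
]
ADMIN_RIGHTS = [  # (principal, computer) -> AdminTo edge (local admin)
    ("Workstation Admins", "WS01"),
    ("Workstation Admins", "WS02"),
    ("Server Admins", "SRV01"),
    ("Domain Admins", "DC01"),
]
SESSIONS = [  # (computer, logged-on user) -> HasSession edge (credentials present on the box)
    ("WS02", "carol"),
    ("SRV01", "bob"),
]
TARGET = "Domain Admins"


def build_graph(memberships, admin_rights, sessions):
    """Directed graph in which every edge points toward more privilege."""
    graph = defaultdict(list)  # node -> [(neighbour, relation)]
    for principal, group in memberships:
        graph[principal].append((group, "MemberOf"))
    for principal, host in admin_rights:
        graph[principal].append((host, "AdminTo"))
    for host, user in sessions:
        graph[host].append((user, "HasSession"))
    return graph


def shortest_path(graph, start, target):
    """BFS. Returns the path as (src, relation, dst) edges, [] if start is the target, None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            edges = []
            while prev[node] is not None:
                parent, relation = prev[node]
                edges.append((parent, relation, node))
                node = parent
            return edges[::-1]
        for neighbour, relation in graph.get(node, []):
            if neighbour not in prev:
                prev[neighbour] = (node, relation)
                queue.append(neighbour)
    return None


def choke_points(graph, starts, target):
    """Edges that lie on the most shortest paths to the target: where a defender cuts the most paths at once."""
    counts = Counter()
    for start in starts:
        for edge in shortest_path(graph, start, target) or []:
            counts[edge] += 1
    return counts.most_common()


def format_path(edges):
    if not edges:
        return "(start is the target)"
    parts = [edges[0][0]]
    for _, relation, dst in edges:
        parts.append(f"-[{relation}]-> {dst}")
    return " ".join(parts)


if __name__ == "__main__":
    graph = build_graph(MEMBERSHIPS, ADMIN_RIGHTS, SESSIONS)
    for user in ("alice", "carol", "dave"):
        path = shortest_path(graph, user, TARGET)
        print(f"{user}: {format_path(path) if path is not None else 'no path'}")
    for edge, n in choke_points(graph, ["alice", "carol", "bob"], TARGET)[:3]:
        print(f"{n} path(s) use {edge}")
```

With this data alice (a help-desk account with no direct rights) reaches Domain Admins in eight hops purely through group nesting and two stale sessions; the edge shared by every path is bob’s DA membership, but the one a defender can actually act on is bob’s session on SRV01.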
BloodHound demo.

Code is here:

Neural net to improve social engineering

Goal of research

Use AI to automate spear phishing.
Goal is to generate links the user will click.
  • Phishing: low rate of success, 5-10%
  • Spearphishing: highly effective but very manual
These people work for ZeroFOX.


Natural language processing

2016 @TayandYou

MS AI + Deep Neural Netwk as a chatbot.
Now used for marketing.

ML on Offense

Why target Twitter?
  • bot-friendly API
  • colloquial syntax
  • shortened links: ppl click shortened links without thinking about it
  • trusting culture
  • incentivized data disclosure: ppl want to share content


Their new tool. Runs in 2 phases:
  • set of users divided into high-value / low-value targets
  • crafts a tweet


  • prepends tweet with @mention. Keeps tweet down
  • shortens payload per user. Can determine whether a specific user clicked on link
  • obeys rate limits
  • checks whether person is a valuable target
  • post non-phishing posts
  • build believable profile.
Otherwise Twitter will find you and shut you down.



Looks at whether user is a good target. Runs clustering algorithm on following attributes:
  • Description content
  • Engagement: following / followers
  • Age
  • #myfirsttweet
  • Whether default settings changed (shows engagement)
Looks at user timeline.
Builds either Markov model or neural net model. Constructs tweet.
Tweet can be scheduled for time when user is usually most engaged.

Clustering algorithm

Tried different algorithms to maximize silhouette score. Ran k-means. Used the silhouette coefficient to tune k-means.

URL shortening

Chose Goo.gl:
  • gives timeline
  • analytics (who referred the link, browser, country, platform)
  • Will link to malicious sites!!!
  • Can create shortened links dynamically.
  • API to give analytics programmatically.

Recon + profiling

What time user is likely to engage platform? What topics are likely to interest the user?
They used “Bag of Words” on timeline tweets. Counting frequencies. Simple.
Schedule post for a random minute during the hour when user is likely to respond.

Building the tweet for the user

How to build a tweet for the user? Two choices:
  • Markov model
  • Deep neural net.

Markov Models

Markov Model is used for text generation.
How it works:
  • Measures pairwise frequencies, i.e. how likely one token is to follow another.
  • Uses this data to generate new text phrases.
  • In other words, it is calculating transition probabilities.
  • Quick to train.
  • Small, light.
  • Overfits to a given user.
  • Performs poorly if only a few tweets are available to train the model.
  • Generalizes out of the box to various other languages besides English.

Neural Net

LSTM == Long Short-Term Memory.
3 layers / 500 units/layer. Looks at context of whole sentence. Retraining required for new languages.
Runs on G2.2xlarge instance.
Training set was 2.2M tweets. Took them 5.5 days to train the model.



After 2 hrs: 17% click-through rate.
After 2 days: 30%-66% click-through rate. However, a lot of bots clicked on the links too (unknown referrers may be bots).
Compared person vs machine. The machine outperformed the human.


They obtained very good results with automated AI approach. Almost as good as manual targeting but much faster.
Can be applied to other social networks. Classic social engineering results.
Version on conference CDs. They will publish on Internet.

Phishing Jay Beale

Generalized base attack discussed here. Not targeted red team attack.
Collaboration / Communication / Negotiation is important.
A single red team email may take months to construct so that it goes through filters and generates trust in users. Use Office365 or Gmail, since they are trusted domains.
Lessons learned follow.

Schedule Fail

No plan survives 1st contact with the enemy. Build time into the timeline for dealing with resistance / opposition.

Communication Fail

Tell client what you need from the get-go. Approvals. Who can veto. Set + remind org of deadlines for approval. Prototype pretexts: Get final sign-off on pretext before building site. Involve org in developing pretexts. Multi-party negotiation.
  • Introvert: communicate more in the beginning to avoid time spent cleaning up mess afterwards

Check your Spam folder

Spam filters trigger because the domain is too new or the domain has broken SPF:
  • Check SPF (IPv6 addresses) and DKIM (MTA with a domain that has existed for at least a week)
  • Budget time and test the whitelist
  • Otherwise the spam filter will be trained on your pretext, which will no longer be usable.
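“Broken SPF” is usually a syntax or limit problem in the published TXT record rather than anything subtle, and the same check a tester runs on a pretext domain is the one a mail admin should run on a production domain. The following is an added example (my own code, not from the talk): a small SPF record linter that flags a missing version tag, unknown mechanisms, more than the ten DNS-lookup terms RFC 7208 allows, an open `+all`, terms after `all`, and, as the talk’s IPv6 point, a record that lists only `ip4` addresses so that mail sent over IPv6 would fail. The sample records are constructed; the IPv6 check is a heuristic (an `include`, `a`, `mx` or `redirect` may carry IPv6 coverage, so only records with none of those are flagged).

```python
import re

# Terms that cost a DNS lookup and count toward RFC 7208's limit of 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
# qualifier, mechanism/modifier name, optional value after ':' '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def check_spf(record):
    """Return a list of problems found in an SPF TXT record string; empty means it looks sane."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 version tag"]
    problems, seen, lookups = [], set(), 0
    for pos, term in enumerate(terms[1:], start=1):
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name, value = m.group(1), m.group(2).lower(), m.group(3)
        if name not in KNOWN_TERMS:
            problems.append(f"unknown mechanism {name!r}")
            continue
        seen.add(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6", "include", "exists", "redirect") and not value:
            problems.append(f"{name} needs a value")
        if name == "all":
            if qualifier in ("", "+"):
                problems.append("'+all' lets any host send as this domain")
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if "all" not in seen and "redirect" not in seen:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    if not seen & {"ip6", "include", "a", "mx", "redirect"}:
        problems.append("only ip4 mechanisms: mail sent over IPv6 will fail SPF")
    return problems


# Constructed sample records (example.net / example addresses are placeholders).
GOOD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
NO_IPV6 = "v=spf1 ip4:198.51.100.7 -all"
TOO_MANY = "v=spf1 " + " ".join(f"include:sp{i}.example" for i in range(11)) + " ~all"
OPEN = "v=spf1 mx +all"

if __name__ == "__main__":
    for label, record in (("good", GOOD), ("no-ipv6", NO_IPV6), ("too-many", TOO_MANY), ("open", OPEN)):
        print(label, check_spf(record) or "ok")
```

This only validates the record text; resolving the includes (and checking that the sending MTA’s actual addresses are covered) still needs a live DNS lookup, which is the part worth budgeting test time for.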

Numbers Game Fail

Use the best tools to populate lists but only get 15 emails out of 1000 employees. Because of the Rules of Engagement, you cannot brute force mail servers, buy mailing addresses or buy pager traffic like a real black hat would.
  • Tell the client that a black-hat hacker can get the addresses.
  • We stipulate that we can get all email addresses, and we spend the time in better ways.
  • Negotiate. We’ll do as much as we can, you give us the rest.

Open floor plan office

Email says it is from xxx. Organization people all sit in the same place. They walk over and find out that the email is spam. Fail.
Need to know your client. Where people sit in the organization. Understand their escalation procedure (so that you can have them not react). Involve the client to validate that the pretext will work / suggest better

Low & slow

Client asks you to send email slowly. By the time you get 100 emails out, the security guys are doing IR.
Spam needs to be fast to get email in front of as many people as possible. Don’t want people to talk to each other. Give them a call to action with short delay + impose a severe penalty (“cut off your access”).

Poor domain choice

Choosing a domain badly, e.g. trying to change “I” to “1”. But user awareness training usually trains people to spot this.
Pick a good domain for long term and use subdomains.


Client wants to choose poorly.
Need to collaborate / communicate / negotiate. Need to realize you are always in a negotiation. Ask ppl to brainstorm / bring in other voices.

Broken Grammar

The client would ask to use broken grammar and spelling because that is what they get. This lowers the success rate and gives the client a false sense of security. The client loses, everyone loses.
Communicate what the effect will be because corporate emails do not look like broken stuff. Show them spam samples that prove your point. Be persistent. Have them explain why they want this.
Be willing to do both: some with broken grammar, some not.

The Investigation

Federal authority calls you because the phishing is so good. Internal infosec escalates, and escalates too far.
Cause is that internal people are too secretive + tell *no one* inside the organization. You have to lead the project. Manage expectations. Mandatory: involve HR + Legal. Brainstorm who needs to know that phishing campaign is going on. Pre-empt escalation.

Success but unhappy client

Client keeps bothering you for results. Or is unhappy at the end even though you consider the test a success.
Need to set expectations about how results will be communicated, and what to expect. Tell the client when the test is over. Manage the mitigation phase.

Do not reinvent the wheel

Keep the infra when the test is over. Reuse what has already been done. Use existing good free tools. Standardize. Learn from mistakes + build into the process. Automate + script it so can be reused multiple times.

Unknown impact

Unknown Hard Error that consultants didn’t understand.
Ask client how the test worked out. Get detailed feedback from the client.


Communicate / collaborate / lead (with) the client. If anyone loses the negotiation, everyone loses.

