Here are my notes from Defcon 24 for Saturday 2016-8-07.
You should check out the new Bloodhound graph tool for analyzing MS AD architecture. From the Empire folks. Wow! See my notes below for more details and the link.
Managed code rootkits for Java runtime environments
Need admin/root privilege
Compromises *every* program using the modified runtime.
- Usually code reviews, audits do not look at runtimes.
- Platform-independent rootkit
- Full-featured libraries available
Previous work: Erez Metula Defcon 17
- ReFrameworker to modify .NET runtimes
- Explored implications of MCRs
- Modify bytecode: Complex
- Decompiled Source: Hard problem since decompilers are not perfect, resulting code is unreliable
- Intermediate Representations
- Can be decompiled into “halfway” source
- Then recompile into bytecode.
- The best compromise solution.
An open source Eclipse plugin
- Write rootkits in Java source
- Exported modules are Eclipse Java programs
- Extend the object you want to manipulate in the runtime.
- No incremental compiler yet → Future enhancement.
@Define → replace object
@Merge → Keep old function and extend it.
- Showed how one could modify a private field of a runtime (RE) object
- Took 2 yr old exploit. Refactored it to obfuscate: CVE-2012-4681
- Reflective invocations for sensitive APIs
- Simple XOR packer of whole class. 0/56 on VirusTotal
- “Reverse Bug Patch” to unfix the patch for the old CVE vuln
- This also got 0/56 on VirusTotal.
- Great for backdoor.
- People don’t look for vulnerabilities but rather exploits.
- Inserting new method will change line numbering (unless attacker is really stealthy)
- Look at file hash, file size change
- “jref_” method rename (can be changed in preferences)
- Class / Method / Field counts
- Be aware of this when auditing!!!
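Added here as a defender's illustration (not the plugin's code, nor from the talk): a Python check that parses the member tables of a .class file and compares them with a baseline taken from a known-good copy of the runtime, flagging method-count drift, names missing from the baseline, and the jref_ rename prefix noted above. The class-file builder constructs the sample input; the class name Foo and the baseline list are assumptions.

```python
import struct
# Payload size per fixed-size constant-pool tag; tag 1 (Utf8) is variable length.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
def parse_class(data):
    """Return (field_names, method_names) declared in raw .class bytes."""
    assert struct.unpack_from(">I", data, 0)[0] == 0xCAFEBABE, "not a class file"
    cp_count, utf8, off, i = struct.unpack_from(">H", data, 8)[0], {}, 10, 1
    while i < cp_count:                       # walk the constant pool
        tag, off = data[off], off + 1
        if tag == 1:
            n = struct.unpack_from(">H", data, off)[0]
            utf8[i] = data[off + 2:off + 2 + n].decode("utf-8", "replace")
            off += 2 + n
        else:
            off += CP_FIXED[tag]
        i += 2 if tag in (5, 6) else 1        # Long/Double take two slots
    off += 8 + 2 * struct.unpack_from(">H", data, off + 6)[0]  # flags, this, super, interfaces[]
    tables = []
    for _ in range(2):                        # fields[] then methods[]
        count, names = struct.unpack_from(">H", data, off)[0], []
        off += 2
        for _ in range(count):
            name_idx, n_attr = struct.unpack_from(">HHHH", data, off)[1::2]
            off += 8
            names.append(utf8[name_idx])
            for _ in range(n_attr):           # skip attribute bodies (Code, etc.)
                off += 6 + struct.unpack_from(">HI", data, off)[1]
        tables.append(names)
    return tables[0], tables[1]

def audit_class(data, baseline_methods):
    """Diff one class against the method list recorded from a known-good runtime."""
    _, methods = parse_class(data)
    return {"method_count": len(methods),
            "new": [m for m in methods if m not in baseline_methods],
            "renamed": [m for m in methods if m.startswith("jref_")]}  # plugin's default prefix

def build_class(methods):
    """Constructed minimal class 'Foo' with attribute-less methods (sample input only)."""
    def utf(s): return b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = [utf("Foo"), b"\x07\x00\x01", utf("java/lang/Object"), b"\x07\x00\x03", utf("()V")]
    cp += [utf(m) for m in methods]
    out = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + struct.pack(">H", len(cp) + 1) + b"".join(cp)
    out += struct.pack(">HHHHH", 0x0021, 2, 4, 0, 0)       # flags, this, super, 0 ifaces, 0 fields
    out += struct.pack(">H", len(methods))
    for k in range(len(methods)):
        out += struct.pack(">HHHH", 0x0001, 6 + k, 5, 0)   # public, name, "()V", no attributes
    return out + b"\x00\x00"                                # no class attributes
```

Run it over every class extracted from the runtime's jars and diff against an inventory recorded at install time; a count change or a jref_ name is the signal the talk says auditors currently miss.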
Could be extended to other languages: Scala, Clojure, Groovy, Gosu; ported languages as well.
No one has done anything with this in the past 6 yr.
His goal in doing this: an Awareness project.
Many differences between Android and Java APIs. The above work is for the Java API. Cf https://en.wikipedia.org/wiki/Comparison_of_Java_and_Android_API
Mayhem was 3rd from the bottom of the list when I looked!!!
In other words, the machine was better than at least two of the human teams.
Bypassing captive portals and Limited networks
They defragged the room! Had everyone stand up + move to the center. Empty seats at edges. Brilliant!
Author is presenting at defcon with Powerpoint.
Explained in detail various ways to bypass hotel captive portals / restricted networks.
Slides are here and are self-explanatory:
Portals / captive networks are primitive. Not real NAP
- No real authN, encryption, just obfuscation.
- MAC filtering on gateway, AuthN → Radius
Everything’s Chilispot, DD-WRT, OpenWRT
Need an endpoint to tunnel to + some port in the GW to escape through.
- E.g. dns is usually proxied out.
- Can use iodine to tunnel dns (cf http://code.kryo.se/iodine/ )
Endpoint needs to be locked down
Ideally also need a google apps engine setup for portals supported by Ads.
Https proxy maybe useful but probably not.
Linux / Kali on endpoint. Allows MAC changing. Otherwise windows works and run Linux in VM. MobaXTerm, Iodine, Wireshark, nmap, fiddler2 on endpoint.
- Find gw. Nmap to see who’s there + what the g/w has open.
- Try connection to possible proxy ports (via browser config)
- Try app engine endpoint. Usually works if ad-supported.
- Try dns lookups. Use iodine for dns tunnel + then route through the tunnel.
- Last ditch: watch MAC address which stops being used. Clone MAC address + go out.
Domain Admin - Bloodhound
Who these ppl are
Veris Group ATD
These are the Empire, PowerView Devs!!!
“Defenders think in lists, Attackers think in Graphs. As long as this continues, attackers will win.”
Powerview: →find systems where Domain Admin logged in.
“Derivative Dmn Admin attack”
If computers are hardened + patched:
- Escalate privilege on one box. Typically this is a cleartext pwd in a file on a share.
- Find who is logged onto the compromised box.
- Pivot to each of these people, compromise their boxes with the stolen hashes.
- Rinse, repeat.
- Eventually you (might) find a path to compromise Domain Admin.
They call this “Derivative Local Admin” → Chained attack
Mechanisms giving rise to this
- AD group delegation
- Help Desk logs onto ppl’s desktop and leaves hashes there
- Time consuming / tedious
- Test is not comprehensive
- Limited situational awareness – you don’t understand what privileges u have.
- Maybe u don’t need DA but rather just some lower privileged group membership.
BloodHound – new graph tool
- Vertices: users groups computers domains
- Edges: Identity, group memberships, trusts, etc.
- Paths: directed so that privilege is always escalated.
The new tool (BloodHound) looks for a path through to DA
Get-BloodHoundData automates gathering PowerView data.
Export-BloodHoundData exports the collected data to neo4j (or CSVs for offline ingestion)
To construct the graph, the tool needs only 3 sets of data from the AD:
- Who is logged on?
- Who has admin rights
- What users + groups belong to which groups.
Usually a domain authenticated user can gather this info using std Win32 API calls. No special privileges needed.
Can also use GPOs to see who is in local admin groups by communicating with DC!!!
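An added example (not BloodHound's code) of the graph the talk describes, in Python: the three data sets above become directed edges that only ever move toward more privilege, a breadth-first search finds a derivative local admin chain to Domain Admins, and a defender-side helper lists which users have any such path so it can be cut. All hosts, users and groups are constructed sample data.

```python
from collections import deque

# Constructed sample of the three data sets the talk says BloodHound collects.
SESSIONS = [("WS01", "alice"), ("WS02", "helpdesk1"), ("SRV01", "dadmin")]  # (computer, logged-on user)
LOCAL_ADMINS = [("WS01", "bob"), ("WS02", "alice"), ("SRV01", "Helpdesk")]  # (computer, admin principal)
MEMBERSHIPS = [("helpdesk1", "Helpdesk"), ("dadmin", "Domain Admins")]      # (member, group)

def build_graph(sessions, local_admins, memberships):
    """Directed edges that always point toward more privilege, as in the talk."""
    edges = {}
    def add(src, kind, dst): edges.setdefault(src, []).append((kind, dst))
    for computer, user in sessions:
        add(computer, "HasSession", user)      # owning the box exposes that user's credentials
    for computer, principal in local_admins:
        add(principal, "AdminTo", computer)    # admin rights give code execution on the box
    for member, group in memberships:
        add(member, "MemberOf", group)         # a member inherits the group's rights
    return edges

def shortest_path(edges, start, goal="Domain Admins"):
    """BFS from one compromised principal; returns [(src, edge, dst), ...] or None."""
    parents, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parents[node]:
                prev, kind = parents[node]
                path.append((prev, kind, node))
                node = prev
            return path[::-1]
        for kind, nxt in edges.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, kind)
                queue.append(nxt)
    return None

def exposed_users(edges, users):
    """Defender view: which of these users have any path to Domain Admins."""
    return sorted(u for u in users if shortest_path(edges, u) is not None)

def demo():
    edges = build_graph(SESSIONS, LOCAL_ADMINS, MEMBERSHIPS)
    return shortest_path(edges, "bob"), exposed_users(edges, ["bob", "carol", "helpdesk1"])
```

Every edge on a returned path is a candidate fix: remove the help-desk session from SRV01, or the local admin right, and the chain breaks.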
Code is here:
Neural net to improve social engineering
Goal of research
Use AI to automate spear phishing
Goal is to generate links the user will click.
- Phishing: low rate of success 5-10%
- Spearphishing: Highly effective but very manual
These people work for ZeroFOX.
Natural language processing
MS AI + Deep Neural Netwk as a chatbot.
Now used for marketing.
ML on Offense
Why target Twitter?
- bot-friendly API
- colloquial syntax
- shortened links: ppl click shortened links without thinking about it
- trusting culture
- incentivized data disclosure: ppl want to share content
Their new tool. Runs in 2 phases:
- set of users divided into high-value / low-value targets
- crafts a tweet
- prepends tweet with @mention. Keeps tweet down
- shortens payload per user. Can determine whether a specific user clicked on link
- obeys rate limits
- checks whether person is a valuable target
- post non-phishing posts
- build believable profile.
Otherwise Twitter will find u + shut u down.
Looks at whether user is a good target. Runs clustering algorithm on following attributes:
- Description content
- Engagement: following / followers
- Whether default settings changed (shows engagement)
Looks at user timeline.
Builds either Markov model or neural net model. Constructs tweet.
Tweet can be scheduled for time when user is usually most engaged.
Tried different algorithms to maximize silhouette score. Ran k-means. Used sil. coef to tune k-means.
- gives timeline
- who referred the link
- Will link to malicious sites!!!
- Can create shortened links dynamically.
- API to give analytics programmatically.
Recon + profiling
What time user is likely to engage platform? What topics are likely to interest the user?
They used “Bag of Words” on timeline tweets. Counting frequencies. Simple.
Schedule post for a random minute during the hour when user is likely to respond.
Building the tweet for the user
How to build a tweet for the user? Two choices:
- Markov model
- Deep neural net.
Markov Model is used for text generation.
How it works:
- Measures pairwise freq of likeliness
- Uses this data to generate new text phrases.
- Are calculating transition probabilities.
- Quick to train.
- Small, light.
- Overfits to a given user.
- Performs poorly if only a few tweets are input to train the model.
- Generalizes out of the box to various other languages besides English.
LSTM == Long Short-Term Memory.
3 layers / 500 units/layer. Looks at context of whole sentence. Retraining required for new languages.
Runs on G2.2xlarge instance.
Training set was 2.2M tweets. Took them 5.5 days to train the model.
After 2 hrs: 17% clickthru rate.
After 2 days: 30%-66% clickthru rate. However, a lot of bots clicked on links (unknown referrers may be bots).
Compared person vs machine. Machine outperformed the human.
They obtained very good results with automated AI approach. Almost as good as manual targeting but much faster.
Can be applied to other social networks. Classic social engineering results.
Version on conference CDs. They will publish on Internet.
Phishing Jay Beale
Generalized base attack discussed here. Not targeted red team attack.
Collaboration / Communication / Negotiation is important.
Single Red team email may take months to construct so that it goes thru filters + generates trust in users. Use Office365, Gmail since are trusted domains.
Lessons learned follow.
No plan survives 1st contact with the enemy. Build time into the timeline for dealing with resistance / opposition.
Tell client what you need from the get-go. Approvals. Who can veto. Set + remind org of deadlines for approval. Prototype pretexts: Get final sign-off on pretext before building site. Involve org in developing pretexts. Multi-party negotiation.
- Introvert: communicate more in the beginning to avoid time spent cleaning up mess afterwards
Check your Spam folder
Spam filters trigger because domain is too new, domain has broken SPF,
- Check SPF (IPv6 addresses), DKIM (MTA with a domain that has existed for at least a week)
- Budget time + test the whitelist
- Otherwise spam filter will be trained on your pretext which will no longer be usable.
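An added example, not from the talk: an offline SPF evaluator in Python that shows the IPv6 gap noted above, where a record listing only ip4 ranges makes an IPv6-sending MTA fail -all. The records and addresses are constructed (documentation ranges); mechanisms needing DNS are reported as unresolved rather than looked up.

```python
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}

def spf_check(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF TXT record against sender_ip.
    Mechanisms that need DNS lookups stop this offline evaluation with 'unresolved'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                           # no SPF record: receivers treat as unauthenticated
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.split("/")[0].lower()       # strip a dual-cidr suffix such as a/24
        if name == "all":
            return QUALIFIER[qual]              # default verdict once nothing else matched
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"              # malformed mechanism (RFC 7208 handling)
            if net.version == ip.version and ip in net:
                return QUALIFIER[qual]          # an ip4 entry never matches an IPv6 sender
        elif name in NEEDS_DNS or mech.lower().startswith("redirect="):
            return "unresolved"
    return "neutral"                            # record ended without a match or an 'all'

# Constructed records: one that forgot the mail server's IPv6 range, one that lists it.
RECORD_V4_ONLY = "v=spf1 ip4:203.0.113.0/24 -all"
RECORD_FIXED = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"

def demo():
    """Same IPv6 MTA address against both records."""
    return (spf_check(RECORD_V4_ONLY, "2001:db8:10::25"),
            spf_check(RECORD_FIXED, "2001:db8:10::25"))
```

Run the sending domain's published TXT record through this with the MTA's actual outbound v4 and v6 addresses before the first test message goes out.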
Numbers Game Fail
Use best tools to populate lists but only get 15 emails out of 1000 employees. Because of Rules of Engagement, cannot brute force mail servers, buy mailing addresses, buy pager traffic like a real BlackHat would.
- Tell client that BlackHat hacker can get the addresses.
- We stipulate that we can get all email addresses + we spend time in better ways.
- Negotiate. We'll do as much as we can, you give us the rest.
Open floor plan office
Email says it is from xxx. Organization people all sit in the same place. They walk over and find out that the email is spam. Fail.
Need to know your client. Where people sit in the organization. Understand their escalation procedure (so that you can have them not react). Involve the client to validate that the pretext will work / suggest better
Low & slow
Client asks you to send email slowly. By the time you get 100 emails out, the security guys are doing IR.
Spam needs to be fast to get email in front of as many people as possible. Don’t want people to talk to each other. Give them a call to action with short delay + impose a severe penalty (“cut off your access”).
Poor domain choice
Choose a domain badly. E.g. Try changing “I” to “1”. But user awareness training usually trains ppl to spot this.
Pick a good domain for long term and use subdomains.
Client wants to choose poorly.
Need to collaborate / communicate / negotiate. Need to realize you are always in a negotiation. Ask ppl to brainstorm / bring in other voices.
Client would ask to use broken grammar + spelling because that is what they get. This lowers success rate + gives client false sense of security. Client loses → everyone loses.
Communicate what the effect will be because corporate emails do not look like broken stuff. Show them spam samples that prove your point. Be persistent. Have them explain why they want this.
Be willing to do both: some with broken grammar, some not.
Federal authority calls you because the phishing is so good. Internal infosec escalates + escalates too far.
Cause is that internal people are too secretive + tell *no one* inside the organization. You have to lead the project. Manage expectations. Mandatory: involve HR + Legal. Brainstorm who needs to know that phishing campaign is going on. Pre-empt escalation.
Success but unhappy client
Client keeps bothering you for results. Or is unhappy at the end even though you consider the test a success.
Need to set expectations about how results will be communicated, and what to expect. Tell the client when the test is over. Manage the mitigation phase.
Do not reinvent the wheel
Keep the infra when the test is over. Reuse what has already been done. Use existing good free tools. Standardize. Learn from mistakes + build into the process. Automate + script it so can be reused multiple times.
Unknown Hard Error that consultants didn’t understand.
Ask client how the test worked out. Get detailed feedback from the client.
Communicate / collaborate / lead (with) the client. If anyone loses the negotiation, everyone loses.