white lightning sept 2014
Post on 25-Jun-2015
Exploiting Browsers Like A Boss with
ThreatRoast • www.ThreatRoast.com
White Lightning!
Whoa, this isn't wood shop class?
Exploitation - (Pen)Testing
Defense - Threat Intel
About Bryce
2
Recipe Makes 1 Bryce
- 1 oz Chewbacca
- 2 oz Energy Drinks
- 37 oz Rage
Hacking
- SoCal Hacking
- Twentythreedotorg
- LA2600
Phishing Demo
3
Turtle Cavalry Attack! ☺
The Why…
4
Can You Hack Me Bro?
- Christmas years ago
- Can you hack me bro?
- Totes out of date Java
- SURE BRO!
- Redirected network
- iFrame to…
- Browser Autopwn
- Throws IE Exploits...
- at my Bro's Mac Book
Hacker says: Just use BeEF...
- I love BeEF…
  - for XSS and…
  - for interacting with the user's browser session
- I hate waiting for a user to click a link… so…
- Auto-run an exploit… but which exploit?
- Build a script with survey logic… but…
- It was painful to implement the logic to run the best applicable exploit(s)
5
The Why…
Realized… Just use a… Crimeware Exploit Kit (EK)
• Fully Automated
• Selects the best exploit(s)
• Uses only 80/TCP HTTP
• Every exploit has to be ported
• Usually drops a binary to disk
– (e.g. exe)
The Why…
6
Crimeware Exploit Kits (EK)
• Pros:
– Fairly easy to set up, depending on the kit
– Will select the best exploit(s) to throw
– Usually uses only 80/TCP HTTP
• Cons:
– Every exploit has to be ported to the EK
– Usually drops a binary (e.g. exe) to disk
– Potentially detectable by security products
– Costs $$ & Trust issues? ☺
Current Solutions -> Crimeware EK
7
Build your own custom solution with a mix of exploits and social engineering (SE) techniques
• Pros:
– Tailor the solution to the current engagement
– You know your solution
• Cons:
– Time to develop and refine operations
– Limited set of exploits and/or SE techniques
– Low chance of selecting the correct exploit
– Limited ability to leverage existing work
Current Solutions -> Custom Solution
8
Metasploit, selecting a single exploit
• Pros:
– Easy to set up
– Metasploit is awesome for exploit development
• Cons:
– Low chance of selecting the correct exploit
Current Solutions -> Metasploit with Single Exploit
9
• Metasploit's auxiliary/server/browser_autopwn
– Pros:
• Easy to set up
• Much better now with the "BrowserRequirements" options
• Metasploit is awesome for exploit development
– Cons:
• Throws all exploits Metasploit thinks are applicable (20+)
• Needs the target endpoint to have loose egress filtering
Current Solutions -> Metasploit Browser Autopwn
10
TCP Ports Analysis for Metasploit's Autopwn
11
[Diagram: every browser exploit is served over 80/TCP HTTP, but each payload calls back to its own handler port]
80/TCP HTTP: Exploit #1
80/TCP HTTP: Exploit #2
80/TCP HTTP: Exploit etc...
3333/TCP: windows/meterpreter/reverse_tcp
6666/TCP: generic/shell_reverse_tcp
7777/TCP: java/meterpreter/reverse_tcp
12
[Slide 12 repeats the same port diagram]
Bryce's Rule for Exploitation #?
Whenever possible, reuse the same:
• Transport Layer Protocol (TCP, UDP, etc…)
• Port Number (80, 445, etc…)
• Application Layer Protocol (HTTP, SMB, etc…)
• And communicate through the same path, including:
– To the same IP address
– Using the same hostname and/or domain
Between the exploit and initial access to the endpoint
Exploitation Truth
13
If it worked for the exploit… It should work for your RAT too :)
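A port-level view of the two layouts on these slides, as an added example that is not code from the talk or from the White Lightning project: it lists what each chain needs an egress policy to allow, so a defender can see why a web-only egress rule stops Autopwn's reverse handlers but does nothing against a chain that follows this rule. The stage lists are transcribed from the slides; the WEB_ONLY_EGRESS policy and the registrable_domain helper are constructed for the example.

```python
"""Egress footprint of a browser-exploitation chain versus an egress policy.

Added example; not code from the talk or from White Lightning. The stage
layouts are transcribed from the slides; the egress policy is a constructed
sample standing in for a real firewall rule set.
"""
from collections import namedtuple

# One network stage of the chain: protocol, destination port and destination host.
Stage = namedtuple("Stage", "name proto port host")

# Layout from the "TCP Ports Analysis for Metasploit's Autopwn" slide: exploits
# are served over 80/TCP, but each payload calls back to its own handler port.
AUTOPWN_CHAIN = [
    Stage("HTTP Exploit #1", "tcp", 80, "e.com"),
    Stage("HTTP Exploit #2", "tcp", 80, "e.com"),
    Stage("windows/meterpreter/reverse_tcp", "tcp", 3333, "e.com"),
    Stage("generic/shell_reverse_tcp", "tcp", 6666, "e.com"),
    Stage("java/meterpreter/reverse_tcp", "tcp", 7777, "e.com"),
]

# Layout from the "Sticking w/ Bryce's Rule" slide: survey, exploit and C2
# all ride 80/TCP HTTP to hosts in the same domain.
SAME_PATH_CHAIN = [
    Stage("Survey", "tcp", 80, "e.com"),
    Stage("Exploit", "tcp", 80, "sub.e.com"),
    Stage("Command & Control (C2)", "tcp", 80, "e.com"),
]

# Constructed egress policy: workstations may only reach the Internet on 80/TCP.
WEB_ONLY_EGRESS = {("tcp", 80)}


def egress_footprint(chain):
    """Distinct (proto, port) pairs the endpoint must be allowed to reach."""
    return sorted({(s.proto, s.port) for s in chain})


def stages_blocked(chain, allowed):
    """Names of stages an egress allow-list of (proto, port) pairs would stop."""
    return [s.name for s in chain if (s.proto, s.port) not in allowed]


def registrable_domain(host):
    """Last two DNS labels, so sub.e.com and e.com count as the same domain."""
    return ".".join(host.lower().split(".")[-2:])


def follows_rule(chain):
    """Bryce's rule: one transport, one port and one domain for every stage."""
    protos = {s.proto for s in chain}
    ports = {s.port for s in chain}
    domains = {registrable_domain(s.host) for s in chain}
    return len(protos) == 1 and len(ports) == 1 and len(domains) == 1


if __name__ == "__main__":
    for label, chain in (("Autopwn", AUTOPWN_CHAIN), ("Same path", SAME_PATH_CHAIN)):
        print(label, "needs", egress_footprint(chain),
              "| blocked by web-only egress:", stages_blocked(chain, WEB_ONLY_EGRESS),
              "| follows rule:", follows_rule(chain))
```

The takeaway for the defender is the empty "blocked" list for the same-path chain: once every stage looks like outbound HTTP to one domain, a port-based egress rule no longer distinguishes it from normal browsing, and the control has to move to the proxy layer (content inspection, domain reputation, anomaly detection on the HTTP itself).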
About White Lightning
14
What is White Lightning?
- Urban Dictionary
- A Burt Reynolds Movie
- Moonshine…
yeah but it is now also a
Platform for Browser Exploitation
18
Why more tools?
19
[Chart: Success Rate of Attackers, 0% to 100%, by attacker type: Auditor (10), Script Kiddie (30), White Hat Hacker (50), Hacktivist (60), Crime Orgs (80), Espionage Orgs (90); a "Publicly Available Tools" marker on the chart]
20
[Same chart, annotated "Push It": the Publicly Available Tools marker moves up]
21
[Same chart, annotated "Push It, Real Good"]
• Server side exploitation, the good old days
• Exploits a vulnerability in a service running on a port (the traditional hack)
• Instant, on-demand access
• Services tend to crash during exploitation
• Becoming less prevalent
Server-Side Exploitation, The Good Old Days
22
[Diagram: a Script Kiddie throws an Exploit directly at the Web Server and the Database Server]
Firewall all the things!
23
So what are we to do?
Firewall all the Things!
24
Unfortunately our Castles, A.K.A. the Security Technology Stack, end up being like this…
And…
Real attackers know this and…
They Exploit our Browsers! … To gain Initial Access into Protected Networks
• Move past the hard outer wall & defenses
• Collect data from the initial endpoint
• Collect credentials and other tokens
• Pivot to other workstations & servers
– Lather, rinse, repeat
Why Exploit Browsers
25
Why Exploit Browsers
[Diagram: the Hacker sends an Email w/ Exploit to the Admin; from the Admin's workstation, SSH w/ Creds reaches the Jump Server, the Web Server and the Database Server]
Client-Side
• Wait for user interaction
• Malicious document exploits
• Browser exploitation
• Trojan binaries
• Java applet
• VBScript infections
Pros:
• Extensible framework for exploitation
– Platform for easy customizations
• Future proofed for new exploits
– Elegant back-end for interaction with Metasploit
– Easily supports the latest exploits
• Harder to defend against because it solves the egress port problems
– Designed to only use 80/TCP with all valid HTTP requests
– Selects the best exploit(s) to throw
– Sets the number of exploits to throw, including a survey-only mode
• Payload never touches disk (unless you really want it to ☺)
• Fairly easy to set up & 100% FREE ☺
Now Publicly Releasing -> White Lightning!
27
Overview of White Lightning Management
28
[Diagram: Management creates a Tasking; the Tasking creates a Unique URL; a Hit is recorded when the User visits the URL and is Surveyed; a Throw uses an exploit; a Load is recorded when the User loads the software installed (Click)]
Demo of White Lightning’s User Interface
29
Sticking w/ Bryce's Rule for Exploitation #?
30
Survey: 80/TCP HTTP
Exploit: 80/TCP HTTP
Command & Control (C2): 80/TCP HTTP
How to…?
31
- Valid HTTP Requests
- only on TCP port 80
- Integrate Multiple Tools
- Use on the same endpoint
Overview of Apache Reverse Proxy
32
[Diagram: the browser talks 80/TCP HTTP to e.com and to sub.e.com; the Apache Reverse Proxy on 80/TCP forwards e.com requests to White Lightning (80/TCP HTTP) and sub.e.com requests to Metasploit listening on TCP port 805 (805/TCP HTTP)]
Overview of White Lightning's Front-End & Back-End
33
[Diagram: browser to e.com over 80/TCP HTTP]
Front End: Survey for…
- OS Version
- OS Architecture (x86, x64)
- Browser Version
- Browser Plugin Versions
- etc…
Back End:
- Process Survey Data
- Exploit Selection Logic
- MSGRPC to Metasploit
- Return iFrame
Survey Data is sent from the Front End to the Back End; an iFrame is returned.
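The survey data the front end collects and the back end processes, as an added example that is not code from the talk or from White Lightning: it parses the OS, architecture and browser version out of a User-Agent string, compares browser and plugin versions against a minimum-version baseline, and reports which components are outdated. The survey records, the BASELINE values and the parse/assess helpers are constructed for the example, not the project's own data or code; the exploit selection step the slides mention is deliberately not modelled. Run the same check over the User-Agent field of proxy logs and a defender gets the list of clients such a survey would single out, ahead of anyone else surveying them.

```python
"""Process browser survey records (OS, architecture, browser, plugin versions)
and flag components that fall below a version baseline.

Added example; not code from the talk or from White Lightning. Survey records
and the baseline are constructed for illustration.
"""
import re

# Constructed survey records in the shape the slides describe.
SAMPLE_SURVEYS = [
    {"ua": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
     "plugins": {"Shockwave Flash": "13.0.0.182", "Java": "1.7.0.45"}},
    {"ua": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36",
     "plugins": {"Shockwave Flash": "15.0.0.152"}},
    {"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 "
           "(KHTML, like Gecko) Version/7.0.6 Safari/537.78.2",
     "plugins": {}},
]

# Constructed minimum acceptable versions; a real baseline comes from vendor advisories.
BASELINE = {"Shockwave Flash": "15.0.0.0", "Java": "1.7.0.67", "IE": "11", "Chrome": "37"}

WINDOWS_NAMES = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1"}

# Browser patterns in priority order: IE (Trident) before Chrome before Safari,
# because Chrome and Safari user agents both contain the token "Safari".
BROWSER_PATTERNS = [
    ("IE", r"Trident/.*rv:(\d+)"),
    ("Chrome", r"Chrome/(\d+)"),
    ("Safari", r"Version/(\d+)[\d.]* .*Safari"),
]


def version_tuple(version):
    """'1.7.0.45' -> (1, 7, 0, 45) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_older(found, minimum):
    return version_tuple(found) < version_tuple(minimum)


def parse_user_agent(ua):
    """Extract OS name, OS architecture, browser and major browser version."""
    os_name, arch = "unknown", "unknown"
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name = WINDOWS_NAMES.get(m.group(1), "Windows NT " + m.group(1))
        # WOW64 = 32-bit browser on 64-bit Windows; Win64/x64 = native 64-bit browser.
        arch = "x64" if re.search(r"WOW64|Win64|x64", ua) else "x86"
    elif "Mac OS X" in ua:
        os_name = "Mac OS X"
    browser, version = "unknown", ""
    for name, pattern in BROWSER_PATTERNS:
        m = re.search(pattern, ua)
        if m:
            browser, version = name, m.group(1)
            break
    return {"os": os_name, "arch": arch, "browser": browser, "browser_version": version}


def assess(record):
    """Parsed survey plus the list of components below the baseline."""
    info = parse_user_agent(record["ua"])
    outdated = []
    if info["browser"] in BASELINE and is_older(info["browser_version"], BASELINE[info["browser"]]):
        outdated.append(info["browser"])
    for plugin, found in record["plugins"].items():
        if plugin in BASELINE and is_older(found, BASELINE[plugin]):
            outdated.append(plugin)
    info["outdated"] = outdated
    return info


def exposed_clients(surveys):
    """User agents of the records with at least one outdated component."""
    return [r["ua"] for r in surveys if assess(r)["outdated"]]


if __name__ == "__main__":
    for record in SAMPLE_SURVEYS:
        print(assess(record))
```

Two design points worth keeping when adapting this to real logs: versions must be compared as integer tuples (a string compare would call "13.0.0.182" newer than "9.0"), and browser detection has to be ordered, since a Chrome user agent also matches a naive Safari check.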
Detailed Overview of White Lightning's Survey Process
34
[Diagram: the browser requests e.com over 80/TCP HTTP and gets the Front End; survey data goes to the Back End via XMLHttpReq and is stored in the Database; the Back End consults Metasploit and returns an iFrame over 80/TCP]
Detailed Overview of White Lightning's Exploitation Process
35
[Diagram: the iFrame points at sub.e.com over 80/TCP; the Exploit is served over 80/TCP through the reverse proxy from Metasploit on 805/TCP HTTP; the Payload is returned]
Detailed Overview of White Lightning's Load Process
36
[Diagram: the Payload is fetched from e.com over 80/TCP and the load is recorded in the Database]
• exploit/windows/browser/adobe_flash_pixel_bender_bof
• exploit/windows/browser/ms13_022_silverlight_script_object
• exploit/windows/browser/adobe_cooltype_sing
• exploit/windows/browser/adobe_flash_avm2
• exploit/windows/browser/apple_quicktime_marshaled_punk
• exploit/windows/browser/ms14_012_textrange
• exploit/windows/browser/ms14_012_cmarkup_uaf
• exploit/windows/browser/ms13_080_cdisplaypointer
• exploit/windows/browser/ms13_059_cflatmarkuppointer
• exploit/windows/browser/ms13_055_canchor
• exploit/windows/browser/ms13_037_svg_dashstyle
• exploit/windows/browser/java_cmm
• etc… (mainly focused on exploiting Windows 7 & 8 workstations)
Exploits Supported
37
Overview of Client-Side Exploitation
38
Demo of White Lightning’s Exploitation
39
Overview of Client-Side Exploitation
40
Demo of WL Deploying TB
41
Unhappy Campers ☺
42
Source code on GitHub:
https://github.com/TweekFawkes
Source Code
43
Training at BlackHat EU! Dark Side Ops:
Custom Penetration Testing
Training
October 14th & 15th in Amsterdam!!! ☺
Community Project! Road Map for future features…
• Select what exploits to use per tasking
• Add alternative iFrame methods
• Easily convert a reflective dll into a WL load
• Easily select & store payloads
Road Map
45
The End
Running Since 1791
Twitter: @TweekFawkes