wrapping it up · 2013-06-17 · (network/host/application/…) ... address like location...
TRANSCRIPT
Step-By-Step, End-To-End, “APT” Simulation
Understand attackers techniques & methodologies
Discuss defense technologies and their limitations
Understand that there is no 100% security ..but we can still do something about it
“Advanced Persistent Threat”, Wikipedia
Step 1: Recon
Step 2: Exploits & Delivery
Step 3: Explore the network
Step 4: Persistency
Step 5: Exfiltrate
Progress Bar
Target Selection
OSINT (Corporate/Individual)
On-Site gathering
HUMINT (Key employees, social
engineering)
Foot-printing (Port scanning, banner
grabbing, etc..)
Identify protection mechanisms
(network/host/application/…)
http://www.pentest-standard.org/index.php/Intelligence_Gathering
Cross-protocol profiling
• Application-leaked information
• Data correlation
Weakest link and attack vector suggestion (Exploitation)
Social engineering helper (categorization)
MiTM with Automatic SSL Strip capabilities
Supports multiple protocols: • HTTP (>100 web apps are supported)
• SMTP, FTP, DHCP, …
Open Source!
https://ae.rsaconference.com/US12/published/rsaus12/sessions/SPO1-303/SPO1-303.pdf
“Internet Census of 2012” (Carna Botnet)
Shodan Search Engine
Google Dorks (Google Hacking)
http://internetcensus2012.bitbucket.org/paper.html
http://www.shodanhq.com/
There are no rules when gathering information
The more relevant data your collect, the better the attack can be
Gather intelligence anonymously (e.g. TOR)
Harvesting social information is not enough • Attackers need technical information, too
Social Profile
Full Name
Address
Like
Location
Friend’s with..
Works at…
.
.
Technical Profile
OS Version
Patch level
Browser usage
Installed plugins
AV Vendor
Firewall rules
.
.
Harvesting information on our victim • Social Profile
• Technical Profile
Organizing information with Maltego
Generating actionable items: • Locate the weakest link (Who?) Human / mobile device / server / …
• Define Time-Frames (When?)
• Engaging the target / Delivery Vector (How?)
Once accurate information was retrieved
one can move on to the next step…
Writing specific and reliable exploits
Preferably: • No user interaction
• No crash / hang (continue in normal flow)
• No memory corruptions (less reliable)
Oracle Java
Adobe Acrobat Reader
Adobe Flash
Microsoft Internet Explorer
Microsoft Word
.
.
“A Price List For Hackers Secret Software Exploits” Forbes
Smashing the stack is so 90’s
Exploit writing is no longer generic
Exploit mitigations makes it more
challenging • DEP, HiASLR , /GS, SEHOP, vTable Guard, Sandbox, …
ASLR randomize key data areas (libraries, heap, stack,…) • /DYNAMICBASE, PIE • Cannot jump to fixed addresses anymore • “Info-leak” era – Memory disclosure vulnerabilities
Dynamic ROP based on image base address
• HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,..)
• VirtualAlloc(..,PAGE_EXECUTE_READWRITE) + CopyMemory()
• VirtualProtect(,.. PAGE_EXECUTE_READWRITE)
• SetProcessDEPPolicy(0) • WriteProcessMemory(..) • …
http://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
Separating running applications
Lower the system privileges granted to the application
Provides a tightly controlled set of resources for guest
application
Adobe Sandbox Architecture
Chrome Sandbox Architecture
http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html
http://blog.azimuthsecurity.com/2010/05/chrome-sandbox-part-1-of-3-overview.html
Mainly three types of vulnerabilities • Broker process
• Kernel vulnerabilities
• Through other user mode services (with higher privilege)
Vulnerabilities in the kernel • A sandbox that relies on kernel security is as good as the kernel
security
• Exploiting unpatched kernel vulnerabilities can be used to break out IE10 (CVE-2013-2551) - Vupen Pwn2own 2013
Chrome (CVE-2013-0912) – MWR Labs Pwn2Own 2013
"+1 vuln“ case • Depends on the sandbox
• Less LOC == lowered attack surface
https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf
Targets: IE 6-10, Windows XP-Windows8, 32/64 bit
Vulnerability in Vector Markup Language (VML)
Integer overflow vulnerability in undocumented function
• Arbitrary Read/Write
• Disclose a pointer to bypass ASLR
Technique to read an arbitrary string in memory **
• #define MM_SHARED_USER_DATA_VA 0x7FFE0000
Dynamic Return-Oriented-Programming (ROP)
Use After Free Vulnerability
Code Execution in the context of IE10 sandbox
Kernel Vulnerability to escape the Sandbox
[Restriced] ONLY for designated groups and individuals
http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php
http://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf **
Allocate buffer (and use it)
Free Buffer (at some point)
Use Buffer (reuse it)
int main(void) {
int i;
char *c = malloc(10);
strcpy(c, "hello");
printf("%s", c);
free(c);
*c = 0; // UAF
}
Allocate Object -> Free Object
Overwrite the memory area with data (object/shellcode)
• Heap Spray techniques (popular but less reliable)
• Low Fragmentation Heap (LFH) manipulations
• Application specific techniques
Trigger vulnerability (use object)
Data will be interpreted as code
http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/
http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
Exploit overwrites a vtable (stack/heap)
Controlling EIP by calling a function pointer
Fill the memory with NOPS (0x0c -> popular) + shellcode
Memory at 0x0c0c0c0c will contain 0x0c0c0c0c
MOV EAX,DWORD PTR SS:[EBP+8] // Pointer to object
MOV EDX,DWORD PTR DS:[EAX] // Pointer to vtable
MOV EAX,[EDX+4] // Pointer to vfunc_A2 (offset)
CALL EAX // Call vfunc_A2
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf
Multiple pointer dereference:
EAX = 0x0c0c0c0c
[EAX] = 0x0c0c0c0c
[EDX+4] = 0x0c0c0c0c
CALL EAX // jump to 0x0c0c0c0c
0x0c0c (2 byte instruction) decoded as: OR AL 0x0C
Email attachment • Send a malicious email attachment
Browser Drive-By-Download
• Host the malicious content on a website
“Water-hole” technique
• Compromise a website the victim likely to visit
USB
• Brand the logo, and throw it next to a company HQ
Social Engineering
• Fool someone to do it for you
Mobile malware
• Spread a malicious mobile application
“WaterHole” vector
Browser exploit (DEP/ASLR/Sandbox bypass)
Result: Compromised machine in the network
Gain elevated access to resources
Perform unauthorized actions
Exploiting a bug or design flaw
Kernel-Mode vulnerabilities
http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html
http://www.exploit-db.com/exploits/25912/
Attackers will keep moving laterally in the
network • Find more devices
• Gain more access
• Find interesting data
Pass-The-Hash • Ease the SSO process by caching users credentials locally
• NTLM Uses password hashes in the challenge response
• Many available tools to dump the hashes: WCE, Pshtoolkit, …
Gain Privileged Access
Dump admin password hash
(Pshtoolkit, WCE,…)
Access Remote Computers
http://media.blackhat.com/bh-us-12/Briefings/Duckwall/BH_US_12_Duckwall_Campbell_Still_Passing_Slides.pdf
Attacker needs to stay for the long term
Users tend to: • Reboot their computer • Patch their systems • Update their signature detection
Attacker needs to deploy undetected software on
victim machine
Remote Administrator Tools (RAT) is the most popular • Poison Ivy , Dark Comet, Net Wire, ….
Client/Server Architecture
Allows a remote "operator" to control a system
• Taking screenshots
• File Management (downloading/uploading files)
• Shell control (execute commands)
• Key logging capabilities
AV vendors will likely flag the RAT as malicious
Need to create a variant of the same RAT
• Obfuscation
• Packers
• Cryptors
The result is “Same Same… But different”
Attackers test their software first
Uploading to VirusTotal will notify the AV vendors
There are some alternatives in the market
• e.g. Scan4You (VirusTotal for Criminals)
Sysadmin might detect the malicious program running
Need to hide the malicious activity using a rootkit
Rootkit is a stealthy software that hides the existence of certain processes/programs from normal methods of detection
What can it hide? • Network Communication
• Registry Values
• File-System
• Processes
• …
Kernel-mode Rootkit (ring 0)
• DKOM = Direct Kernel Object Manipulation
Loadable kernel module has access to kernel memory
• It can modify (manipulate) objects directly in memory
typedef struct _EPROCESS
{
KPROCESS Pcb;
..
..
LIST_ENTRY ActiveProcessLinks;
ULONGLONG ProcessQuotaUsage[2];
ULONGLONG ProcessQuotaPeak[2];
ULONGLONG CommitCharge;
PETHREAD RotateInProgress;
PETHREAD ForkInProgress;
..
..
UCHAR ImageFileName[16];
..
}
typedef struct _LIST_ENTRY
{
PLIST_ENTRY Flink;
PLIST_ENTRY Blink;
} LIST_ENTRY, *PLIST_ENTRY;
KPRCB -> ETHREAD -> KTHREAD -> EPROCESS
EPROCESS contains LIST_ENTRY (ActiveProcessLinks)
Traverse the list and look for the process to hide
Connect the previous process to point to the next one (and vice verse)
Why does the process
keeps running?
Create a variant of a malicious software
Test for detection
Install it on the victim machine
Hide the malicious process using a rootkit
Exfiltration “an unauthorized release of data from within a computer system” Wikipedia
Attacker needs to exfiltrate information from the network without getting detected
Many ways to achieve that: • Encrypted over SSL • Blend in normal traffic over HTTP Picture, Social media posts, pastebin, HTML tags,…
• VoIP • Removable Media
• . • .
“Steganography is the art and science of writing hidden messages in such
a way that no one, apart from the sender and intended recipient, suspects
the existence of the message” Wikipedia
Hiding secret information inside a cat (picture)
Uploading picture into a web service by blending
inside normal traffic
Why
me?
Information Gathering
Reliable exploitation
Target Selection/Delivery
Persistency and Stealthiness
Data Exfiltration
“Kill Chain” Concept (Lockheed martin)
Attacker only need to win once (find one hole)
Need to move the asymmetry from the attacker to the defender
The defender only need to detect once
What can be detected?
• Recon “Dry Run”
• Delivery methods
• Exploits techniques (heapspray, ROP chaining,…)
• Shellcode structure
• Communication (C2C communication)
• ..
• ..
Pattern Based Static Analysis
Dynamic Analysis
Hybrid Approach
MD5 / SHA1 / SHA256
Fuzzy hashing
Pattern-based
PCRE/ Regex
Proprietary language
Malware classifiers (J48, J48
Graft, PART)
Anti-VM
Anti-debugging
Anti-disassembly
Obfuscation
Reverse engineering
Semantic-aware detectors
Extract dynamic trace
Transform into IR
Compare to pre-defined templates
Memory dump analysis (packers)
API call trace analysis
Network activities
Registry modifications
Process creation/injections
File activities
What you see is what you get!
The Sample Lifecycle
Sample Arrives Unknown Static
Analysis
# Flags
< Threshold Dynamic
Analysis
Classification
Benign
Not Classified
Generic
Threat
Family
Threat
Classified
Manual
Analysis Malicious
Interesting
# Flags
< Threshold
Pattern Based Static Analysis
Dynamic Analysis
Hybrid Approach
Build variants (e.g. Zeus)
Append garbage
Encoding
“Stay compliant”
Packing
Obfuscation
Encryption
Anti-reversing techniques
Avoid using the same executable
template
Metasploit AV-evasion
Reuse “trusted templates”
PowerShell
In-memory exploits
Detect analysis*
Detect emulation*
Detect security product*
Beat the clock (AV sandbox)
“Split the maliciousness”
*Could be detected during static analysis
Based on Lockheed Martin
“Cyber Kill Chain”
Overview of offensive and
defensive exploit technologies
[Restricted] ONLY for designated groups and individuals
http://0xdabbad00.com/2013/04/28/exploit-mitigation-kill-chain/
http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
[Restricted] ONLY for designated groups and individuals
TIME
Cannot analyze program forever
• Slow down loops
• Sleep
• Time-consuming operations (Encryption/Packing)
SPACE
Cannot maintain unlimited states
• “Run out the clock”
• OpenProcess VirtualAllocEx WriteProcessMemory LOOP .. CreateRemoteThread
[Restricted] ONLY for designated groups and individuals
Elevation of privilege to kernel mode • Bypassing security products
Stolen certificate authorities
• Breaking the trust
Automatic static analysis is hard! • Packing / obfuscation / encryption
Manual static analysis
• Time consuming / not scalable
Dynamic analysis • The malware problem!
A subset of Malware that do not re-use old
patterns • Unseen exploit techniques
• Undetected delivery methods
• Undetected persistency tools
• Covert communication channels
• Stealthy rootkit
• ..
• ..
https://ae.rsaconference.com/US13/connect/fileDownload/session/DA3B2DD6AE143237522B02205867156D/SPO2-T19_SPO2-T19.pdf
Detecting internal threats using ML • Network Behavior Analysis
Malware Interaction • Making the malware “feel comfortable”
Effective patch management
Social engineering
Password Management • The Achilles heel of security
Privacy & Law enforcement
https://ae.rsaconference.com/US13/connect/fileDownload/session/AB01B2A7988BE24B3EC4802D824C20C3/HT-T17.pdf
http://video.ted.com/talk/stream/2011G/Blank/MikkoHypponen_2011G-320k.mp4
Attackers are 10 steps ahead
Defenders need to raise attacks complexity • Force mistakes
• Raise cost
• Setup traps
Defense-In-Depth works for 99%
• For the 1% we need to keep innovating
Exchange threat intelligence
Don’t forget the basics
• Patching
• Password re-use
• …