[Re|stricted] ONLY for designated groups and individuals

Tomer Teller

Step-By-Step, End-To-End, “APT” Simulation

Understand attackers techniques & methodologies

Discuss defense technologies and their limitations

Understand that there is no 100% security ..but we can still do something about it

“Advanced Persistent Threat”, Wikipedia

Step 1: Recon

Step 2: Exploits & Delivery

Step 3: Explore the network

Step 4: Persistency

Step 5: Exfiltrate

Progress Bar

Zombie & Co

Domain Controller

Switch

Domain Clients

For The Lulz

Target Selection

OSINT (Corporate/Individual)

On-Site gathering

HUMINT (Key employees, social

engineering)

Foot-printing (Port scanning, banner

grabbing, etc..)

Identify protection mechanisms

(network/host/application/…)

http://www.pentest-standard.org/index.php/Intelligence_Gathering

dvader86@gmail.com dvader86@hotmail.com dvader86@yahoo.com

Cross-protocol profiling

• Application-leaked information

• Data correlation

Weakest link and attack vector suggestion (Exploitation)

Social engineering helper (categorization)

MiTM with Automatic SSL Strip capabilities

Supports multiple protocols: • HTTP (>100 web apps are supported)

• SMTP, FTP, DHCP, …

Open Source!

https://ae.rsaconference.com/US12/published/rsaus12/sessions/SPO1-303/SPO1-303.pdf

“Internet Census of 2012” (Carna Botnet)

Shodan Search Engine

Google Dorks (Google Hacking)

http://internetcensus2012.bitbucket.org/paper.html

http://www.shodanhq.com/

There are no rules when gathering information

The more relevant data your collect, the better the attack can be

Gather intelligence anonymously (e.g. TOR)

Harvesting social information is not enough • Attackers need technical information, too

Social Profile

Full Name

Address

Like

Location

Friend’s with..

Works at…

.

.

Technical Profile

OS Version

Patch level

Browser usage

Installed plugins

AV Vendor

Firewall rules

.

.

Harvesting information on our victim • Social Profile

• Technical Profile

Organizing information with Maltego

Generating actionable items: • Locate the weakest link (Who?) Human / mobile device / server / …

• Define Time-Frames (When?)

• Engaging the target / Delivery Vector (How?)

Once accurate information was retrieved

one can move on to the next step…

Writing specific and reliable exploits

Preferably: • No user interaction

• No crash / hang (continue in normal flow)

• No memory corruptions (less reliable)

Oracle Java

Adobe Acrobat Reader

Adobe Flash

Microsoft Internet Explorer

Microsoft Word

.

.

“A Price List For Hackers Secret Software Exploits” Forbes

Smashing the stack is so 90’s

Exploit writing is no longer generic

Exploit mitigations makes it more

challenging • DEP, HiASLR , /GS, SEHOP, vTable Guard, Sandbox, …

ASLR randomize key data areas (libraries, heap, stack,…) • /DYNAMICBASE, PIE • Cannot jump to fixed addresses anymore • “Info-leak” era – Memory disclosure vulnerabilities

Dynamic ROP based on image base address

• HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,..)

• VirtualAlloc(..,PAGE_EXECUTE_READWRITE) + CopyMemory()

• VirtualProtect(,.. PAGE_EXECUTE_READWRITE)

• SetProcessDEPPolicy(0) • WriteProcessMemory(..) • …

http://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf

https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

Separating running applications

Lower the system privileges granted to the application

Provides a tightly controlled set of resources for guest

application

Adobe Sandbox Architecture

Chrome Sandbox Architecture

http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html

http://blog.azimuthsecurity.com/2010/05/chrome-sandbox-part-1-of-3-overview.html

Mainly three types of vulnerabilities • Broker process

• Kernel vulnerabilities

• Through other user mode services (with higher privilege)

Vulnerabilities in the kernel • A sandbox that relies on kernel security is as good as the kernel

security

• Exploiting unpatched kernel vulnerabilities can be used to break out IE10 (CVE-2013-2551) - Vupen Pwn2own 2013

Chrome (CVE-2013-0912) – MWR Labs Pwn2Own 2013

"+1 vuln“ case • Depends on the sandbox

• Less LOC == lowered attack surface

https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf

Targets: IE 6-10, Windows XP-Windows8, 32/64 bit

Vulnerability in Vector Markup Language (VML)

Integer overflow vulnerability in undocumented function

• Arbitrary Read/Write

• Disclose a pointer to bypass ASLR

Technique to read an arbitrary string in memory **

• #define MM_SHARED_USER_DATA_VA 0x7FFE0000

Dynamic Return-Oriented-Programming (ROP)

Use After Free Vulnerability

Code Execution in the context of IE10 sandbox

Kernel Vulnerability to escape the Sandbox

[Restriced] ONLY for designated groups and individuals

http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php

http://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf **

Allocate buffer (and use it)

Free Buffer (at some point)

Use Buffer (reuse it)

int main(void) {

int i;

char *c = malloc(10);

strcpy(c, "hello");

printf("%s", c);

free(c);

*c = 0; // UAF

}

Allocate Object -> Free Object

Overwrite the memory area with data (object/shellcode)

• Heap Spray techniques (popular but less reliable)

• Low Fragmentation Heap (LFH) manipulations

• Application specific techniques

Trigger vulnerability (use object)

Data will be interpreted as code

http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/

http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

Exploit overwrites a vtable (stack/heap)

Controlling EIP by calling a function pointer

Fill the memory with NOPS (0x0c -> popular) + shellcode

Memory at 0x0c0c0c0c will contain 0x0c0c0c0c

MOV EAX,DWORD PTR SS:[EBP+8] // Pointer to object

MOV EDX,DWORD PTR DS:[EAX] // Pointer to vtable

MOV EAX,[EDX+4] // Pointer to vfunc_A2 (offset)

CALL EAX // Call vfunc_A2

https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf

Multiple pointer dereference:

EAX = 0x0c0c0c0c

[EAX] = 0x0c0c0c0c

[EDX+4] = 0x0c0c0c0c

CALL EAX // jump to 0x0c0c0c0c

0x0c0c (2 byte instruction) decoded as: OR AL 0x0C

Email attachment • Send a malicious email attachment

Browser Drive-By-Download

• Host the malicious content on a website

“Water-hole” technique

• Compromise a website the victim likely to visit

USB

• Brand the logo, and throw it next to a company HQ

Social Engineering

• Fool someone to do it for you

Mobile malware

• Spread a malicious mobile application

“WaterHole” vector

Browser exploit (DEP/ASLR/Sandbox bypass)

Result: Compromised machine in the network

Gain elevated access to resources

Perform unauthorized actions

Exploiting a bug or design flaw

Kernel-Mode vulnerabilities

http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html

http://www.exploit-db.com/exploits/25912/

Attackers will keep moving laterally in the

network • Find more devices

• Gain more access

• Find interesting data

Pass-The-Hash • Ease the SSO process by caching users credentials locally

• NTLM Uses password hashes in the challenge response

• Many available tools to dump the hashes: WCE, Pshtoolkit, …

Gain Privileged Access

Dump admin password hash

(Pshtoolkit, WCE,…)

Access Remote Computers

http://media.blackhat.com/bh-us-12/Briefings/Duckwall/BH_US_12_Duckwall_Campbell_Still_Passing_Slides.pdf

Pass-The-Hash between nodes in the domain

Gain more access in the network

Maintain persistency

Attacker needs to stay for the long term

Users tend to: • Reboot their computer • Patch their systems • Update their signature detection

Attacker needs to deploy undetected software on

victim machine

Remote Administrator Tools (RAT) is the most popular • Poison Ivy , Dark Comet, Net Wire, ….

Client/Server Architecture

Allows a remote "operator" to control a system

• Taking screenshots

• File Management (downloading/uploading files)

• Shell control (execute commands)

• Key logging capabilities

AV vendors will likely flag the RAT as malicious

Need to create a variant of the same RAT

• Obfuscation

• Packers

• Cryptors

The result is “Same Same… But different”

Attackers test their software first

Uploading to VirusTotal will notify the AV vendors

There are some alternatives in the market

• e.g. Scan4You (VirusTotal for Criminals)

Sysadmin might detect the malicious program running

Need to hide the malicious activity using a rootkit

Rootkit is a stealthy software that hides the existence of certain processes/programs from normal methods of detection

What can it hide? • Network Communication

• Registry Values

• File-System

• Processes

• …

Kernel-mode Rootkit (ring 0)

• DKOM = Direct Kernel Object Manipulation

Loadable kernel module has access to kernel memory

• It can modify (manipulate) objects directly in memory

typedef struct _EPROCESS

{

KPROCESS Pcb;

..

..

LIST_ENTRY ActiveProcessLinks;

ULONGLONG ProcessQuotaUsage[2];

ULONGLONG ProcessQuotaPeak[2];

ULONGLONG CommitCharge;

PETHREAD RotateInProgress;

PETHREAD ForkInProgress;

..

..

UCHAR ImageFileName[16];

..

}

typedef struct _LIST_ENTRY

{

PLIST_ENTRY Flink;

PLIST_ENTRY Blink;

} LIST_ENTRY, *PLIST_ENTRY;

KPRCB -> ETHREAD -> KTHREAD -> EPROCESS

EPROCESS contains LIST_ENTRY (ActiveProcessLinks)

Traverse the list and look for the process to hide

Connect the previous process to point to the next one (and vice verse)

Why does the process

keeps running?

Create a variant of a malicious software

Test for detection

Install it on the victim machine

Hide the malicious process using a rootkit

Exfiltration “an unauthorized release of data from within a computer system” Wikipedia

Attacker needs to exfiltrate information from the network without getting detected

Many ways to achieve that: • Encrypted over SSL • Blend in normal traffic over HTTP Picture, Social media posts, pastebin, HTML tags,…

• VoIP • Removable Media

• . • .

“Steganography is the art and science of writing hidden messages in such

a way that no one, apart from the sender and intended recipient, suspects

the existence of the message” Wikipedia

Hiding secret information inside a cat (picture)

Uploading picture into a web service by blending

inside normal traffic

Why

me?

Information Gathering

Reliable exploitation

Target Selection/Delivery

Persistency and Stealthiness

Data Exfiltration

“Kill Chain” Concept (Lockheed martin)

Attacker only need to win once (find one hole)

Need to move the asymmetry from the attacker to the defender

The defender only need to detect once

What can be detected?

• Recon “Dry Run”

• Delivery methods

• Exploits techniques (heapspray, ROP chaining,…)

• Shellcode structure

• Communication (C2C communication)

• ..

• ..

Pattern Based Static Analysis

Dynamic Analysis

Hybrid Approach

MD5 / SHA1 / SHA256

Fuzzy hashing

Pattern-based

PCRE/ Regex

Proprietary language

Malware classifiers (J48, J48

Graft, PART)

Anti-VM

Anti-debugging

Anti-disassembly

Obfuscation

Reverse engineering

Semantic-aware detectors

Extract dynamic trace

Transform into IR

Compare to pre-defined templates

Memory dump analysis (packers)

API call trace analysis

Network activities

Registry modifications

Process creation/injections

File activities

What you see is what you get!

The Sample Lifecycle

Sample Arrives Unknown Static

Analysis

# Flags

< Threshold Dynamic

Analysis

Classification

Benign

Not Classified

Generic

Threat

Family

Threat

Classified

Manual

Analysis Malicious

Interesting

# Flags

< Threshold

Pattern Based Static Analysis

Dynamic Analysis

Hybrid Approach

Build variants (e.g. Zeus)

Append garbage

Encoding

“Stay compliant”

Packing

Obfuscation

Encryption

Anti-reversing techniques

Avoid using the same executable

template

Metasploit AV-evasion

Reuse “trusted templates”

PowerShell

In-memory exploits

Detect analysis*

Detect emulation*

Detect security product*

Beat the clock (AV sandbox)

“Split the maliciousness”

*Could be detected during static analysis

Based on Lockheed Martin

“Cyber Kill Chain”

Overview of offensive and

defensive exploit technologies

[Restricted] ONLY for designated groups and individuals

http://0xdabbad00.com/2013/04/28/exploit-mitigation-kill-chain/

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

[Restricted] ONLY for designated groups and individuals

[Restricted] ONLY for designated groups and individuals

[Restricted] ONLY for designated groups and individuals

TIME

Cannot analyze program forever

• Slow down loops

• Sleep

• Time-consuming operations (Encryption/Packing)

SPACE

Cannot maintain unlimited states

• “Run out the clock”

• OpenProcess VirtualAllocEx WriteProcessMemory LOOP .. CreateRemoteThread

[Restricted] ONLY for designated groups and individuals

Elevation of privilege to kernel mode • Bypassing security products

Stolen certificate authorities

• Breaking the trust

Automatic static analysis is hard! • Packing / obfuscation / encryption

Manual static analysis

• Time consuming / not scalable

Dynamic analysis • The malware problem!

A subset of Malware that do not re-use old

patterns • Unseen exploit techniques

• Undetected delivery methods

• Undetected persistency tools

• Covert communication channels

• Stealthy rootkit

• ..

• ..

https://ae.rsaconference.com/US13/connect/fileDownload/session/DA3B2DD6AE143237522B02205867156D/SPO2-T19_SPO2-T19.pdf

Detecting internal threats using ML • Network Behavior Analysis

Malware Interaction • Making the malware “feel comfortable”

Effective patch management

Social engineering

Password Management • The Achilles heel of security

Privacy & Law enforcement

https://ae.rsaconference.com/US13/connect/fileDownload/session/AB01B2A7988BE24B3EC4802D824C20C3/HT-T17.pdf

http://video.ted.com/talk/stream/2011G/Blank/MikkoHypponen_2011G-320k.mp4

Attackers are 10 steps ahead

Defenders need to raise attacks complexity • Force mistakes

• Raise cost

• Setup traps

Defense-In-Depth works for 99%

• For the 1% we need to keep innovating

Exchange threat intelligence

Don’t forget the basics

• Patching

• Password re-use

• …

?

Tomer Teller

tomert@checkpoint.com

@djteller