SlideShare une entreprise Scribd logo

How to hide your browser 0-day @ Disobey

Télécharger en tant que PPTX, PDF
Zoltan Balazs
Zoltan Balazs

How to hide your browser 0-day @ Disobey #IRONSQUIRREL

Internet
1  sur  49
1
HOW TO HIDE YOUR BROWSER 0-DAY Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan Balazs – MRG Effitas 2019 January
Whoami? Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack HWFW Bypass tool Similar stuff was used in PacketRedirect in Danderspritz FlewAvenue by EQGRP https://github.com/MRGEffitas/hwfwbypass Malware Analysis Sandbox Tester tool https://github.com/MRGEffitas/Sandbox_tester Played with crappy IoT devices – my RCE exploit code running on ~600 000 IP cameras via Persirai https://jumpespjump.blogspot.hu/2015/09/how-i-hacked-my-ip-camera-and-found.html https://jumpespjump.blogspot.hu/2015/08/how-to-secure-your-home-against.html 3
Whoami? Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances Implemented by Angler and Nuclear exploit kit developers https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/ Co-organizer of the Hackersuli meetup Programme committee member of the Hacktivity conference 4
Table of contents Introduction to ECDH / #IRONSQUIRREL Attacker model Why is this different/new Defense/offense
How did it all begin? I had this “discussion” with nextgen/breach-detection vendors that their network appliance can be bypassed in a way that they can’t even see an exploit has happened or that malware was delivered. They told me it is impossible. 6
Why should you listen to this talk? Exploit brokers and law enforcement Effective way to prevent the 0-day exploit code being leaked Pentesters/red team members Bypass perimeter defenses, some host IDS Blue team members, forensics investigators, exploit kit researchers How current defenses can be bypassed via #IRONSQUIRREL browser exploit delivery Rest of you Learning about elliptic curve cryptography is always fun
Introduction to Exploit kits, targeted attacks with 0-dayz DH key agreement ECDH key agreement Encrypted browser exploit delivery My idea implemented by the bad guys
Browser exploits, exploit kits • “An exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.” • https://en.wikipedia.org/wiki/Exploit_kit
Lost 0-day exploit => $$$-- Targeting of Ahmed Mansoor with iOS Safari 0- day exploit • https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero- day-nso-group-uae/ • iOS 0-day exploit • 100 000 USD – 1 500 000 USD • Mansoor still in prison  Tor browser 0-day exploit used by law enforcement on pedophile site • http://www.5z8.info/twitterhack_u3o2ex_this-page-will-steal-all-of- your-personal-data • Tor Browser 0-day : 30 000 USD https://www.zerodium.com/program.html Both exploit leaked, burnt. 11
Diffie-Hellman key agreement - 1976 http://mathhombre.blogspot.hu/2014_05_01_archive.html https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Elliptic Curve based Diffie-Hellman (ECDH) key agreement ECDH key agreement 5-10 times faster on same CPU [citation needed] DH key agreement is too slow for JS It is like you know the start and end position of the billiard ball on the table, but god knows the way it took to get there. http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/1/ 13
#IRONSQUIRREL 14
Demo with test JavaScript in Chrome
Implementation details Original Node.JS POC – 2 June, 2015 New Ruby POC compatible and tested with: • Edge • IE11 (older IE just sucks, can’t crypto) • Firefox (Tor Browser) • Chrome • Opera • Mobile Safari • Mobile Chrome • Android built-in browser 16
DH implemented in exploit kits FireEye analysis - Angler exploit kit • “First” in-the-wild DH encrypted exploit • Only shellcode was protected by encryption https://www.fireeye.com/blog/threat-research/2015/08/cve-2015- 2419_inte.html “You might think this is coincidental, but I assure you it is not …” https://www.youtube.com/watch?v=XeDqGwQkDk8 17
DH implemented in exploit kits “Several days ago analysts found the usage of the Diffie-Hellman cryptographic protocol in the Angler Exploit Kit, … that is the first known case of its usage in an exploit kit.” Weakness demonstrations • Use of DH instead of ECDH • Short keys -> discrete logarithm can be found 2017 May: Astrum/Stegano exploit kit back with DH exploit delivery https://securelist.com/blog/research/72097/attacking-diffie-hellman-protocol-implementation-in-the-angler-exploit-kit/ 19
20
Attacker model Who is my attacker? The reverse engineer (RE), who tries to reverse the precious 0-day exploit The nextgen/breach-detection system What is the capability of the attacker? See next slides
RE can record (and replay) network traffic 22
RE can debug in browser – JavaScript level Has access to DOM in browser 23
RE can debug the browser – Assembly level This is not always trivial – e.g. if you can’t jailbreak iOS 24
Network forensics When checking IRONSQUIRREL network traffic, you see • Bunch of crypto libraries • Public key exchange • Encrypted blobs • Without the shared key, you can’t do much • Unless you have a kick-ass quantum computer • Attackers: just use quantum resistant key exchange Debugging in browser is possible – but I will recommend some tricks to make this harder 25
Why is this different, new? Protecting the browser exploit code was so far obfuscation only It was encryption with keys known to the attacker Now, it is encryption with keys not know to the attacker Why is this different then SSL/TLS ? How does this affect exploit replay? Why is this different then StegoSploit?
IRONSQUIRREL exploit delivery VS exploit kits using SSL/TLS If you control the client (the analysis machine), TLS MiTM is trivial Deep Packet Inspection • TLS MiTM at enterprises • TLS MiTM with intercept proxies like Burp or Fiddler at home or your lab
Traditional browser exploits forensics Reproducible exploit replay with Fiddler or similar SSL/TLS exploit delivery can be replayed if MiTM is possible IRONSQUIRREL exploit delivery cannot be replayed • The client will generate different public/private key • Client will send different public key to replay server • Replay server either sends the encrypted data with the old key, or can’t generate new ECDH key thus fails to replay 28
Exploit replay with and without IRONSQUIRREL 29
Astrum EK replay broken http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/ Fun fact: even if exploit is not 0-day, other threat groups can’t steal your exploit code
Defense and offense Prevention and detection on the network level Analysis on the endpoint How to make endpoint analysis (a lot) harder
Anti-analysis improvements One-time URLs (URL is dead after one use) • In Law Enforcement mode, use one-time URL per logged in user! Time-limits to prevent manual debugging Remove full DOM after exploit runs Implemented 33 Implemented Implemented
Case study – Tor browser exploit 34
Prevent the IRONSQUIRREL exploit attacks via network defenses IRONSQUIRREL specific blocking/detection Write signature … which can be bypassed easily Detection of (EC)DH encrypted traffic Will lead to False Positives (FP) Non IRONSQUIRREL specific blocking/detection Block uncategorized/new domains Domain white-listing
Web ISOLATION Web Isolation is Something like a proxy Code runs on a remote server Rendered data is forwarded to client browser Exploit code “runs” on remote server Tested, it blocked IRONSQUIRREL Firefox and IE exploits If you have Chrome 0-day targeting Linux, let me know
Delivery method improvements To bypass uncategorized/new domain prevention/detection Use of watering hole Quantum insert techniques Warning, might not be available in your attacker capability
Analyze IRONSQUIRREL exploits on the endpoint Log the shared key and/or client private key “Fix” the random generator – generate same client private keys always “Hook” the JS code to immediately return with the same client secret key Remote debugging iOS Safari on OS X Detailed JS execution Tracelog https://github.com/szimeus/evalyzer --> check out this great project!
Evalyzer MS16-051 demo 39
Anti-analysis improvements Detect debug window (client-side protection  ) https://github.com/zswang/jdetects Proper fingerprinting of the target before exploit delivery Code obfuscation – effective against MiTM * Generate multiple DH private keys and check if it is the same * http://blog.trendmicro.com/trendlabs-security-intelligence/how-exploit-kit-operators-are-misusing-diffie-hellman- key-exchange/ Implemented
Anti-analysis improvements Adding lot of junk code to DoS the analysis environment Use eval equivalent functions like SetTimeout, new Function(), ... to bypass default Evalyzer https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream
Conclusion of the RE attacker Determined RE engineer can restore exploit from a memory dump Determined attacker can put breakpoints on DEP related VirtualProtects or use Guard Pages, and reverse the vulnerability * But it can delay the analysis/discovery of the exploit by days/weeks/months if the attacker implements my suggestions * Windows only method 42
Chain the IRONSQUIRREL exploit to malware execution Encrypted malware payload delivery Target aware malware payload Gauss https://kasperskycontenthub.com/wp- content/uploads/sites/43/vlpdfs/kaspersky-lab-gauss.pdf Ebowla https://github.com/Genetic-Malware/Ebowla 43 Implemented
Current Metasploit integration level Pre-alpha (a.k.a non-existent) version 0.0 Run Metasploit with (fake) victim Extract HTML file (now the exploit is static) Put extracted HTML into exploit folder Run IRONSQUIRREL with the HTML file Need help!
Perimeter security is dying Mobile devices and encryption trends
Since initial publication 46 DH encrypted shellcode implemented in Angler, Astrum, Nuclear EK White-hats started to use in PoCs https://bugs.chromium.org/p/chromium/issues/detail?id=888926 Some people also like the idea
Ethical dilemmas Why do I help the “bad” guys? Who are the bad guys? Neither offense nor defense is bad by itself I consider the FBI being the good guys if they are catching the pedophiles It is all about evolution Have better defense or offense than the others to survive I agree that the current laws are not prepared for law enforcement hacking of Tor users What happens if we don’t prepare our defenses against these attacks?
Conclusion IRONSQUIRREL could have prevented the leak of the iOS Safari 0-day IRONSQUIRREL could have prevented (or significantly delay) the leak of the Tor Browser 0-day IRONSQUIRREL with one-time exploits can make RE a nightmare IRONSQUIRREL does not deal with endpoint exploit protections (EMET) OPSEC is important 48
49 Hack the planet! https://github.com/MRGEffitas/Ironsquirrel zoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter – @zh4ck www.slideshare.net/bz98 httpscolonforwardslashforwardslashwwwdotzoltanbalazsdotcom.com HACKERSULI !!!1! Greetz to @CrySySLab, @SpamAndHex, @midnite_runr, @buherator, @sghctoma, @zmadarassy, @DavidSzili, @xoreipeip, @theevilbit, @molnar_g, Szimeus https://JumpESPJump.blogspot.com

Recommandé

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
Zoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 

Recommandé

Explain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a fiveExplain Ethereum smart contract hacking like i am a five
Explain Ethereum smart contract hacking like i am a five
Zoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
Zoltan Balazs
 
[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie[ENG] IPv6 shipworm + My little Windows domain pwnie
[ENG] IPv6 shipworm + My little Windows domain pwnie
Zoltan Balazs
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
Andrew Morris
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
Sergey Gordeychik
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
Slawomir Jasek
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)
Zoltan Balazs
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov
OWASP Russia
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
Andrew Morris
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Priyanka Aash
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Duo Security
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
Ernest Staats
 

Contenu connexe

Tendances

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
RootedCON
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
Andrew Morris
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
Sergey Gordeychik
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
Slawomir Jasek
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
Andrew Morris
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Duo Security
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 

Tendances (20)

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
IoThings you don't even need to hack
IoThings you don't even need to hackIoThings you don't even need to hack
IoThings you don't even need to hack
 
Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standardsWebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
 
[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov[2.2] Hacking Internet of Things devices - Ivan Novikov
[2.2] Hacking Internet of Things devices - Ivan Novikov
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peopDefcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
Defcon 22-adrian-crenshaw-dropping-docs-on-darknets-how-peop
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 

Similaire à How to hide your browser 0-day @ Disobey

Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
WSO2
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
Filip Šebesta
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 

Similaire à How to hide your browser 0-day @ Disobey (20)

Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Security challenges for IoT
Security challenges for IoTSecurity challenges for IoT
Security challenges for IoT
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
Crypto failures every developer should avoid
Crypto failures every developer should avoidCrypto failures every developer should avoid
Crypto failures every developer should avoid
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 

Plus de Zoltan Balazs

[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
Zoltan Balazs
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
Zoltan Balazs
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
Zoltan Balazs
 

Plus de Zoltan Balazs (11)

[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain[ Hackersuli ] Privacy on the blockchain
[ Hackersuli ] Privacy on the blockchain
 
MLSEC 2020
MLSEC 2020MLSEC 2020
MLSEC 2020
 
Web3 + scams = It's a match
Web3 + scams = It's a matchWeb3 + scams = It's a match
Web3 + scams = It's a match
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Sandboxes
SandboxesSandboxes
Sandboxes
 
[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland[ENG] Hacktivity 2013 - Alice in eXploitland
[ENG] Hacktivity 2013 - Alice in eXploitland
 
[HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking [HUN] Védtelen böngészők - Ethical Hacking
[HUN] Védtelen böngészők - Ethical Hacking
 
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
[ENG] Hacker halted 2012 - Zombie browsers, spiced with rootkit extensions
 
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
[ENG] Zombie browsers spiced with rootkit extensions - Hacktivity 2012
 
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
[HUN] Zombi tűzróka, avagy mire képes egy rosszindulatú böngősző kiegészitő
 
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
[HUN] Hacktivity2009 - M&M’s: Mafia & Malware’s
 

Dernier

Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
Escorts Call Girls
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Delhi Call girls
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
SUHANI PANDEY
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Call Girls in Nagpur High Profile
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
Delhi Call girls
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
soniya singh
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
 

Dernier (20)

Al Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls DubaiAl Barsha Night Partner +0567686026 Call Girls Dubai
Al Barsha Night Partner +0567686026 Call Girls Dubai
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Mamura Sector 66 ( Noida)
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 

How to hide your browser 0-day @ Disobey

  • 1. 1
  • 2. HOW TO HIDE YOUR BROWSER 0-DAY Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan Balazs – MRG Effitas 2019 January
  • 3. Whoami? Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack HWFW Bypass tool Similar stuff was used in PacketRedirect in Danderspritz FlewAvenue by EQGRP https://github.com/MRGEffitas/hwfwbypass Malware Analysis Sandbox Tester tool https://github.com/MRGEffitas/Sandbox_tester Played with crappy IoT devices – my RCE exploit code running on ~600 000 IP cameras via Persirai https://jumpespjump.blogspot.hu/2015/09/how-i-hacked-my-ip-camera-and-found.html https://jumpespjump.blogspot.hu/2015/08/how-to-secure-your-home-against.html 3
  • 4. Whoami? Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances Implemented by Angler and Nuclear exploit kit developers https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/ Co-organizer of the Hackersuli meetup Programme committee member of the Hacktivity conference 4
  • 5. Table of contents Introduction to ECDH / #IRONSQUIRREL Attacker model Why is this different/new Defense/offense
  • 6. How did it all begin? I had this “discussion” with nextgen/breach-detection vendors that their network appliance can be bypassed in a way that they can’t even see an exploit has happened or that malware was delivered. They told me it is impossible. 6
  • 7.
  • 8. Why should you listen to this talk? Exploit brokers and law enforcement Effective way to prevent the 0-day exploit code being leaked Pentesters/red team members Bypass perimeter defenses, some host IDS Blue team members, forensics investigators, exploit kit researchers How current defenses can be bypassed via #IRONSQUIRREL browser exploit delivery Rest of you Learning about elliptic curve cryptography is always fun
  • 9. Introduction to Exploit kits, targeted attacks with 0-dayz DH key agreement ECDH key agreement Encrypted browser exploit delivery My idea implemented by the bad guys
  • 10. Browser exploits, exploit kits • “An exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client.” • https://en.wikipedia.org/wiki/Exploit_kit
  • 11. Lost 0-day exploit => $$$-- Targeting of Ahmed Mansoor with iOS Safari 0- day exploit • https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero- day-nso-group-uae/ • iOS 0-day exploit • 100 000 USD – 1 500 000 USD • Mansoor still in prison  Tor browser 0-day exploit used by law enforcement on pedophile site • http://www.5z8.info/twitterhack_u3o2ex_this-page-will-steal-all-of- your-personal-data • Tor Browser 0-day : 30 000 USD https://www.zerodium.com/program.html Both exploit leaked, burnt. 11
  • 12. Diffie-Hellman key agreement - 1976 http://mathhombre.blogspot.hu/2014_05_01_archive.html https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  • 13. Elliptic Curve based Diffie-Hellman (ECDH) key agreement ECDH key agreement 5-10 times faster on same CPU [citation needed] DH key agreement is too slow for JS It is like you know the start and end position of the billiard ball on the table, but god knows the way it took to get there. http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/1/ 13
  • 15. Demo with test JavaScript in Chrome
  • 16. Implementation details Original Node.JS POC – 2 June, 2015 New Ruby POC compatible and tested with: • Edge • IE11 (older IE just sucks, can’t crypto) • Firefox (Tor Browser) • Chrome • Opera • Mobile Safari • Mobile Chrome • Android built-in browser 16
  • 17. DH implemented in exploit kits FireEye analysis - Angler exploit kit • “First” in-the-wild DH encrypted exploit • Only shellcode was protected by encryption https://www.fireeye.com/blog/threat-research/2015/08/cve-2015- 2419_inte.html “You might think this is coincidental, but I assure you it is not …” https://www.youtube.com/watch?v=XeDqGwQkDk8 17
  • 18.
  • 19. DH implemented in exploit kits “Several days ago analysts found the usage of the Diffie-Hellman cryptographic protocol in the Angler Exploit Kit, … that is the first known case of its usage in an exploit kit.” Weakness demonstrations • Use of DH instead of ECDH • Short keys -> discrete logarithm can be found 2017 May: Astrum/Stegano exploit kit back with DH exploit delivery https://securelist.com/blog/research/72097/attacking-diffie-hellman-protocol-implementation-in-the-angler-exploit-kit/ 19
  • 20. 20
  • 21. Attacker model Who is my attacker? The reverse engineer (RE), who tries to reverse the precious 0-day exploit The nextgen/breach-detection system What is the capability of the attacker? See next slides
  • 23. RE can debug in browser – JavaScript level Has access to DOM in browser 23
  • 24. RE can debug the browser – Assembly level This is not always trivial – e.g. if you can’t jailbreak iOS 24
  • 25. Network forensics When checking IRONSQUIRREL network traffic, you see • Bunch of crypto libraries • Public key exchange • Encrypted blobs • Without the shared key, you can’t do much • Unless you have a kick-ass quantum computer • Attackers: just use quantum resistant key exchange Debugging in browser is possible – but I will recommend some tricks to make this harder 25
  • 26. Why is this different, new? Protecting the browser exploit code was so far obfuscation only It was encryption with keys known to the attacker Now, it is encryption with keys not know to the attacker Why is this different then SSL/TLS ? How does this affect exploit replay? Why is this different then StegoSploit?
  • 27. IRONSQUIRREL exploit delivery VS exploit kits using SSL/TLS If you control the client (the analysis machine), TLS MiTM is trivial Deep Packet Inspection • TLS MiTM at enterprises • TLS MiTM with intercept proxies like Burp or Fiddler at home or your lab
  • 28. Traditional browser exploits forensics Reproducible exploit replay with Fiddler or similar SSL/TLS exploit delivery can be replayed if MiTM is possible IRONSQUIRREL exploit delivery cannot be replayed • The client will generate different public/private key • Client will send different public key to replay server • Replay server either sends the encrypted data with the old key, or can’t generate new ECDH key thus fails to replay 28
  • 29. Exploit replay with and without IRONSQUIRREL 29
  • 30.
  • 31. Astrum EK replay broken http://blog.trendmicro.com/trendlabs-security-intelligence/astrum-exploit-kit-abuses-diffie-hellman-key-exchange/ Fun fact: even if exploit is not 0-day, other threat groups can’t steal your exploit code
  • 32. Defense and offense Prevention and detection on the network level Analysis on the endpoint How to make endpoint analysis (a lot) harder
  • 33. Anti-analysis improvements One-time URLs (URL is dead after one use) • In Law Enforcement mode, use one-time URL per logged in user! Time-limits to prevent manual debugging Remove full DOM after exploit runs Implemented 33 Implemented Implemented
  • 34. Case study – Tor browser exploit 34
  • 35. Prevent the IRONSQUIRREL exploit attacks via network defenses IRONSQUIRREL specific blocking/detection Write signature … which can be bypassed easily Detection of (EC)DH encrypted traffic Will lead to False Positives (FP) Non IRONSQUIRREL specific blocking/detection Block uncategorized/new domains Domain white-listing
  • 36. Web ISOLATION Web Isolation is Something like a proxy Code runs on a remote server Rendered data is forwarded to client browser Exploit code “runs” on remote server Tested, it blocked IRONSQUIRREL Firefox and IE exploits If you have Chrome 0-day targeting Linux, let me know
  • 37. Delivery method improvements To bypass uncategorized/new domain prevention/detection Use of watering hole Quantum insert techniques Warning, might not be available in your attacker capability
  • 38. Analyze IRONSQUIRREL exploits on the endpoint Log the shared key and/or client private key “Fix” the random generator – generate same client private keys always “Hook” the JS code to immediately return with the same client secret key Remote debugging iOS Safari on OS X Detailed JS execution Tracelog https://github.com/szimeus/evalyzer --> check out this great project!
  • 40. Anti-analysis improvements Detect debug window (client-side protection  ) https://github.com/zswang/jdetects Proper fingerprinting of the target before exploit delivery Code obfuscation – effective against MiTM * Generate multiple DH private keys and check if it is the same * http://blog.trendmicro.com/trendlabs-security-intelligence/how-exploit-kit-operators-are-misusing-diffie-hellman- key-exchange/ Implemented
  • 41. Anti-analysis improvements Adding lot of junk code to DoS the analysis environment Use eval equivalent functions like SetTimeout, new Function(), ... to bypass default Evalyzer https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream
  • 42. Conclusion of the RE attacker Determined RE engineer can restore exploit from a memory dump Determined attacker can put breakpoints on DEP related VirtualProtects or use Guard Pages, and reverse the vulnerability * But it can delay the analysis/discovery of the exploit by days/weeks/months if the attacker implements my suggestions * Windows only method 42
  • 43. Chain the IRONSQUIRREL exploit to malware execution Encrypted malware payload delivery Target aware malware payload Gauss https://kasperskycontenthub.com/wp- content/uploads/sites/43/vlpdfs/kaspersky-lab-gauss.pdf Ebowla https://github.com/Genetic-Malware/Ebowla 43 Implemented
  • 44. Current Metasploit integration level Pre-alpha (a.k.a non-existent) version 0.0 Run Metasploit with (fake) victim Extract HTML file (now the exploit is static) Put extracted HTML into exploit folder Run IRONSQUIRREL with the HTML file Need help!
  • 45. Perimeter security is dying Mobile devices and encryption trends
  • 46. Since initial publication 46 DH encrypted shellcode implemented in Angler, Astrum, Nuclear EK White-hats started to use in PoCs https://bugs.chromium.org/p/chromium/issues/detail?id=888926 Some people also like the idea
  • 47. Ethical dilemmas Why do I help the “bad” guys? Who are the bad guys? Neither offense nor defense is bad by itself I consider the FBI being the good guys if they are catching the pedophiles It is all about evolution Have better defense or offense than the others to survive I agree that the current laws are not prepared for law enforcement hacking of Tor users What happens if we don’t prepare our defenses against these attacks?
  • 48. Conclusion IRONSQUIRREL could have prevented the leak of the iOS Safari 0-day IRONSQUIRREL could have prevented (or significantly delay) the leak of the Tor Browser 0-day IRONSQUIRREL with one-time exploits can make RE a nightmare IRONSQUIRREL does not deal with endpoint exploit protections (EMET) OPSEC is important 48
  • 49. 49 Hack the planet! https://github.com/MRGEffitas/Ironsquirrel zoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter – @zh4ck www.slideshare.net/bz98 httpscolonforwardslashforwardslashwwwdotzoltanbalazsdotcom.com HACKERSULI !!!1! Greetz to @CrySySLab, @SpamAndHex, @midnite_runr, @buherator, @sghctoma, @zmadarassy, @DavidSzili, @xoreipeip, @theevilbit, @molnar_g, Szimeus https://JumpESPJump.blogspot.com