Upload
ctruncer
View
350
Download
0
Embed Size (px)
Citation preview
Pen Testing
Devevelopment
Christopher Truncer
uid=0(@ChrisTruncer)
● Christopher Truncer (@ChrisTruncer)○ Open Source Software Developer, Veil Framework
Developer, Florida State Seminole
● Red Teamer, Pen Tester, and Security
Researcher for Mandiant
What’s this talk about?● How I got started
● Security through Offense
○ EyeWitness
○ #avlol
○ Own the Exfil
○ Misconfigurations
● What (I think) makes successful hackers
○ Your drive
○ Scripting/Programming
● Tempt the demo gods throughout
How I Started
● College
○ College computer security class
○ Hack my roommate
■ “Wow, hacking is real”
● Tech background before Security
○ Windows Admin
○ Linux Admin - to learn
● Started the plunge into security
○ No development experience
First Steps with Development
● Start small
○ Veil wasn’t built in day :)
● Fix problems/tasks you always see
● Google and Stack Overflow
● Just try it...
● Nearly all upcoming case studies involve writing
some code
When Coding...
Developing for
Offensive Operations
My Development Philosophy
● Develop a POC that does what you want
● Clean up your code, and add comments!
● Make it usable by everyone, not just you
● Contribute back and make it public
● Maintain your project
Version Control
● Use anything you’re comfortable with, but use it
○ git - my choice (look at Github, it’s free)
○ svn
○ cvs
○ etc…
● You will mess your code up
● You will delete your tools/scripts
● You will be thankful for checking in your code
EyeWitness
EyeWitness
● Problem: When dropped in large network
segments, we can see hundreds, if not
thousands of web applications. How do we know
which to attack?
EyeWitness
● Solution: Automate everything I would manually
have to do
● Mandatory:
○ Screenshot web applications
○ Check for default credentials
○ Generate a usable report
● Optional:
○ Make report “sections”
○ Grab server headers
Google!
StackOverflow
Proof of Concept
Make it Usable
● File Input
○ File, NMap, Nessus
● Web Timeouts
● Default Credential Checks
● Report Generation
○ Create Sections
■ High Value Targets
■ Error Section
■ etc.
EyeWitness Stats
● Originally: 409 Lines
● Now: 3402 Lines
● Reasons:
○ Login Signatures
○ Multi-Threading
● Guess for the real
reason?
#avlol
The Veil-Framework
● Problem: Antivirus can’t catch malware, but it
catches pentesters
● Goal: Bypass antivirus as easily as professional
malware developers
● Solution: A python-based framework for
generating shellcode and meterpreter injectors
As Always, Ask the Google
Have a POC… Next?
● Research obfuscation methods
○ Look at existing malware
○ Try encryption routines
● Generate random files from a template
○ Framework might help
● Automate as much as possible
○ I probably should make a framework...
Veil 1.0 - Released
● Small, single file
script
● Limited payloads
● It worked… better
than it really should
Next Steps...
● Don’t use a single script
○ Maintenance can be a pain
○ Not easily extensible
○ A framework would be nice...
● Find a mentor
○ Ability to ask questions is invaluable
○ Learning & Collaboration opportunities
Teamed Up
● Teamed up with Will Schroeder (@harmj0y) and
Mike Wright (@themightyshiv)
● We had separate tools, so we combined code
bases
● @Harmj0y didn’t sleep and combined the code
○ Took this as an opportunity to learn
framework development
Veil 2.0
Veil 2.0
● Fully modular framework
○ Drag and drop payloads
● “Language agnostic”
○ implement additional languages
● Easily Extensible
○ common libraries/methods available
● Huge UI focus
○ Tab completion, command line flags, etc.
The Veil-Framework
● We continued to come up with additional tools
which resulted in The Veil-Framework
○ “A toolset aiming to bridge the gap between
pen testing and red team toolsets.”
● Veil renamed to Veil-Evasion
○ Veil-Catapult - Initial payload delivery tool
○ Veil-Pillage - Post-Exploitation and payload
delivery
State of The Veil-Framework
● Still an actively maintained project
● V-Day
○ Victory over antivirus :)
○ Since 9/15/2013 we’ve released at least one
new payload on the 15th of every month
● Hoping for community involvement
○ hint hint… :)
Egress-Assess
Attackers don’t just target this...
http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-
content/uploads/041514_1356_MurderingDe30.png
What’s the point?
● End Goal - Money/Data
○ Data - grab it, get it out
○ !disrupt
○ !deny
○ !degrade,
○ !destroy (maybe deceive)
○ Not just shells anymore
...they target
this
Attacker C2 Comms
Tradecraft Evolution
● Pen Tests traditionally exploit vulnerabilities
○ Find and exploit vulnerabilities
○ Assess the security as a point in time
● Why not add in some exfiltration testing as
well?
○ Attackers DO this, why not help prep our customers?
○ Let’s emulate our threats
Our Solution
What does it do?
● Standard client/server model
● Simulates data exfiltration
○ Faux social security numbers or credit cards
○ And now real files :)
● Exfil data over multiple protocols
Project Goals
● Fast to set up for use
● Minimal (if any)
configurations
required to work
● Lightweight and no
excessive
dependencies
● Exfiltrate data over
different protocols
● Modular framework
that allows easy
expansion of
capabilities
Project Goals
● Store all data/files transferred for proof of
transfer
○ Stored in a specific directory
○ Time and date stamped for correlation with blue team
logs
● Demonstrate different options for data
exfiltration and educate the blue team
Tunneling Protocols
Supported Tunneling Protocols
● Protocols merged into Egress-Assess
● ICMP
● SMB
● DNS
● DNS_Resolved
● HTTP
● HTTPS
● FTP
● SFTP
FTP and SFTP
● Generates faux data and writes it to disk, or
transfers a file specified by user
● Creates FTP or SFTP connection to server and
transfers the file to the server
● If faux data is used, it deletes the file
FTP Transfer
ICMP
● Takes advantage of ICMP type 8 (echo)
○ Protocol allows you to specify the data used in
the echo request
● Splits data in 1100 byte chunks
● Base64 encodes data
● Uses encoded data for the echo
ICMP Transfer
DNS (Direct)
● Uses DNS TXT records
○ Max 255 bytes
● Split data into chunks, base64 encode each chunk,
send packets directly to Egress-Assess server
● Multiple limitations when working with DNS
○ Size restrictions, UDP, etc.
■ We’d say a joke, but you might not get it :)
DNS (Direct) Transfer
DNS Info
● Other protocol modules work well, but fail when a
proxy is used
● Other tools have shown that DNS can be used as a
communications channel○ Cobalt Strike’s Beacon, dns tunnelling projects
(dnscat), etc.
○ Began researching different methods to exfil data via
DNS
Why Use DNS
● “But we don’t allow port 53 out!”
● Locked down environments can have proxies
● How many people inspect DNS?
○ How many people only resolve certain domains?
○ Can you block protocol compliant C2 comms or data
exfiltration attempts?
● Customer’s own DNS server FTW!
DNS (Resolved)
● Resolves local system’s nameserver
● Send request to system/network nameserver○ <base64encodeddata>.subdomain.domain.com
● Server listens for incoming DNS A record request○ Grabs record being requested, decodes it, and writes
data to disk
http://blog.cobaltstrike.com/2013/06/20/thatll-never-work-we-dont-allow-port-53-out/
DNS Resolved Setup
● Create DNS A record for your final destination
● Create NS Record for subdomain, point to A
record
https://www.christophertruncer.com/exfiltrate-data-via-dns-with-egress-
assess/
DNS (Direct) Transfer
More DNS Woes
https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g2d0184395_097
https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g34d85052a_
00
https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g34d85052a_00
DNS Woes
● Leads to problems when transferring files
○ Faux data, don’t need to preserve order, or 100%
integrity
○ Binary files, this is a problem
● Currently working on essentially TCP over UDP
DNS transfers
Powershell all the things
● Same client modules as python client
● Simulate attackers from Windows systems
● Domain proxy support
● Deployable through Beacon, Meterpreter, etc..
Get-Help
HTTP Snort Capture
What I Wish I Knew
What I wish I knew
● Programming/Scripting
○ Start doing this
○ You can literally control a computer, and
make it do exactly what you want
What I wish I knew
● Programming
○ Get the theme? :)
● Mentor
○ You’re always one step in front and one step
behind someone
● Build a lab and play with it
○ You can’t break anything that costs money!
What I wish I knew
● Be prepared to be uncomfortable at times
○ Always in a new environment with new “stuff”
and you’re expected to break it
○ Perk of the job too :)
● Build your process
○ Learn how you best approach networks, web
apps, etc.
○ Use this to face what you don’t know
The difference between a new and
experienced hacker is the experienced hacker
can count on their problem solving ability to
navigate an unknown environment.
?● Chris Truncer
○ @ChrisTruncer
○ https://www.christophertruncer.com
○ https://github.com/ChrisTruncer