73
Tomer Teller

Wrapping It Uphotmail.com [email protected] •Cross-protocol profiling •Application-leaked information •Data correlation •Weakest link and attack vector suggestion (Exploitation)


Page 1:

Tomer Teller

Page 2:

• Surprised and not surprised

• Do more harm than good

• But there is some good news..

Page 3:

Crypto Works

Trust the Math!

Page 4:

Implementation Is Broken

Trust No One!

Page 5:

• BSAFE crypto library

• Backdoor in the Dual_EC_DRBG design

• $10 million deal to make it the default PRNG

• 2004-2013

Result: NSA can decrypt SSL/TLS traffic

Page 6:

• Encrypted email service

• Founded in 2004

[email protected] – hmm..

• FBI: Court order to reveal metadata

• Owner: Refused

Result: Operation shut down

Page 7:

• 29/05/2014

• Project developer warns about “unfixed security issues” in

• Website contains instructions to switch to Microsoft’s BitLocker

?

Page 8:

“hacking” through backdoors is significantly more simple than trying to crack encryption.

Page 9:

The Bad Guys Are Winning!

Page 10:

[Restricted] ONLY for designated groups and individuals

Page 11:

Page 12:

Page 13:

#1 Information Security Crime Investigator/Forensics Expert

#2 System, Network, and/or Web Penetration Tester

#3 Forensic Analyst

#4 Incident Responder

#5 Security Architect

#6 Malware Analyst

#7 Network Security Engineer

#8 Security Analyst

#9 Computer Crime Investigator

#10 CISO/ISO or Director of Security

#11 Application Penetration Tester

#12 Security Operations Center Analyst

#13 Prosecutor Specializing in Information Security Crime

#14 Technical Director and Deputy CISO

#15 Intrusion Analyst

#16 Vulnerability Researcher/ Exploit Developer

#17 Security Auditor

#18 Security-savvy Software Developer

#19 Security Maven in an Application Developer Organization

#20 Disaster Recovery/Business Continuity Analyst/Manager

SRC: http://www.sans.org/20coolestcareers/

Page 14:

Step-by-step, end-to-end targeted attack simulation

Understand attackers’ techniques & methodologies

Discuss defense technologies and their limitations

Understand that there is no 100% security.. but we can still do something about it

Page 15:

• Step 1: Recon

• Step 2: Exploits & Delivery

• Step 3: Explore the network

• Step 4: Persistency

• Step 5: Exfiltrate

Progress bar: Targeted Attack (Wikipedia)

Page 16:

Page 17:

• Target Selection

• OSINT (Corporate/Individual)

• On-Site gathering

• HUMINT (Key employees, social engineering)

• Foot-printing (Port scanning, banner grabbing, etc..)

• Identify protection mechanisms (network/host/application/…)

http://www.pentest-standard.org/index.php/Intelligence_Gathering

Page 19:

• Cross-protocol profiling

• Application-leaked information

• Data correlation

• Weakest link and attack vector suggestion (Exploitation)

• Social engineering helper (categorization)

• MiTM with Automatic SSL Strip capabilities

• Supports multiple protocols:

  • HTTP (>100 web apps are supported)

  • SMTP, FTP, DHCP, …

• Open Source!

https://ae.rsaconference.com/US12/published/rsaus12/sessions/SPO1-303/SPO1-303.pdf

Page 20:

• “Internet Census of 2012” (Carna Botnet)

• Shodan Search Engine

• Google Dorks (Google Hacking)

http://internetcensus2012.bitbucket.org/paper.html

http://www.shodanhq.com/

Page 21:

Page 22:

• There are no rules when gathering information

• The more relevant data you collect, the better the attack can be

• Gather intelligence anonymously (e.g. TOR)

• Harvesting social information is not enough

• Attackers need technical information, too

Page 23:

Social Profile:

• Full Name

• Address

• Likes

• Location

• Friends with…

• Works at…

• …

Technical Profile:

• OS Version

• Patch level

• Browser usage

• Installed plugins

• AV Vendor

• Firewall rules

• …

Page 25:

• Harvesting information on our victim

• Social Profile

• Technical Profile

• Organizing information with Maltego

• Generating actionable items:

• Locate the weakest link (Who?)

• Human / mobile device / server / …

• Define Time-Frames (When?)

• Engaging the target / Delivery Vector (How?)

Page 26:

• Once accurate information has been retrieved, one can move on to the next step…

• Writing specific and reliable exploits

• Preferably:

  • No user interaction

  • No crash / hang (continue in normal flow)

  • No memory corruptions (less reliable)

Page 27:

• Oracle Java

• Adobe Acrobat Reader

• Adobe Flash

• Microsoft Internet Explorer

• Microsoft Word

• …

“A Price List For Hackers Secret Software Exploits” Forbes

Page 28:

• Smashing the stack is so 90’s

• Exploit writing is no longer generic

• Exploit mitigations make it more challenging

  • DEP, HiASLR, /GS, SEHOP, vTable Guard, SandBox, EMET, …

http://phrack.org/papers/shockwave_memory_disclosure.html

Page 29:

• ASLR randomizes key data areas (libraries, heap, stack, …)

  • /DYNAMICBASE, PIE

  • Cannot jump to fixed addresses anymore

• “Info-leak” era – memory disclosure vulnerabilities

  • Dynamic ROP based on the image base address

• HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, ..)

• VirtualAlloc(.., PAGE_EXECUTE_READWRITE) + CopyMemory()

• VirtualProtect(.., PAGE_EXECUTE_READWRITE)

• SetProcessDEPPolicy(0)

• WriteProcessMemory(..)

• …

http://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_Slides.pdf

https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

Page 30:

• Separating running applications

• Lowers the system privileges granted to the application

• Provides a tightly controlled set of resources for the guest application

Adobe Sandbox Architecture

Chrome Sandbox Architecture

http://blogs.adobe.com/asset/2010/11/inside-adobe-reader-protected-mode-part-3-broker-process-policies-and-inter-process-communication.html

http://blog.azimuthsecurity.com/2010/05/chrome-sandbox-part-1-of-3-overview.html

Page 31:

• Mainly three types of vulnerabilities

  • Broker process

  • Kernel vulnerabilities

  • Through other user-mode services (with higher privilege)

• Vulnerabilities in the kernel

  • A sandbox that relies on kernel security is only as good as the kernel security

  • Exploiting unpatched kernel vulnerabilities can be used to break out

  • IE10 (CVE-2013-2551) - Vupen Pwn2Own 2013

  • Chrome (CVE-2013-0912) – MWR Labs Pwn2Own 2013

• "+1 vuln" case

  • Depends on the sandbox

  • Less LOC == lowered attack surface

https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf

http://haxpo.nl/wp-content/uploads/2014/01/D1T1-Escaping-IE11-Enhanced-Protected-Mode.pdf

Page 32:

• Targets: IE 6-10, Windows XP–Windows 8, 32/64 bit

• Vulnerability in Vector Markup Language (VML)

• Integer overflow vulnerability in an undocumented function

  • Arbitrary read/write

• Disclose a pointer to bypass ASLR

• Technique to read an arbitrary string in memory **

  • #define MM_SHARED_USER_DATA_VA 0x7FFE0000

• Dynamic Return-Oriented Programming (ROP)

• Use-after-free vulnerability

• Code execution in the context of the IE10 sandbox

• Kernel vulnerability to escape the sandbox

http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php

http://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf **

Page 33:

Page 34:

• Allocate buffer (and use it)

• Free Buffer (at some point)

• Use Buffer (reuse it)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    char *c = malloc(10);   /* allocate the buffer */
    strcpy(c, "hello");     /* use it */
    printf("%s", c);
    free(c);                /* free it */
    *c = 0;                 /* UAF: write through the dangling pointer */
    return 0;
}

Page 35:

• Allocate Object -> Free Object

• Overwrite the memory area with data (object/shellcode)

• Heap Spray techniques (popular but less reliable)

• Low Fragmentation Heap (LFH) manipulations

• Application specific techniques

• Trigger vulnerability (use object)

• Data will be interpreted as code

http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/

http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf

Page 36:

• A technique, not an exploit

• Defeats ASLR

• Place sequence of bytes in predetermined location

• JavaScript, VBScript, ActionScript, Images, HTML5

Page 37:

Page 38:

• Exploit overwrites a vtable (stack/heap)

• Controlling EIP by calling a function pointer

• Fill the memory with NOPs (0x0c) + shellcode

• Memory at 0x0c0c0c0c will contain 0x0c0c0c0c

MOV EAX,DWORD PTR SS:[EBP+8]   // Pointer to object
MOV EDX,DWORD PTR DS:[EAX]     // Pointer to vtable
MOV EAX,[EDX+4]                // Pointer to vfunc_A2 (offset)
CALL EAX                       // Call vfunc_A2

Multiple pointer dereference:

EAX = 0x0c0c0c0c
[EAX] = 0x0c0c0c0c
[EDX+4] = 0x0c0c0c0c
CALL EAX   // jump to 0x0c0c0c0c

0x0c0c (2-byte instruction) decodes as: OR AL, 0x0C

https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf

Page 39:

• Nozzle & BuBBle

• EMET

• Heap Locker

• Browser Memory Subversion Library - DEMO
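As an added example (not from the slides, and not code from Nozzle, BuBBle, EMET or HeapLocker), the following C program shows the kind of heuristic those heap-spray detectors are built on: an allocation is scored as spray-like when a single byte value dominates it (the 0x0c sled from the previous slide) or when it is a short unit repeated end to end. The thresholds, the period range and the three sample blocks are constructed for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Share of buf taken by its most frequent byte value (0..1). A 0x0c sled
 * scores close to 1.0; text, objects and compressed data score far lower. */
static double dominant_byte_ratio(const unsigned char *buf, size_t len) {
    size_t counts[256] = {0}, best = 0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++)
        if (counts[b] > best) best = counts[b];
    return (double)best / (double)len;
}

/* Share of positions where buf[i] == buf[i + period] (0..1). A spray built by
 * concatenating one small NOP+payload unit scores ~1.0 at the unit's size. */
static double periodicity(const unsigned char *buf, size_t len, size_t period) {
    size_t same = 0;
    if (period == 0 || len <= period) return 0.0;
    for (size_t i = 0; i + period < len; i++)
        if (buf[i] == buf[i + period]) same++;
    return (double)same / (double)(len - period);
}

/* Verdict for one allocation: 1 = spray-like, 0 = ordinary. Thresholds and
 * the period range are assumptions picked for this demo, not product values. */
static int looks_like_spray(const unsigned char *buf, size_t len) {
    if (dominant_byte_ratio(buf, len) >= 0.90) return 1;      /* byte sled */
    for (size_t p = 4; p <= 4096; p *= 2)                     /* repeated unit */
        if (periodicity(buf, len, p) >= 0.95) return 1;
    return 0;
}

#define BLOCK (64 * 1024)   /* size of each constructed sample block */

/* Sample 1: a 0x0c sled with a short tail, the layout the slide describes.
 * Returns the verdict (expected 1) or -1 on allocation failure. */
static int score_sled_block(void) {
    unsigned char *blk = malloc(BLOCK);
    if (!blk) return -1;
    memset(blk, 0x0c, BLOCK);
    memset(blk + BLOCK - 64, 0x90, 64);   /* stand-in for the payload tail */
    int v = looks_like_spray(blk, BLOCK);
    free(blk);
    return v;
}

/* Sample 2: a 256-byte unit repeated end to end. No byte dominates, so only
 * the period check catches it (expected 1). */
static int score_repeated_unit_block(void) {
    unsigned char *blk = malloc(BLOCK);
    if (!blk) return -1;
    for (size_t i = 0; i < BLOCK; i++)
        blk[i] = (unsigned char)(i * 7 + 3);   /* (i*7+3) mod 256 has period 256 */
    int v = looks_like_spray(blk, BLOCK);
    free(blk);
    return v;
}

/* Sample 3: deterministic pseudo-random bytes standing in for ordinary heap
 * content; neither check should fire (expected 0). */
static int score_random_block(void) {
    unsigned char *blk = malloc(BLOCK);
    unsigned int x = 12345u;   /* fixed seed so the result is reproducible */
    if (!blk) return -1;
    for (size_t i = 0; i < BLOCK; i++) {
        x = x * 1103515245u + 12345u;
        blk[i] = (unsigned char)(x >> 16);
    }
    int v = looks_like_spray(blk, BLOCK);
    free(blk);
    return v;
}

int main(void) {
    printf("sled: %d  repeated unit: %d  random: %d\n",
           score_sled_block(), score_repeated_unit_block(), score_random_block());
    return 0;
}
```

A real detector (Nozzle) additionally disassembles the block and measures how much of it is valid, reachable code; the byte-frequency and periodicity checks here are the cheap first pass.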

Page 40:

Page 41:

• Email attachment: send a malicious email attachment

• Browser drive-by download: host the malicious content on a website

• “Water-hole” technique: compromise a website the victim is likely to visit

• USB: brand the logo, and drop it next to a company HQ

• Social engineering: fool someone into doing it for you

• Mobile malware: spread a malicious mobile application

Page 42:

• “WaterHole” vector

• Browser exploit (DEP/ASLR/Sandbox bypass)

• Result: Compromised machine in the network

Page 44:

• Attackers will keep moving laterally in the network

  • Find more devices

  • Gain more access

  • Find interesting data

• Pass-The-Hash

  • Eases the SSO process by caching users’ credentials locally

  • NTLM uses password hashes in the challenge response

  • Many tools available to dump the hashes: WCE, Pshtoolkit, …

Page 45:

Gain privileged access → Dump admin password hash (Pshtoolkit, WCE, …) → Access remote computers

http://media.blackhat.com/bh-us-12/Briefings/Duckwall/BH_US_12_Duckwall_Campbell_Still_Passing_Slides.pdf

http://www.rsaconference.com/writable/presentations/file_upload/hta-w03-pass-the-hash-how-attackers-spread-and-how-to-stop-them.pdf

Page 46:

• Pass-The-Hash between nodes in the domain

• Gain more access in the network

• Maintain persistency

Page 47:

• Attacker needs to stay for the long term

• Users tend to:

  • Reboot their computer

  • Patch their systems

  • Update their signature detection

• Attacker needs to deploy undetected software on the victim machine

• Remote Administration Tools (RATs) are the most popular

  • Poison Ivy, DarkComet, NetWire, ….

Page 48:

• Client/Server Architecture

• Allows a remote "operator" to control a system

• Taking screenshots

• File Management (downloading/uploading files)

• Shell control (execute commands)

• Key logging capabilities

Page 49:

• AV vendors will likely flag the RAT as malicious

• Need to create a variant of the same RAT

• Obfuscation

• Packers

• Cryptors

• The result is “Same Same… But different”

Page 50:

• Attackers test their software first

• Uploading to VirusTotal will notify the AV vendors

• There are some alternatives in the market

• e.g. Scan4You (VirusTotal for Criminals)

Page 51:

• A sysadmin might detect the malicious program running

• Need to hide the malicious activity using a rootkit

• A rootkit is stealthy software that hides the existence of certain processes/programs from normal methods of detection

• What can it hide?

  • Network communication

  • Registry values

  • File system

  • Processes

  • …

Page 52:

• Kernel-mode rootkit (ring 0)

• DKOM = Direct Kernel Object Manipulation

• A loadable kernel module has access to kernel memory

• It can modify (manipulate) objects directly in memory

typedef struct _EPROCESS
{
    KPROCESS Pcb;
    /* .. */
    /* .. */
    LIST_ENTRY ActiveProcessLinks;
    ULONGLONG ProcessQuotaUsage[2];
    ULONGLONG ProcessQuotaPeak[2];
    ULONGLONG CommitCharge;
    PETHREAD RotateInProgress;
    PETHREAD ForkInProgress;
    /* .. */
    /* .. */
    UCHAR ImageFileName[16];
    /* .. */
} EPROCESS, *PEPROCESS;

typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

Page 53:

• KPRCB -> ETHREAD -> KTHREAD -> EPROCESS

• EPROCESS contains a LIST_ENTRY (ActiveProcessLinks)

• Traverse the list and look for the process to hide

• Connect the previous process to point to the next one (and vice versa)

Why does the process keep running?
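As an added example (not from the slides; the structures are simplified stand-ins, not the real Windows layouts), this user-mode C program simulates the unlink on ActiveProcessLinks described above and then runs the cross-view check that memory-forensics tools use to catch it: every process object in a pool is compared against what the list walk reaches, and the object the walk misses is reported as hidden. The comments note why the process keeps running: the object itself is untouched, only its list links change.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified stand-ins for the structures on the slide. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;   /* links the object into the active list */
    char ImageFileName[16];
} EPROCESS, *PEPROCESS;

#define MAX_PROCS 8

/* Simulated object pool: every process object created stays here, linked or
 * not. A memory carver ("psscan"-style) sees this view, not the list. */
static EPROCESS pool[MAX_PROCS];
static int pool_count;
static LIST_ENTRY active_head;       /* stand-in for PsActiveProcessHead */

#define EPROCESS_FROM_LINKS(e) \
    ((PEPROCESS)((char *)(e) - offsetof(EPROCESS, ActiveProcessLinks)))

static void list_init(void) {
    active_head.Flink = active_head.Blink = &active_head;
    pool_count = 0;
}

static PEPROCESS create_process(unsigned long pid, const char *name) {
    PEPROCESS p = &pool[pool_count++];
    p->UniqueProcessId = pid;
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
    p->ImageFileName[sizeof p->ImageFileName - 1] = '\0';
    /* append at the tail of the doubly linked list */
    p->ActiveProcessLinks.Flink = &active_head;
    p->ActiveProcessLinks.Blink = active_head.Blink;
    active_head.Blink->Flink = &p->ActiveProcessLinks;
    active_head.Blink = &p->ActiveProcessLinks;
    return p;
}

/* The DKOM step from the slide: previous->Flink = next, next->Blink = previous.
 * The EPROCESS is untouched and its threads stay in the scheduler's thread
 * lists, which is why the process keeps running while vanishing from pslist. */
static void dkom_unlink(PEPROCESS p) {
    PLIST_ENTRY e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;         /* self-link so later list walks stay safe */
}

/* "pslist" view: walk ActiveProcessLinks and collect the pids it reaches. */
static int walk_active_list(unsigned long *pids, int max) {
    int n = 0;
    for (PLIST_ENTRY e = active_head.Flink; e != &active_head && n < max; e = e->Flink)
        pids[n++] = EPROCESS_FROM_LINKS(e)->UniqueProcessId;
    return n;
}

/* Cross-view check: any object in the pool that the list walk never reached
 * is reported as hidden. Returns the number of hidden pids written. */
static int find_hidden(unsigned long *hidden, int max) {
    unsigned long seen[MAX_PROCS];
    int nseen = walk_active_list(seen, MAX_PROCS), nhidden = 0;
    for (int i = 0; i < pool_count && nhidden < max; i++) {
        int found = 0;
        for (int j = 0; j < nseen; j++)
            if (seen[j] == pool[i].UniqueProcessId) { found = 1; break; }
        if (!found) hidden[nhidden++] = pool[i].UniqueProcessId;
    }
    return nhidden;
}

/* Scenario: four constructed processes, one unlinked. Returns the single pid
 * the cross-view check flags, or 0 if it flags none or more than one. */
static unsigned long demo(void) {
    unsigned long hidden[MAX_PROCS];
    list_init();
    create_process(4, "System");
    create_process(512, "explorer.exe");
    PEPROCESS rat = create_process(1337, "rat.exe");   /* constructed sample */
    create_process(2048, "notepad.exe");
    dkom_unlink(rat);
    return find_hidden(hidden, MAX_PROCS) == 1 ? hidden[0] : 0;
}

int main(void) {
    printf("pid flagged as hidden by cross-view: %lu\n", demo());
    return 0;
}
```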

Page 54:

• Create a variant of a malicious software

• Test for detection

• Install it on the victim machine

• Hide the malicious process using a rootkit

Page 55:

• Exfiltration: “an unauthorized release of data from within a computer system” (Wikipedia)

• Attacker needs to exfiltrate information from the network without getting detected

• Many ways to achieve that:

  • Encrypted over SSL

  • Blend in with normal traffic over HTTP

    • Pictures, social media posts, pastebin, HTML tags, …

  • VoIP

  • Removable media

  • …

Page 56:

“Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message” Wikipedia

Page 57:

• Hiding secret information inside a cat (picture)

• Uploading the picture to a web service, blending in with normal traffic

(Cat picture: “Why me?”)

Page 58:

• Information Gathering

• Reliable exploitation

• Target Selection/Delivery

• Persistency and Stealthiness

• Data Exfiltration

Page 59:

• “Kill Chain” concept (Lockheed Martin)

• Attacker only needs to win once (find one hole)

• Need to move the asymmetry from the attacker to the defender

The defender only needs to detect once

What can be detected?

• Recon “dry run”

• Delivery methods

• Exploit techniques (heap spray, ROP chaining, …)

• Shellcode structure

• Communication (C&C communication)

• …

Page 60:

Pattern Based Static Analysis

Dynamic Analysis

Hybrid Approach

MD5 / SHA1 / SHA256

Fuzzy hashing

Pattern-based

PCRE/ Regex

Proprietary language

Malware classifiers (J48, J48 Graft, PART)

Anti-VM

Anti-debugging

Anti-disassembly

Obfuscation

Reverse engineering

Semantic-aware detectors

Extract dynamic trace

Transform into IR

Compare to pre-defined templates

Memory dump analysis (packers)

API call trace analysis

Network activities

Registry modifications

Process creation/injections

File activities

What you see is what you get!

Page 61:

The Sample Lifecycle (flow diagram)

Stages: Sample arrives (Unknown) → Static analysis → Dynamic analysis → Classification → Manual analysis

Outcomes: Benign / Not classified / Generic threat / Family threat (Classified) / Malicious / Interesting

Edge label between the analysis stages: # Flags < Threshold

Page 62:

Pattern Based Static Analysis

Dynamic Analysis

Hybrid Approach

Build variants (e.g. Zeus)

Append garbage

Encoding

“Stay compliant”

Packing

Obfuscation

Encryption

Anti-reversing techniques

Avoid using the same executable template

Metasploit AV-evasion

Reuse “trusted templates”

PowerShell

In-memory exploits

Detect analysis*

Detect emulation*

Detect security product*

Beat the clock (AV sandbox)

“Split the maliciousness”

*Could be detected during static analysis

Page 63:

• Based on the Lockheed Martin “Cyber Kill Chain”

• Overview of offensive and defensive exploit technologies

http://0xdabbad00.com/2013/04/28/exploit-mitigation-kill-chain/

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Page 64:

Page 65:

Page 66:

TIME: cannot analyze a program forever

• Slow down loops

• Sleep

• Time-consuming operations (Encryption/Packing)

SPACE: cannot maintain unlimited states

• “Run out the clock”

• OpenProcess → VirtualAllocEx → WriteProcessMemory → LOOP .. → CreateRemoteThread

Page 67:

• Elevation of privilege to kernel mode: bypassing security products

• Server-side memory leaks: Heartbleed attack

• Stolen certificate authorities: breaking the trust

• Automatic static analysis is hard! Packing / obfuscation / encryption

• Manual static analysis: time consuming / not scalable

• Dynamic analysis: the malware problem!

Page 70:

• Attackers are 10 steps ahead

• Defenders need to raise attack complexity

  • Force mistakes

  • Raise cost

  • Set up traps

• Defense-in-depth works for 99%

  • For the 1% we need to keep innovating

• Exchange threat intelligence

• Don’t forget the basics

  • Patching

  • Password re-use

  • …

Page 71:

?

Page 72:

• Original Security Research

• Whitepapers / Tools

• Company representation

• Conferences

Current Research:

• Automated Memory Analysis for Malware Detection

• Advanced Exploit mitigation techniques

• Malware Evasion Visualization

Page 73:

Tomer Teller

[email protected]

@djteller