Drive By Healing

•

0 likes•356 views

Andy Cronin

The idea of converting a Malicious hacking technique to be an update delivery system.

Drive-by Healing

Can Hacking Techniques Be Used For
Good?

Aims
• Discover if a malicious hacking technique could
be used for good

• Investigate Drive-by Downloads, and adapt them
to deliver updates instead of malware

• Attempt to create a Wi-Fi Hotspot system that
triggers a Drive-by Healing process to update the
computer silently
Drive-by Healing Andrew Cronin

What Good Can Hacking Do?
• Find holes in software
– Without abusing them
• Give-aways
– Money, Software, Vouchers
• Fix Software
– Updates

Drive-by Healing Andrew Cronin

Drive-by Healing
• Drive-by Downloads
– One of the biggest problems on the Internet
– Just loading a page can infect
– Payloads:
• Trojans
• Botnets
• Other viruses

Drive-by Healing Andrew Cronin

Drive-by Healing
• Healing
– To make better, to make sound or healthy.
• How can computers be healed?
– Hardware repairs
– Software repairs
• Patches
• Updates
• Anti-virus
• New software

Drive-by Healing Andrew Cronin

Project Method
• Researching Wi-Fi Hotspots
• Researching Drive-by Downloads
• Firmware Flashing
• Captive Portal
• Virtual Machine & Heap Spraying

Drive-by Healing Andrew Cronin

Hotspots
• Used in establishments and businesses all over
• Wi-Fi Industry big business
– Advertising
– Paid for services
• DD-WRT Open source firmware can re-create
Hotspots
• Captive Portals block internet access until terms
are agreed

Drive-by Healing Andrew Cronin

Drive-by Downloads
• Written in JavaScript
– Employs Heap Spraying to
deliver payload
• Using Shellcode and NOPs
allocated in arrays
• Requires an exploit to initiate
payload

Drive-by Healing Andrew Cronin

Legal Issues
• Drive-by Downloads
– Put data on computers
– Activate programs and code
• All Without users knowledge and consent
– Illegal
• Gaining consent is vital

Drive-by Healing Andrew Cronin

Firmware Flashing
• DD-WRT Firmware uploaded to a Linksys
E2000 Router after the Router was flashed

• Flashing is required to flush out the old
firmware

Drive-by Healing Andrew Cronin

Hotspot Services on DD-WRT Firmware
Drive-by Healing Andrew Cronin

Captive Portal
• The DD-WRT Firmware has Hotspot services

• CoovaChilli was chosen (connects to ChiliSpot)

• Attempts to Create Captive Portal system for
Drive-by Download code with Ubuntu system

Drive-by Healing Andrew Cronin

Virtual Machine
• VMWare Player

• Windows XP SP3

• IECollections – Allows
multiple versions of
Internet Explorer to run
simultaneously

Drive-by Healing Andrew Cronin

Heap Spraying
Sample code from ‘Corelan’ site and debuggers to
test:
• Windbg
• Immunity Debugger
– Mona.py

Drive-by Healing Andrew Cronin

Heap Spraying
Heap Spray generator page
• For script kiddies
• Tested with Windows
Calculator

Drive-by Healing Andrew Cronin

Conclusion
There were three different issues that arose
regarding the Wi-Fi Hotspot:
• Age of systems available was on average 4-5
years old
• Only complex Linux based systems available
requiring extra hardware
• Open source projects lacked support making
install and configuration difficult

Drive-by Healing Andrew Cronin

Conclusion
Other problems concerning the Drive-by Healing
project included:
• Exploits, being malicious, can be self-
incriminating, therefore informative articles were
impossible to find
• Project attempted an ambitious idea that had
unforeseen complexities

Drive-by Healing Andrew Cronin

Future Work
Wi-Fi Hotspot
• Possible NoCatSplash on DD-WRT
• Other Router, WRT54G
Drive-by Download
• Exploit from Scratch (avoiding script kiddie
dangers)
• Research into update commands
• Education on the importance of updates

Drive-by Healing Andrew Cronin

QUESTIONS???

Drive-by Healing Andrew Cronin

What's hot

Programs you need!

dshinkfield

Docker - Hack Salem! - November 2014

Charles Anderson

Leaping the chasm from proprietary to open: A survivor's guide

bcantrill

Software Packaging/Scripting

Dell World

Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization. For More Information Please Visit:- http://bsidestampa.net http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock

Pentest Apocalypse - SANSFIRE 2016 Edition

Beau Bullock

With the focus on security, most organisations test the security defenses via pen-testing. But what about after the network has been compromised. Is there an Advance Persistent Threat (APT) sitting on the network? Will the defenses be able to detect this? This talk will discuss some of the open source tools that can help simulate this threat. So as to test the security defenses if an APT makes it onto the network.

Breach and attack simulation tools

Bangladesh Network Operators Group

07182013 Hacking Appliances: Ironic exploits in security products

NCC Group

Webinar–Vulnerabilities in Containerised Production Environments

Synopsys Software Integrity Group

Pentest Apocalypse

Beau Bullock

Docking stations andy_davis_ncc_group_slides

NCC Group

CyberCrime in the Cloud and How to defend Yourself

Alert Logic

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli

Priyanka Aash

Unikernels have produced impressive performance, including fast instantiation times, tiny memory footprints, and high consolidation, plus potentially a reduced attack surface and easier certification. Their main drawback is that they require applications to be manually ported to the underlying minimal OS; this means both expert work and considerable amount of time. In this talk we present Unikraft, an incubator project under the auspices of the Xen Project and the Linux Foundation aimed at automating the process of building customized images tailored to specific applications and thus significantly reducing development time. Unikraft decomposes the OS into elementary pieces (e.g., schedulers, memory allocators, drivers, etc.) that users can pick and choose from. It then builds images tailored to the needs of specific applications as well as the target platform (e.g., KVM, Xen) and architecture (e.g., ARM or x86).

OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica...

The Linux Foundation

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Priyanka Aash

The Xen Project is used by more than 10 million users, powers some of the largest clouds on the planet, and is starting to build momentum in embedded and safety-conscious market segments. It is also nearly 16 years old. The Xen Project’s success and longevity can be attributed to its flexible architecture, but more importantly to enabling community members to contribute ideas and code, even if they are not core to the project's main use-case. This has brought Xen far beyond server virtualization. Lars will share how the project has supported new technologies and ideas, which may include some really interesting things you might not know about Xen (especially around defense applications), and will derive best practices that may help other projects.

Scale17x: Thinking outside of the conceived tech comfort zone

The Linux Foundation

Container Landscape -05.01.15

Barton George

SESSION TITLE DevOps - IaC SESSION THEME DevOps SESSION OVERVIEW This is a hands-on experience workshop on "DevOps - IaC" and Automation from Infrastructure prospective. The session provides valuable insights on How "IaC" is going to be future for traditional DC, VM's and for Cloud, and How to setup or start with "IaC", what tool set and pipelines can be used and followed to move from traditional manual approach to automated DevOps approach. SESSION AGENDA What is DevOps? and Why you need DevOps? What is DevOps - IaC? Overview of some essential tools like Git, Jenkins, Docker/Ansible Live Demo Q&A SESSION TAKEAWAYS DevOps - IaC Framework Overview of Tool Set Pipeline Creation Overview Automation Idea And at last confidence to start a change towards DevOps DURATION 45 Mins

DevOps - IaC | Talk | AGILE GURUGRAM 2018 | 23 - 24 March, 2018

AgileNetwork

The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products. I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.

Pwning the Enterprise With PowerShell

Beau Bullock

Two years ago enabling your site with SSL was a simple affair, buy a certificate or create your own, install it then just remember to renew it every couple of years. Then suddenly security holes are being found in SSL virtually every month , popular browsers stop connecting to your site to protect themselves, and you’re continually being told your users data is at risk. In this session we will discuss how it all went wrong and can go wrong again then go through each step of requesting, generating and deploying a 4096 SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them as strongly as possible this session will show you how."

Fun With SHA2 Certificates

Gabriella Davis

Module 8: Increasing Security for Windows Servers Security is an essential consideration for networking with Windows Server 2008. In this module, you will learn how to implement various methods to increase security. Windows Firewall with Advanced Security is one of the features in Windows Server 2008 that is used to increase security. You can also use Windows Server Update Services to ensure that approved security updates are applied to servers in a timely way. Lessons Windows Security Overview Configuring Windows Firewall with Advanced Security Deploying Updates with Windows Server Update Services Lab : Increasing Security for Windows Servers Deploying a Windows Firewall Rule Implementing WSUS After completing this module, students will be able to: Describe a process for increasing the security of Windows Server 2008. Configure Windows Firewall with Advanced Security. Describe Windows Server Update Services and how to use it.

6421 b Module-08

Bibekananada Jena

What's hot (20)

Programs you need!

Docker - Hack Salem! - November 2014

Leaping the chasm from proprietary to open: A survivor's guide

Software Packaging/Scripting

Pentest Apocalypse - SANSFIRE 2016 Edition

Breach and attack simulation tools

07182013 Hacking Appliances: Ironic exploits in security products

Webinar–Vulnerabilities in Containerised Production Environments

Pentest Apocalypse

Docking stations andy_davis_ncc_group_slides

CyberCrime in the Cloud and How to defend Yourself

Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli

OSSEU18: From Handcraft to Unikraft: Simpler Unikernelization of Your Applica...

Defcon 22-philip-young-from-root-to-special-hacking-ibm-main

Scale17x: Thinking outside of the conceived tech comfort zone

Container Landscape -05.01.15

DevOps - IaC | Talk | AGILE GURUGRAM 2018 | 23 - 24 March, 2018

Pwning the Enterprise With PowerShell

Fun With SHA2 Certificates

6421 b Module-08

Viewers also liked

Theme 8(suite)

salmazen

Tic educacion docencia aprendizaje

WALTERIO BARRA C / COMPETENZZA CONSULTORES

Reglamento estudiantil maleja

malejaardila

Tendencias En Educación

Logicalis Latam

EXECUTIVE SUMMARY METRONAPOLI ● Public transportation ● Naples, Italy ● 550 employees CHALLENGE ● Increase mass transit ridership to lessen traffic congestion and pollution ● Provide subway passengers with enhanced security and new services ● Install innovative wireless/wired infrastructure that enables remote monitoring and control of subway system SOLUTION ● Integrated, standards-based wireless/wired solution ● Cisco Planning, Design, and Implementation services ● Transfers of information RESULTS ● Increased passenger security ● Greater control over transit services ● Enhanced rider experience

Metronapoli Services- Cisco

Cisco Case Studies

EdiçãO 2 Fevereiro

Luiz Fernando Galdino

Curso Plano de Continuidade de Negocios

Grupo Treinar

Viewers also liked (7)

Theme 8(suite)

Tic educacion docencia aprendizaje

Reglamento estudiantil maleja

Tendencias En Educación

Metronapoli Services- Cisco

EdiçãO 2 Fevereiro

Curso Plano de Continuidade de Negocios

Similar to Drive By Healing

Open Audit

ncspa

Chrome and Android Operating Systems

Lakshmanan Meiyappan

Creating your own private Download Center with Bintray

Baruch Sadogursky

Creating Havoc using Human Interface Device

Positive Hack Days

The Straight Skinny on Cloud Platforms

Hostway|HOSTING

SCADA Security: The Five Stages of Cyber Grief

Lancope, Inc.

Computer Architecture - Software - Lesson 10 - Hard Drive Management / Logica...

Eric Vanderburg

Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

Andrew Morris

Mobile security

priyanka pandey

Every time a new information technology finds its way into production, it seems as though we end up repeating the same process – security vulnerabilities will be discovered and disclosed in that technology, and users and vendors will deny that the risks are significant. Only after major attacks occur do we really start to see efforts to address the inherent risks in a systematic way. We’re falling into this exact same trap again with Industrial Control and SCADA systems, but in this case the problem is worse, because the inherent nature of control systems prevents us from applying many of the strategies that have been used to protect other kinds of computer networks. Join Lancope’s Director of Security Research, Tom Cross, for a look at the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems. Hear about: The state of Control Systems security vulnerabilities Attack activity that is prompting a change in perspective The unique, long-term challenges associated with protecting SCADA networks How anomaly detection can play a key role in protecting SCADA systems now

SCADA Security: The Five Stages of Cyber Grief

Lancope, Inc.

Virtualization

Ydel Capales

Security events in 2014

Chong-Kuan Chen

Chrome O S

Freelance android developer

Why you should believe in cloud - ITCluster iQuest Cluj Napoca

Radu Vunvulea

It's never been easier to containerize your services using Docker and deploy them to Azure using Kubernetes. In this session we will introduce you to the world of containers in Azure. You will learn how to set up continuous deployment with Visual Studio Team Services (VSTS), monitor and scale your containers in Azure, how to build Docker images, run them in Azure, and even handle secrets in Kubernetes clusters.

Container DevOps in Azure

Microsoft Tech Community

Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...

PranavPatil822557

Docker Enterprise Deployment Planning

Stephane Woillez

Strategy, planning and governance for enterprise deployments of containers - ...

The Incredible Automation Day

Telecom companies, software companies, and IT firms are all talking about “The Cloud” these days, but what is it really and what does it mean for small business owners? The truth is, most of us are already using the cloud in our daily jobs as marketers and businesspeople, and we don’t even know it. Moving your business from using a few cloud computing tools to embracing it as our primary IT toolkit can have a big impact on our productivity and bottom line. Trevor Jones and Brad Dormanen from GWI explain the basic concepts of cloud computing and some of the key benefits to Maine small businesses. They’ll explain how cloud computing can save businesses money and give small companies access to software tools previously only available to big companies. Brad and Trevor will also discuss the basic components your business needs to be “cloud ready” and outline some key things to think about when getting started in cloud computing.

Cloud Computing Basics for Small Business

GWI

ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...

Robert Conti Jr.

Similar to Drive By Healing (20)

Open Audit

Chrome and Android Operating Systems

Creating your own private Download Center with Bintray

Creating Havoc using Human Interface Device

The Straight Skinny on Cloud Platforms

SCADA Security: The Five Stages of Cyber Grief

Computer Architecture - Software - Lesson 10 - Hard Drive Management / Logica...

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

Mobile security

SCADA Security: The Five Stages of Cyber Grief

Virtualization

Security events in 2014

Chrome O S

Why you should believe in cloud - ITCluster iQuest Cluj Napoca

Container DevOps in Azure

Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...

Docker Enterprise Deployment Planning

Strategy, planning and governance for enterprise deployments of containers - ...

Cloud Computing Basics for Small Business

ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...

Drive By Healing

1. Drive-by Healing Can Hacking Techniques Be Used For Good?

2. Aims • Discover if a malicious hacking technique could be used for good • Investigate Drive-by Downloads, and adapt them to deliver updates instead of malware • Attempt to create a Wi-Fi Hotspot system that triggers a Drive-by Healing process to update the computer silently Drive-by Healing Andrew Cronin

3. What Good Can Hacking Do? • Find holes in software – Without abusing them • Give-aways – Money, Software, Vouchers • Fix Software – Updates Drive-by Healing Andrew Cronin

4. Drive-by Healing • Drive-by Downloads – One of the biggest problems on the Internet – Just loading a page can infect – Payloads: • Trojans • Botnets • Other viruses Drive-by Healing Andrew Cronin

5. Drive-by Healing • Healing – To make better, to make sound or healthy. • How can computers be healed? – Hardware repairs – Software repairs • Patches • Updates • Anti-virus • New software Drive-by Healing Andrew Cronin

6. Project Method • Researching Wi-Fi Hotspots • Researching Drive-by Downloads • Firmware Flashing • Captive Portal • Virtual Machine & Heap Spraying Drive-by Healing Andrew Cronin

7. Hotspots • Used in establishments and businesses all over • Wi-Fi Industry big business – Advertising – Paid for services • DD-WRT Open source firmware can re-create Hotspots • Captive Portals block internet access until terms are agreed Drive-by Healing Andrew Cronin

8. Drive-by Downloads • Written in JavaScript – Employs Heap Spraying to deliver payload • Using Shellcode and NOPs allocated in arrays • Requires an exploit to initiate payload Drive-by Healing Andrew Cronin

9. Legal Issues • Drive-by Downloads – Put data on computers – Activate programs and code • All Without users knowledge and consent – Illegal • Gaining consent is vital Drive-by Healing Andrew Cronin

10. Firmware Flashing • DD-WRT Firmware uploaded to a Linksys E2000 Router after the Router was flashed • Flashing is required to flush out the old firmware Drive-by Healing Andrew Cronin

11. Hotspot Services on DD-WRT Firmware Drive-by Healing Andrew Cronin

12. Captive Portal • The DD-WRT Firmware has Hotspot services • CoovaChilli was chosen (connects to ChiliSpot) • Attempts to Create Captive Portal system for Drive-by Download code with Ubuntu system Drive-by Healing Andrew Cronin

13. Virtual Machine • VMWare Player • Windows XP SP3 • IECollections – Allows multiple versions of Internet Explorer to run simultaneously Drive-by Healing Andrew Cronin

14. Heap Spraying Sample code from ‘Corelan’ site and debuggers to test: • Windbg • Immunity Debugger – Mona.py Drive-by Healing Andrew Cronin

15. Heap Spraying Heap Spray generator page • For script kiddies • Tested with Windows Calculator Drive-by Healing Andrew Cronin

16. Conclusion There were three different issues that arose regarding the Wi-Fi Hotspot: • Age of systems available was on average 4-5 years old • Only complex Linux based systems available requiring extra hardware • Open source projects lacked support making install and configuration difficult Drive-by Healing Andrew Cronin

17. Conclusion Other problems concerning the Drive-by Healing project included: • Exploits, being malicious, can be self- incriminating, therefore informative articles were impossible to find • Project attempted an ambitious idea that had unforeseen complexities Drive-by Healing Andrew Cronin

18. Future Work Wi-Fi Hotspot • Possible NoCatSplash on DD-WRT • Other Router, WRT54G Drive-by Download • Exploit from Scratch (avoiding script kiddie dangers) • Research into update commands • Education on the importance of updates Drive-by Healing Andrew Cronin

19. QUESTIONS??? Drive-by Healing Andrew Cronin

Editor's Notes

What is hacking? Why do it?Disrupting or damaging technologyCuriosity, Gain, ChallengeWhat is malware?Software made for malicious (bad, damaging) purposesHacking …??Breaking computers, Because they canWhy Do hackers hack?To understand to explore, Don’t press the big red button,To play, to push limits and boundariesFor Reward, fraud, theftIt’s a Game, Challenge (what can I break, get into?)Good Hacking.Hackers that send good things, Or do good (find vulnerability, without exploiting)Rather than break and steal.Find Holes = Software VulnerabilitiesSoftware = Useful programsFree Stuff = Vouchers or money, Things sent over internet
Hacking technique,About.com – biggest problem on internetOne statement put to the users in this survey was; “You can’t get infected just by loading an infected website”(G Data 2011, p.13).The survey highlighted that over 48% of those questioned believed this statement to be true.Over 53% of these people were 18-24 years of age.Countries, Italy topped the survey as the country that believed this myth the most,closely followed by Germany.In comparison, the most disbelieving country was the USA, closely followed by the UK. Women were most likely to believe that computers cannot be infected by just loading an infected website, by a tiny majority.This survey shows that the Internet is perceived to be more trustworthy than it actually is. Most likely to believe this false statement live in Italy, are between ages of 18-24 and are women.
Nicknamed the ‘Christian’ ProjectUpdates can: Reduce OS size Performance increase New features Over write infected system files to original purpose (disabling malware)
Heap Spraying step took the longest!
Walled Gardens also, Allow certain sites, e.g. Google search but stopped at results
Heap Spraying is….Like buffer overflows More targeted NOPs Sledge is ….Exploits, Broswerplugins …
A Legal Drive-by Download delivery systemFirst Idea – Drive-by Download Unleased anywhere on the net (NOT LEGAL)Second idea – Website (NOT LEGAL)Third Idea – WiFi Hotspot … Controlled audience, Consent from Captive portal (LEGAL) :D
90secs … ON … OFF … ON Reset Flushes out of firmware from NVRAM
CoovaChilli Chosen, FailedConnected to chillispot
Ubuntu LinuxLack of support Open source 5 yrs old Forums Dead
IE 6 and 7 and 86 and 7 worked DEPData Execution PreventionOn or Off … depending on exploit
Simple code For LoopArrayFor loopIn memory
Encrypted by generator but still showed calc in memory
Lots to do!!!!!

Drive By Healing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Drive By Healing

Similar to Drive By Healing (20)

Drive By Healing

Editor's Notes