
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi

Anonymization techniques are a double-edged sword: they can be used by journalists to communicate more safely with whistleblowers, or by malicious users to commit cyber-crimes without getting caught, but the problem is that neither party is anonymous or safe from being exposed. In the presentation, Mohamed discussed a tool he developed, "dynamicDetect", to de-anonymize TOR clients and browsers and extract the user's original IP address and fingerprint. The tool then uses this information as a launchpad to perform defensive and offensive actions against that TOR user.



  1. Attacking The Unknown – www.dts-solution.com – Mohamed Bedewi, Sr. Security Researcher and Penetration Testing Consultant. Network+ | CCNA | MCSE | Linux+ | RHCE | Security+ | CEH | ECSA | LPT | PWB | CWHH | OSCP. mohamed@dts-solution.com | https://ae.linkedin.com/in/mbedewi | https://twitter.com/mbedewi
  2. DTS Solution
  3. Attacking The Unknown (diagram: Discovery, Enumeration, Exploitation, Escalation). The Unknown is such a general term! The Unknown can literally be anything. You can’t attack The Unknown! What is The Unknown, really?
  4. What is The Unknown, really? • The Unknown is an internet user who thinks he is fully anonymous or untraceable. • The Unknown will use anonymity technologies which never promised full anonymity. • The Unknown can be your neighbor, friend, boss or the person sitting next to you. • The Unknown has his own reasons to become anonymous, but not all reasons are good. (Technologies: Web Proxy, Proxy Chains, VPN, TOR)
  5. Anonymity Technologies – Web Proxy. A Web Proxy is a computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information. Privacy Implications: • Web Proxy servers are poorly maintained. • The internet is full of rogue Web Proxy servers. • DNS leakage can reveal Web Proxy users’ identity. • The data travels unencrypted in most use cases. • Web Proxy is vulnerable to client-side attacks. Web Proxy is now considered an old and deprecated technology since it is far from being stable, secure, fast, practical or flexible, while being a single point of failure from both security and functionality perspectives.
  6. Anonymity Technologies – Proxy Chains. Proxy Chains is a daemon which chains a list of proxy servers and routes any TCP traffic through them. The last proxy server in the chain accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information. Privacy Implications: • Proxy servers are poorly maintained. • The internet is full of rogue Proxy servers. • DNS leakage can reveal Proxy Chains users’ identity. • The data travels unencrypted in most use cases. • Proxy Chains is vulnerable to client-side attacks. Proxy Chains is now considered an old and deprecated technology since it is far from being stable, secure, fast, practical or flexible, even though it can route any TCP traffic through a chained network of proxy servers.
  7. Anonymity Technologies – VPN. A VPN is an intermediate computer which tunnels and encrypts all network traffic initiated by or destined to a client computer. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information. Privacy Implications: • VPN activity logs can reveal VPN users’ identity. • The internet is full of vulnerable VPN servers. • DNS leakage can reveal VPN users’ identity. • Service payment can reveal VPN users’ identity. • VPN is vulnerable to client-side attacks. VPN is now considered the second favorite choice when it comes to anonymity since it's stable, semi-fast, practical and flexible, with the ability to handle and route any IP-based service robustly through the encrypted magical tunnel.
  8. Anonymity Technologies – TOR. TOR is based on a VPN-like distributed network which takes a random pathway through several encrypted servers to an exit node, which accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information. Privacy Implications: • TOR exit nodes are poorly maintained. • Compromised nodes can reveal TOR users’ identity. • DNS leakage can reveal TOR users’ identity. • Correlation attacks can reveal TOR users’ identity. • TOR is vulnerable to client-side attacks. TOR is now considered the favorite choice when it comes to anonymity since it's free, stable, semi-fast, practical and flexible, with the ability to handle and route any IP-based service robustly and securely through a VPN-like network.
  9. Anonymity Technologies Facts • If the technology in question is free of charge, then it’s poorly maintained and vulnerable. • Anonymity technologies are vulnerable to client-side attacks which will reveal users’ identity. • If the technology in question is paid, then it’s most probably monitored even if told otherwise. • Anonymity technologies are vulnerable to DNS information leakage if not specially configured. • Intermediate mediums used by anonymity technologies can be sniffing traffic for any purpose.
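Slides 6 and 9 both point at DNS leakage as the configuration mistake that exposes proxy-chain users: the TCP stream goes through the chain, but if name resolution is not forced through it, the client's own resolver still sees every hostname visited. The following audit script is an added example, not code from the presentation or from dynamicDetect; it checks a proxychains-style configuration for that weakness. It assumes the real proxychains configuration keywords (`proxy_dns`, the `*_chain` mode lines and the `[ProxyList]` section); the two configuration texts embedded below are constructed samples, one leaky and one hardened.

```python
"""
Audit a proxychains-style configuration for the DNS-leak risk described in the
slides. Added example, not part of the presentation or of dynamicDetect.
Assumes the real proxychains keywords: proxy_dns, strict_chain / dynamic_chain /
random_chain / round_robin_chain, and a [ProxyList] section.
"""

from dataclasses import dataclass, field
from typing import List

# Constructed sample: proxy_dns is commented out, so hostnames are resolved
# by the local resolver even though TCP traffic goes through the chain.
LEAKY_CONF = """\
# proxychains.conf (constructed sample)
dynamic_chain
#proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 127.0.0.1 9050
"""

# Constructed sample: the corrected setting, DNS resolved through the chain.
HARDENED_CONF = """\
# proxychains.conf (constructed sample)
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
socks5 127.0.0.1 9050
"""

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain", "round_robin_chain")


@dataclass
class AuditResult:
    proxy_dns: bool                 # True if name resolution goes through the chain
    chain_mode: str                 # which *_chain mode was set, or "unspecified"
    proxies: List[str] = field(default_factory=list)   # raw [ProxyList] entries
    findings: List[str] = field(default_factory=list)  # human-readable problems


def audit_proxychains(conf: str) -> AuditResult:
    """Parse a proxychains-style config and report configuration weaknesses."""
    proxy_dns = False
    chain_mode = "unspecified"
    proxies: List[str] = []
    in_list = False
    for raw in conf.splitlines():
        # Strip comments first: a commented-out "#proxy_dns" must count as disabled.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
            continue
        if in_list:
            proxies.append(line)
            continue
        if line == "proxy_dns":
            proxy_dns = True
        elif line in CHAIN_MODES:
            chain_mode = line

    findings: List[str] = []
    if not proxy_dns:
        findings.append("DNS leak: proxy_dns is disabled, hostnames resolve via the local resolver")
    if chain_mode == "unspecified":
        findings.append("no chain mode set")
    if not proxies:
        findings.append("empty [ProxyList]: traffic would not be proxied at all")
    return AuditResult(proxy_dns, chain_mode, proxies, findings)


if __name__ == "__main__":
    for name, conf in (("leaky", LEAKY_CONF), ("hardened", HARDENED_CONF)):
        result = audit_proxychains(conf)
        print(f"{name}: proxy_dns={result.proxy_dns}, mode={result.chain_mode}")
        for finding in result.findings:
            print("  -", finding)
```

The comment stripping is the important detail: a distribution default file often ships `proxy_dns` commented out, which reads as "present" to a naive grep but is disabled in practice. The same check applies in spirit to browser SOCKS settings, where remote DNS must be enabled for the proxy to see the lookup instead of the local resolver.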
  10. Privacy is an Illusion
  11. How to Exploit The Unknown? Any successful exploitation starts with discovering the target in question, then enumerating the target for potential vulnerabilities, then exploiting the discovered vulnerabilities, then finally escalating privileges and backdooring the target to ensure further access. The target in question is anonymous, so to take the previous approach further we need to deanonymize and identify the target first, otherwise exploitation won’t be possible. The entire process of deanonymizing, identifying, attacking and profiling (DIAP) the target needs to be automated via a smart, lightweight offensive module. (diagram: Deanonymization, Identification, Enumeration, Exploitation, Escalation, Persistence)
  12. Now Since We Know How it Should be Done, Let Me Introduce to You dynamicDetect
  13. What is dynamicDetect? Despite its friendly name, dynamicDetect is a very sophisticated offensive module which can effectively and robustly deanonymize, identify, attack and profile (DIAP) malicious users, basically behind TOR, VPN and Proxies, automatically and with zero human interaction. dynamicDetect Technical Features: • Capable of deanonymizing any anonymous user flawlessly and accurately on the fly. • Capable of identifying the anonymous user’s IP address, country, city and coordinates. • Capable of enumerating the anonymous user’s machine to spot every single weakness. • Capable of exploiting every single weakness identified in the anonymous user’s machine. • Capable of escalating privileges under any system despite deployed security controls. • Capable of maintaining access and staying stealthy even in the most strict environments. • Capable of profiling each and every anonymous user efficiently with a detailed activity log. The anonymous user never suspects the activity happening in the background, and it all happens in a maximum of 3.10 seconds!
  14. How dynamicDetect Works? (diagram: Deanonymization, Identification, Enumeration, Exploitation, Escalation, Persistence) Alice thinks that she's fully anonymous till she clicks on a rogue link and, all of a sudden, her machine isn't hers anymore after being fully deanonymized and having her identity exposed! The best way to deliver a malicious payload is over an encrypted channel, and we don’t even have to worry about raising any suspicions because Alice is the one who initiated it. Payload successfully delivered and Alice doesn’t even know!
  15. Talk is Cheap, Show us dynamicDetect
  16. Thanks and Have a Good Day
