SlideShare a Scribd company logo

Talk28oct14

M
mjos

This document summarizes a talk given by Dr. Markku-Juhani O. Saarinen on custom penetration testing (pentest) tools he developed called HAGRAT to simulate advanced persistent threats (APTs). Some key points: - HAGRAT includes a Windows remote access tool (RAT) and Linux command and control server to remotely control Windows systems and conduct intelligence gathering. - It was developed over 3 months for $30,000 specifically to test organizations' defenses against APTs in a safe, controlled manner. - HAGRAT remains undetected after 18 months due to limited and controlled usage. It penetrates firewalls using HTTP and looks like normal browser traffic to avoid detection

Technology
1 of 17
Download to read offline
Tales from the Professionals: Custom PENTEST Tools for Simulation of a Persistent Cyberattack Dr. Markku-Juhani O. Saarinen <mjos@iki.fi> ERCIM Research Fellow NTNU, Department of Telematics Trondheim, Norway 28 October 2014
Background on the Talk (and me) • I've been working with information security for about 20 years. (Changes since -94 are not as significant as you'd expect.) • In 1997-1999 as a young cryptographer I helped to create the SSH2 protocol which protects most of us against password sniffing. • After some time with Nokia Research etc. I got bored of Helsinki and in 2004 headed to the Middle East “where the action was”, becoming a Senior Security Specialist based in Riyadh. • Worked mainly in Penetration Testing and Compliance Audit, but also created network monitoring and filtering systems in KSA. • 2005 enrolled as PhD Student at Information Security Group, Royal Holloway (a GCHQ center for excellence). Continued to consult in ME. • Last year my old Dubai contacts asked me if I could help create a safe Remote Access Tool (RAT) & Command Control to test their customers preparedness against Advanced Persistent Threats (APT).
Stages of an APT Intel Operation 1. Initial Compromise. May use Social engineering such as Spear Phishing where target-tailored messaging is used to activate malicious payload on target. Even physical access to target premises (“walking or talking oneself to the office”) can be an effective option. 2. Establish Foothold. Use RATs (Remote Access Tools / Trojans) or other persistent software that is operated via an outbound connection, typically to a custom Command & Control infrastructure. 3. Escalate Privileges. The operator aims to further her access by examining the configuration or via basic hacking techniques such as exploits, using local password weaknesses or sniffing the network or keyboard for passwords. 4. Internal Reconnaissance. Map the target infrastructure; services and servers, tunnels, proxies etc. Standard commands and uploaded custom mapping tools. 5. Move Laterally. Identify and move closer to “targets of interest” with stolen credentials or other similar information to further internal access. 6. Maintain Presence. Via installation of low-level backdoors or even entirely new attacker-controlled user identities and accounts. 7. Complete Mission. Get the “loot” data out of the target environment. Clean up all traces of intrusion, if possible.
Typical Attack Scenario and Payload
Advanced Persistent Threats & RATs: Historical Highlights • A March 2011 attack against RSA Security dropped a variant of the Poison Ivy Remote Access Tool (RAT). • The attack involved an email sent to its employees which carried an Excel file called "2011 Recruitment plan." This file bundled a zero-day Flash Player exploit. • The Security intrusion resulted in the theft of secret keying data related to the company's SecurID two-factor authentication. • RSA eventually offered to replace all SecurID tokens for their customers; approximately 40 million units. • This pattern has repeated over and over again in major organizations.
Military Hacking – Research by Mandiant and Paul Rascagnères • Mandiant: APT1 is ran by the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. • Stolen hundreds of terabytes of data from at least 141 organizations. Focuses on compromising organizations in English-speaking countries. • Operational at least since 2006. Custom tools + Poison Ivy and Gh0st RAT + lots of manpower (Shanghai). • Most nations maintain similar capabilities. And you'll see that some private organizations too. It's not rocket science.
Example: G20 Campaign by APT12 • Delivered within a Zip archive, no exploit was involved. • All attacks used G20 summit as a theme for the bait (St. Petersburg, 05-06 September 2013). • All the attacks had their malware contact domains pointing to the same host, 23.19.122.231. • Malicious files used in the attacks belong to the same malware family and behave in the same way.
Evaluating Security against Advanced Persistent Threat: HAGRAT • A tool for “APT” PENTEST or Red Team cyberwar exercises. • A Remote Access Tool (RAT) for Windows XP, 7, 8. Linux-platform Command & Control, Multiplatform Op Interface. • 100% clean-slate development in March-May 2013 by me for my former employer, a Private Security Company in Dubai. • Not indiscriminately distributed, hence not identified by anti-malware tools. Source internally available; can be vetted for a PENTEST exercise, this is not a backdoored backdoor! • Research value: Good indicator for estimating the effort required for such cybermunition development.
Requirement Spec (March 2013) 1. Remote command-line shell. Allows the operator to examine the target system and files contained therein. 2. Remote program execution. Facilitate operation of “plugin” tools on target system for additional functionality. 3. A control terminal. A remote operator interface that connects to the Command and Control Server component from a remote location. 4. File transfer. Arbitrary file upload / download from the operator system without additional tools or services. 5. Communications security. Strong encryption and authentication of all traffic. Communication link not identifiable by network analyzers. 6. Firewall penetration. HTTP control channel with the Windows system Proxy settings and credentials in order to effectively penetrate through firewalls. 7. Alerts. System can be configured to issue an alert message such as an e-mail when a specific RAT becomes active and the target system can be accessed. 8. Automation. A script system that allows automatic intelligence gathering and data acquisition from target systems. 9. Targeted binaries. Encoding of server address, persistence mechanism, and other configuration information into the RAT binary executable itself. 10. Limited persistence. A persistence mechanism and a “self-destruct” feature which erases the RAT from the target system after a specified date.
Architecture: Binaries Windows target executable: hagr4t.exe A small Windows executable that allows remote control of the target system (name arbitrary). Linux server binaries: hrccd Server daemon that manages multiple simultaneous encrypted connections. hrterm Operator control interface (“terminal”). hrhts Implements HTTP tunneling in the server end. Internal Server components: hrcomm Pairs a terminal session with the desired target. hrxfer File transfer helper for intel gathering scripts.
After 18 months: still undetected!
Windows development: hagr4t.exe
Linux development: hrccd
Outbound Firewall Penetration • Always outbound http connection using WININET.DLL (firewalls almost never don't stop these). Data flows out encoded in HTTP requests and commands go in responses. • Obtains proxy address and authentication information from Internet Explorer and forges user-agent and other identifiers. • Traffic looks like innocent browsing with Internet Explorer. • Implemented TCP tunneling in HTTP (port 80). File transfers and remote desktop all wrapped into the HTTP requests. • Based on mideast experience succeeds from 95% of end-user corporate / gov firewalls, even those with proxy authentication. • Strong proprietary authentication and encryption, not using system libraries for this. Not detected by most IDS systems. • A relay mechanism implemented on other end which bounces the traffic to/from the real C2 server if necessary
Brief Demo: Setup
Better than Chinese RATs ? • Professional communications security: Early versions of Blinker & CBEAM encryption were developed for this project. • The hagr4t.exe binary size is only 12kB ! Note that stuxnet and flame were in megabyte range, developed in multiple languages. • Excellent firewall penetration even through authenticating web proxies. Fakes a browser connection rather than proprietary port & protocol. • Robust Linux Command and Control (r00tbsd took over PLA's Poison Ivy CC in his hackback). • Not as easily detectable due to discrimination in usage.
Conclusions and Further Work: Efforts required for Cybermunitions • Three months and a US $30000 budget was required to develop a complete set from scratch (≈ 1 JDAM bomb). • Relatively safe: Can be used in Red Team Exercises (or simulated cyber warfare campaigns) against live targets. • Droppers available from metaspoit etc. (However APT12 intelligence gathering efforts with regards to a G20 meeting did not even use a zero-day.) • Easy, cheap and fast ? However I have 20 years of coding and 15 years of PENTEST / Ethical Hacking experience. • Operators need only moderate technical skills (e.g. CISSP), more tenacity and social engineering skill required. THANK YOU. QUESTIONS?

Recommended

Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
Abdul Rahman
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
CISSP Week 16
CISSP Week 16CISSP Week 16
CISSP Week 16
jemtallon
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
shreyng
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
KAMALI PRIYA P
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
Network security
Network securityNetwork security
Network security
Jarno Niemela
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
Anjum Ahuja
 

Recommended

Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
Abdul Rahman
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
CISSP Week 16
CISSP Week 16CISSP Week 16
CISSP Week 16
jemtallon
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
shreyng
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
KAMALI PRIYA P
 
CISSP Week 14
CISSP Week 14CISSP Week 14
CISSP Week 14
jemtallon
 
Network security
Network securityNetwork security
Network security
Jarno Niemela
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
Anjum Ahuja
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
Q Fadlan
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project Report
Raghav Bisht
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
koolkampus
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
anilinvns
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
Tudor Damian
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
sweta dargad
 
Network security
Network securityNetwork security
Network security
Greater Noida Institute Of Technology
 
Access Control - Week 4
Access Control - Week 4Access Control - Week 4
Access Control - Week 4
jemtallon
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
Santosh Khadsare
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
Yahia Kandeel
 
Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.
Shin'ichiro Matsuo
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
Information Technology
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
isc2-hellenic
 
Cyber security tutorial1
Cyber security tutorial1Cyber security tutorial1
Cyber security tutorial1
sweta dargad
 
Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Lec 1 apln security(4pd)
Lec 1 apln security(4pd)
Santosh Khadsare
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
Nicholas Davis
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
Satria Ady Pradana
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
whitehat 'People'
 
Itis pentest slides hyd
Itis pentest slides hydItis pentest slides hyd
Itis pentest slides hyd
Rama krishna
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
btpsec
 

More Related Content

What's hot

Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
koolkampus
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
Access Control - Week 4
Access Control - Week 4Access Control - Week 4
Access Control - Week 4
jemtallon
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
Information Technology
 
Cyber security tutorial1
Cyber security tutorial1Cyber security tutorial1
Cyber security tutorial1
sweta dargad
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
Nicholas Davis
 

What's hot (20)

Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project Report
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Network forensics and investigating logs
Network forensics and investigating logsNetwork forensics and investigating logs
Network forensics and investigating logs
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 
Cyber security tutorial2
Cyber security tutorial2Cyber security tutorial2
Cyber security tutorial2
 
Network security
Network securityNetwork security
Network security
 
Access Control - Week 4
Access Control - Week 4Access Control - Week 4
Access Control - Week 4
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
 
Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
Cyber security tutorial1
Cyber security tutorial1Cyber security tutorial1
Cyber security tutorial1
 
Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Lec 1 apln security(4pd)
Lec 1 apln security(4pd)
 
Intrusion Detection And Prevention
Intrusion Detection And PreventionIntrusion Detection And Prevention
Intrusion Detection And Prevention
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1Introduction to IDS & IPS - Part 1
Introduction to IDS & IPS - Part 1
 

Viewers also liked

Eight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability AssessmentEight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability Assessment
Sirius
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
 
Building LinkedIn's Next Generation Architecture with OSGi
Building LinkedIn's Next Generation Architecture with OSGiBuilding LinkedIn's Next Generation Architecture with OSGi
Building LinkedIn's Next Generation Architecture with OSGi
LinkedIn
 

Viewers also liked (14)

Itis pentest slides hyd
Itis pentest slides hydItis pentest slides hyd
Itis pentest slides hyd
 
Btpsec Sample Penetration Test Report
Btpsec Sample Penetration Test ReportBtpsec Sample Penetration Test Report
Btpsec Sample Penetration Test Report
 
DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0DTS Solution - Penetration Testing Services v1.0
DTS Solution - Penetration Testing Services v1.0
 
Automation of Penetration Testing
Automation of Penetration TestingAutomation of Penetration Testing
Automation of Penetration Testing
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Vulnerability Assessment Presentation
Vulnerability Assessment PresentationVulnerability Assessment Presentation
Vulnerability Assessment Presentation
 
Btpro-Penetration Testing Service
Btpro-Penetration Testing ServiceBtpro-Penetration Testing Service
Btpro-Penetration Testing Service
 
Eight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability AssessmentEight Steps to an Effective Vulnerability Assessment
Eight Steps to an Effective Vulnerability Assessment
 
The Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best PracticesThe Security Vulnerability Assessment Process & Best Practices
The Security Vulnerability Assessment Process & Best Practices
 
Building LinkedIn's Next Generation Architecture with OSGi
Building LinkedIn's Next Generation Architecture with OSGiBuilding LinkedIn's Next Generation Architecture with OSGi
Building LinkedIn's Next Generation Architecture with OSGi
 
Business Process
Business ProcessBusiness Process
Business Process
 
Cloudfoundry architecture
Cloudfoundry architectureCloudfoundry architecture
Cloudfoundry architecture
 

Similar to Talk28oct14

Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)
Wail Hassan
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
webhostingguy
 

Similar to Talk28oct14 (20)

Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Protecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropperProtecting location privacy in sensor networks against a global eavesdropper
Protecting location privacy in sensor networks against a global eavesdropper
 
Project in malware analysis:C2C
Project in malware analysis:C2CProject in malware analysis:C2C
Project in malware analysis:C2C
 
Day4
Day4Day4
Day4
 
Network security
Network securityNetwork security
Network security
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Hacking
Hacking Hacking
Hacking
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows Computer
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Secure Android Development
Secure Android DevelopmentSecure Android Development
Secure Android Development
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Recently uploaded (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 

Talk28oct14

  • 1. Tales from the Professionals: Custom PENTEST Tools for Simulation of a Persistent Cyberattack Dr. Markku-Juhani O. Saarinen <mjos@iki.fi> ERCIM Research Fellow NTNU, Department of Telematics Trondheim, Norway 28 October 2014
  • 2. Background on the Talk (and me) • I've been working with information security for about 20 years. (Changes since -94 are not as significant as you'd expect.) • In 1997-1999 as a young cryptographer I helped to create the SSH2 protocol which protects most of us against password sniffing. • After some time with Nokia Research etc. I got bored of Helsinki and in 2004 headed to the Middle East “where the action was”, becoming a Senior Security Specialist based in Riyadh. • Worked mainly in Penetration Testing and Compliance Audit, but also created network monitoring and filtering systems in KSA. • 2005 enrolled as PhD Student at Information Security Group, Royal Holloway (a GCHQ center for excellence). Continued to consult in ME. • Last year my old Dubai contacts asked me if I could help create a safe Remote Access Tool (RAT) & Command Control to test their customers preparedness against Advanced Persistent Threats (APT).
  • 3. Stages of an APT Intel Operation 1. Initial Compromise. May use Social engineering such as Spear Phishing where target-tailored messaging is used to activate malicious payload on target. Even physical access to target premises (“walking or talking oneself to the office”) can be an effective option. 2. Establish Foothold. Use RATs (Remote Access Tools / Trojans) or other persistent software that is operated via an outbound connection, typically to a custom Command & Control infrastructure. 3. Escalate Privileges. The operator aims to further her access by examining the configuration or via basic hacking techniques such as exploits, using local password weaknesses or sniffing the network or keyboard for passwords. 4. Internal Reconnaissance. Map the target infrastructure; services and servers, tunnels, proxies etc. Standard commands and uploaded custom mapping tools. 5. Move Laterally. Identify and move closer to “targets of interest” with stolen credentials or other similar information to further internal access. 6. Maintain Presence. Via installation of low-level backdoors or even entirely new attacker-controlled user identities and accounts. 7. Complete Mission. Get the “loot” data out of the target environment. Clean up all traces of intrusion, if possible.
  • 5. Advanced Persistent Threats & RATs: Historical Highlights • A March 2011 attack against RSA Security dropped a variant of the Poison Ivy Remote Access Tool (RAT). • The attack involved an email sent to its employees which carried an Excel file called "2011 Recruitment plan." This file bundled a zero-day Flash Player exploit. • The Security intrusion resulted in the theft of secret keying data related to the company's SecurID two-factor authentication. • RSA eventually offered to replace all SecurID tokens for their customers; approximately 40 million units. • This pattern has repeated over and over again in major organizations.
  • 6. Military Hacking – Research by Mandiant and Paul Rascagnères • Mandiant: APT1 is ran by the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. • Stolen hundreds of terabytes of data from at least 141 organizations. Focuses on compromising organizations in English-speaking countries. • Operational at least since 2006. Custom tools + Poison Ivy and Gh0st RAT + lots of manpower (Shanghai). • Most nations maintain similar capabilities. And you'll see that some private organizations too. It's not rocket science.
  • 7. Example: G20 Campaign by APT12 • Delivered within a Zip archive, no exploit was involved. • All attacks used G20 summit as a theme for the bait (St. Petersburg, 05-06 September 2013). • All the attacks had their malware contact domains pointing to the same host, 23.19.122.231. • Malicious files used in the attacks belong to the same malware family and behave in the same way.
  • 8. Evaluating Security against Advanced Persistent Threat: HAGRAT • A tool for “APT” PENTEST or Red Team cyberwar exercises. • A Remote Access Tool (RAT) for Windows XP, 7, 8. Linux-platform Command & Control, Multiplatform Op Interface. • 100% clean-slate development in March-May 2013 by me for my former employer, a Private Security Company in Dubai. • Not indiscriminately distributed, hence not identified by anti-malware tools. Source internally available; can be vetted for a PENTEST exercise, this is not a backdoored backdoor! • Research value: Good indicator for estimating the effort required for such cybermunition development.
  • 9. Requirement Spec (March 2013) 1. Remote command-line shell. Allows the operator to examine the target system and files contained therein. 2. Remote program execution. Facilitate operation of “plugin” tools on target system for additional functionality. 3. A control terminal. A remote operator interface that connects to the Command and Control Server component from a remote location. 4. File transfer. Arbitrary file upload / download from the operator system without additional tools or services. 5. Communications security. Strong encryption and authentication of all traffic. Communication link not identifiable by network analyzers. 6. Firewall penetration. HTTP control channel with the Windows system Proxy settings and credentials in order to effectively penetrate through firewalls. 7. Alerts. System can be configured to issue an alert message such as an e-mail when a specific RAT becomes active and the target system can be accessed. 8. Automation. A script system that allows automatic intelligence gathering and data acquisition from target systems. 9. Targeted binaries. Encoding of server address, persistence mechanism, and other configuration information into the RAT binary executable itself. 10. Limited persistence. A persistence mechanism and a “self-destruct” feature which erases the RAT from the target system after a specified date.
  • 10. Architecture: Binaries Windows target executable: hagr4t.exe A small Windows executable that allows remote control of the target system (name arbitrary). Linux server binaries: hrccd Server daemon that manages multiple simultaneous encrypted connections. hrterm Operator control interface (“terminal”). hrhts Implements HTTP tunneling in the server end. Internal Server components: hrcomm Pairs a terminal session with the desired target. hrxfer File transfer helper for intel gathering scripts.
  • 11. After 18 months: still undetected!
  • 14. Outbound Firewall Penetration • Always outbound http connection using WININET.DLL (firewalls almost never don't stop these). Data flows out encoded in HTTP requests and commands go in responses. • Obtains proxy address and authentication information from Internet Explorer and forges user-agent and other identifiers. • Traffic looks like innocent browsing with Internet Explorer. • Implemented TCP tunneling in HTTP (port 80). File transfers and remote desktop all wrapped into the HTTP requests. • Based on mideast experience succeeds from 95% of end-user corporate / gov firewalls, even those with proxy authentication. • Strong proprietary authentication and encryption, not using system libraries for this. Not detected by most IDS systems. • A relay mechanism implemented on other end which bounces the traffic to/from the real C2 server if necessary
  • 16. Better than Chinese RATs ? • Professional communications security: Early versions of Blinker & CBEAM encryption were developed for this project. • The hagr4t.exe binary size is only 12kB ! Note that stuxnet and flame were in megabyte range, developed in multiple languages. • Excellent firewall penetration even through authenticating web proxies. Fakes a browser connection rather than proprietary port & protocol. • Robust Linux Command and Control (r00tbsd took over PLA's Poison Ivy CC in his hackback). • Not as easily detectable due to discrimination in usage.
  • 17. Conclusions and Further Work: Efforts required for Cybermunitions • Three months and a US $30000 budget was required to develop a complete set from scratch (≈ 1 JDAM bomb). • Relatively safe: Can be used in Red Team Exercises (or simulated cyber warfare campaigns) against live targets. • Droppers available from metaspoit etc. (However APT12 intelligence gathering efforts with regards to a G20 meeting did not even use a zero-day.) • Easy, cheap and fast ? However I have 20 years of coding and 15 years of PENTEST / Ethical Hacking experience. • Operators need only moderate technical skills (e.g. CISSP), more tenacity and social engineering skill required. THANK YOU. QUESTIONS?