This document summarizes a talk given by Dr. Markku-Juhani O. Saarinen on custom penetration testing (pentest) tools he developed called HAGRAT to simulate advanced persistent threats (APTs). Some key points:
- HAGRAT includes a Windows remote access tool (RAT) and Linux command and control server to remotely control Windows systems and conduct intelligence gathering.
- It was developed over 3 months for $30,000 specifically to test organizations' defenses against APTs in a safe, controlled manner.
- HAGRAT remains undetected after 18 months due to limited and controlled usage. It penetrates firewalls using HTTP and looks like normal browser traffic to avoid detection
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Talk28oct14
1. Tales from the Professionals:
Custom PENTEST Tools for Simulation of a
Persistent Cyberattack
Dr. Markku-Juhani O. Saarinen <mjos@iki.fi>
ERCIM Research Fellow
NTNU, Department of Telematics
Trondheim, Norway
28 October 2014
2. Background on the Talk (and me)
• I've been working with information security for about 20 years.
(Changes since -94 are not as significant as you'd expect.)
• In 1997-1999 as a young cryptographer I helped to create the SSH2
protocol which protects most of us against password sniffing.
• After some time with Nokia Research etc. I got bored of Helsinki and in
2004 headed to the Middle East “where the action was”, becoming a
Senior Security Specialist based in Riyadh.
• Worked mainly in Penetration Testing and Compliance Audit, but
also created network monitoring and filtering systems in KSA.
• 2005 enrolled as PhD Student at Information Security Group, Royal
Holloway (a GCHQ center for excellence). Continued to consult in ME.
• Last year my old Dubai contacts asked me if I could help create a safe
Remote Access Tool (RAT) & Command Control to test their
customers preparedness against Advanced Persistent Threats (APT).
3. Stages of an APT Intel Operation
1. Initial Compromise. May use Social engineering such as Spear Phishing where target-tailored
messaging is used to activate malicious payload on target. Even physical access
to target premises (“walking or talking oneself to the office”) can be an effective option.
2. Establish Foothold. Use RATs (Remote Access Tools / Trojans) or other persistent
software that is operated via an outbound connection, typically to a custom Command
& Control infrastructure.
3. Escalate Privileges. The operator aims to further her access by examining the
configuration or via basic hacking techniques such as exploits, using local password
weaknesses or sniffing the network or keyboard for passwords.
4. Internal Reconnaissance. Map the target infrastructure; services and servers,
tunnels, proxies etc. Standard commands and uploaded custom mapping tools.
5. Move Laterally. Identify and move closer to “targets of interest” with stolen
credentials or other similar information to further internal access.
6. Maintain Presence. Via installation of low-level backdoors or even entirely new
attacker-controlled user identities and accounts.
7. Complete Mission. Get the “loot” data out of the target environment. Clean up all
traces of intrusion, if possible.
5. Advanced Persistent Threats & RATs:
Historical Highlights
• A March 2011 attack against RSA Security dropped a variant of the
Poison Ivy Remote Access Tool (RAT).
• The attack involved an email sent to its employees which carried an
Excel file called "2011 Recruitment plan." This file bundled a zero-day
Flash Player exploit.
• The Security intrusion resulted in the theft of secret keying data
related to the company's SecurID two-factor authentication.
• RSA eventually offered to replace all SecurID tokens for their
customers; approximately 40 million units.
• This pattern has repeated over and over again in major organizations.
6. Military Hacking – Research by
Mandiant and Paul Rascagnères
• Mandiant: APT1 is ran by the 2nd Bureau of the People’s
Liberation Army (PLA) General Staff Department’s (GSD) 3rd
Department, which is most commonly known by its Military
Unit Cover Designator (MUCD) as Unit 61398.
• Stolen hundreds of terabytes of data from at least 141
organizations. Focuses on compromising organizations in
English-speaking countries.
• Operational at least since 2006. Custom tools + Poison Ivy and
Gh0st RAT + lots of manpower (Shanghai).
• Most nations maintain similar capabilities. And you'll see that
some private organizations too. It's not rocket science.
7. Example: G20 Campaign by APT12
• Delivered within a Zip archive, no exploit was involved.
• All attacks used G20 summit as a theme for the bait (St.
Petersburg, 05-06 September 2013).
• All the attacks had their malware contact domains pointing
to the same host, 23.19.122.231.
• Malicious files used in the attacks belong to the same
malware family and behave in the same way.
8. Evaluating Security against
Advanced Persistent Threat: HAGRAT
• A tool for “APT” PENTEST or Red Team cyberwar exercises.
• A Remote Access Tool (RAT) for Windows XP, 7, 8. Linux-platform
Command & Control, Multiplatform Op Interface.
• 100% clean-slate development in March-May 2013 by me for
my former employer, a Private Security Company in Dubai.
• Not indiscriminately distributed, hence not identified by anti-malware
tools. Source internally available; can be vetted for a
PENTEST exercise, this is not a backdoored backdoor!
• Research value: Good indicator for estimating the effort
required for such cybermunition development.
9. Requirement Spec (March 2013)
1. Remote command-line shell. Allows the operator to examine the target system and
files contained therein.
2. Remote program execution. Facilitate operation of “plugin” tools on target system
for additional functionality.
3. A control terminal. A remote operator interface that connects to the Command and
Control Server component from a remote location.
4. File transfer. Arbitrary file upload / download from the operator system without
additional tools or services.
5. Communications security. Strong encryption and authentication of all traffic.
Communication link not identifiable by network analyzers.
6. Firewall penetration. HTTP control channel with the Windows system Proxy
settings and credentials in order to effectively penetrate through firewalls.
7. Alerts. System can be configured to issue an alert message such as an e-mail when a
specific RAT becomes active and the target system can be accessed.
8. Automation. A script system that allows automatic intelligence gathering and data
acquisition from target systems.
9. Targeted binaries. Encoding of server address, persistence mechanism, and other
configuration information into the RAT binary executable itself.
10. Limited persistence. A persistence mechanism and a “self-destruct” feature which
erases the RAT from the target system after a specified date.
10. Architecture: Binaries
Windows target executable:
hagr4t.exe A small Windows executable that allows remote
control of the target system (name arbitrary).
Linux server binaries:
hrccd Server daemon that manages multiple
simultaneous encrypted connections.
hrterm Operator control interface (“terminal”).
hrhts Implements HTTP tunneling in the server end.
Internal Server components:
hrcomm Pairs a terminal session with the desired target. hrxfer
File transfer helper for intel gathering scripts.
14. Outbound Firewall Penetration
• Always outbound http connection using WININET.DLL
(firewalls almost never don't stop these). Data flows out
encoded in HTTP requests and commands go in responses.
• Obtains proxy address and authentication information from
Internet Explorer and forges user-agent and other identifiers.
• Traffic looks like innocent browsing with Internet Explorer.
• Implemented TCP tunneling in HTTP (port 80). File transfers
and remote desktop all wrapped into the HTTP requests.
• Based on mideast experience succeeds from 95% of end-user
corporate / gov firewalls, even those with proxy authentication.
• Strong proprietary authentication and encryption, not using
system libraries for this. Not detected by most IDS systems.
• A relay mechanism implemented on other end which bounces
the traffic to/from the real C2 server if necessary
16. Better than Chinese RATs ?
• Professional communications security: Early versions of Blinker
& CBEAM encryption were developed for this project.
• The hagr4t.exe binary size is only 12kB ! Note that stuxnet and
flame were in megabyte range, developed in multiple languages.
• Excellent firewall penetration even through authenticating web
proxies. Fakes a browser connection rather than proprietary
port & protocol.
• Robust Linux Command and Control (r00tbsd took over PLA's
Poison Ivy CC in his hackback).
• Not as easily detectable due to discrimination in usage.
17. Conclusions and Further Work:
Efforts required for Cybermunitions
• Three months and a US $30000 budget was required to
develop a complete set from scratch (≈ 1 JDAM bomb).
• Relatively safe: Can be used in Red Team Exercises (or
simulated cyber warfare campaigns) against live targets.
• Droppers available from metaspoit etc. (However APT12
intelligence gathering efforts with regards to a G20 meeting
did not even use a zero-day.)
• Easy, cheap and fast ? However I have 20 years of coding and 15
years of PENTEST / Ethical Hacking experience.
• Operators need only moderate technical skills (e.g. CISSP),
more tenacity and social engineering skill required.
THANK YOU. QUESTIONS?