Exploiting Browsers Like A Boss with White Lightning!
Whoa, this isn't wood shop class?
About Bryce
- Exploitation: (Pen)Testing
- Defense: Threat Intel
Recipe Makes 1 Bryce
- 1 oz Chewbacca
- 2 oz Energy Drinks
- 37 oz Rage Hacking
SoCal Hacking
- Twentythreedotorg
- LA2600
Phishing Demo
Turtle Cavalry Attack! ☺
The Why… Can You Hack Me Bro?
- Christmas years ago
- Can you hack me bro?
- Totes out of date Java
- SURE BRO!
- Redirected network
- iFrame to…
- Browser Autopwn
- Throws IE Exploits...
- at my Bro’s Mac Book
The Why… Hacker says: Just use BeEF...
- I love BeEF…
- for XSS and…
- for interacting with user’s browser session
- I hate waiting for a user to click a link… so…
- Auto-run an exploit… but which exploit?
- Build script with survey logic… but…
- Was painful to implement logic to run the best applicable exploit(s)
The Why… Realized… Just use a… Crimeware Exploit Kit (EK)
• Fully Automated
• Selects the best exploit(s)
• Uses only 80/TCP HTTP
• Every exploit has to be ported
• Usually drops a binary to disk
– (e.g. exe)
Current Solutions -> Crimeware EK
Crimeware Exploit Kits (EK)
• Pros:
– Fairly easy to setup, depending on the kit
– Will select the best exploit(s) to throw
– Usually uses only 80/TCP HTTP
• Cons:
– Every exploit has to be ported to the EK
– Usually drops a binary (e.g. exe) to disk
– Potentially detectable by security products
– Costs $$ & Trust issues? ☺
Current Solutions -> Custom Solution
Build your own custom solution with a mix of exploits and social engineering (SE) techniques
• Pros:
– Tailor solution to current engagement
– You know your solution
• Cons:
– Time to develop and refine operations
– Limited set of exploits and/or SE techniques
– Low chance of selecting the correct exploit
– Limited ability to leverage existing work
Current Solutions -> Metasploit with Single Exploit
Metasploit with selecting a single exploit
• Pros:
– Easy to setup
– Metasploit is awesome for exploit development
• Cons:
– Low chance of selecting the correct exploit
Current Solutions -> Metasploit Browser Autopwn
• Metasploit’s auxiliary/server/browser_autopwn
– Pros:
• Easy to setup
• Much better now with “BrowserRequirements” options
• Metasploit is awesome for exploit development
– Cons:
• Throws all exploits Metasploit thinks are applicable (20+)
• Needs the target endpoint to have loose egress filtering
TCP Ports Analysis for Metasploit’s Autopwn
80/TCP HTTP: Exploit #1
80/TCP HTTP: Exploit #2
80/TCP HTTP: Exploit etc...
3333/TCP: windows/meterpreter/reverse_tcp
6666/TCP: generic/shell_reverse_tcp
7777/TCP: java/meterpreter/reverse_tcp
Bryce’s Rule for Exploitation #?
Whenever possible, between the exploit and initial access to the endpoint, reuse the same:
• Transport Layer Protocol (TCP, UDP, etc…)
• Port Number (80, 445, etc…)
• Application Layer Protocol (HTTP, SMB, etc…)
• And communicate through the same path including:
– To the same IP address
– Using the same hostname and/or domain
Exploitation Truth
If it worked for the exploit…
It should work for your RAT too :)
About White Lightning
What is White Lightning…
- Urban Dictionary
- A Burt Reynolds Movie
- Moonshine…
yeah but it is now also a Platform for Browser Exploitation
Why more tools?
[Chart: Success Rate of Attackers, y-axis 0% to 120%, by attacker type: Auditor (10), Script Kiddie (30), White Hat Hacker (50), Hacktivist (60), Crime Orgs (80), Espionage Orgs (90); bar labelled “Publicly Available Tools”, animated to “Push It” and “Push It, Real Good”]
Server-Side Exploitation, The Good Old Days
• Exploits vulnerability in a service running on a port (traditional hack)
• Instant on demand access
• Services tend to crash during exploitation
• Becoming less prevalent
[Diagram: Script Kiddie throwing exploits directly at a Web Server and a Database Server]
Firewall all the Things!
So what are we to do?
Unfortunately our Castles, A.K.A. Security Technology Stack, end up being like this…
And… Real attackers know this and…
Why Exploit Browsers
They Exploit our Browsers! … To gain Initial Access into Protected Networks
• Move past the hard outer wall & defenses
• Collect data from the initial endpoint
• Collect credentials and other tokens
• Pivot to other workstations & servers
– Lather, rinse, repeat
Why Exploit Browsers
[Diagram: Hacker sends Email w/ Exploit to a workstation, then pivots with SSH w/ Creds to the Admin Jump Server, Web Server and Database Server]
Client-Side
• Wait for user interaction
• Malicious document exploits
• Browser exploitation
• Trojan binaries
• Java applet
• VBScript infections
Now Publicly Releasing -> White Lightning!
Pros:
• Extensible framework for exploitation
– Platform for easy customizations
• Future proofed for new exploits
– Elegant back-end for interaction with Metasploit
– Easily supports the latest exploits
• Harder to defend against because it solves the egress port problem
– Designed to only use 80/TCP w/ all valid HTTP requests
– Selects the best exploit(s) to throw
– Sets the number of exploits to throw, including survey only mode
• Payload never touches disk (unless you really want it to ☺)
• Fairly easy to setup & 100% FREE ☺
Overview of White Lightning Management
[Diagram: Exploit Management → Create Tasking → Creates Unique URL → User visits URL (click) → Loads Survey → Software Installed → Throws / Uses an exploit]
Demo of White Lightning’s User Interface
Sticking w/ Bryce’s Rule for Exploitation #?
Survey: 80/TCP HTTP
Exploit: 80/TCP HTTP
Command & Control (C2): 80/TCP HTTP
How to…?
- Valid HTTP Requests
- only on TCP port 80
- Integrate Multiple Tools
- Use on same endpoint
…? ! Extremx !
Overview of Apache Reverse Proxy
[Diagram: browser → 80/TCP HTTP to e.com → Apache Reverse Proxy → 80/TCP HTTP → White Lightning; browser → 80/TCP HTTP to sub.e.com → Apache Reverse Proxy → 805/TCP HTTP → Metasploit, listening on TCP port 805]
Overview of White Lightning’s Front-End & Back-End
Front End (80/TCP HTTP, e.com)
Survey for…
- OS Version
- OS Architecture (x86, x64)
- Browser Version
- Browser Plugins Versions
- etc…
Back End
- Process Survey Data
- Exploit Selection Logic
- MSGRPC to Metasploit
- Return iFrame
[Diagram: Front End sends Survey Data to Back End; Back End returns iFrame]
Detailed Overview of White Lightning’s Survey Process
[Diagram: browser loads e.com over 80/TCP; Front End iFrames send survey data via XMLHttpRequest over 80/TCP HTTP to the Back End, which stores it in the Database and talks to Metasploit]
Detailed Overview of White Lightning’s Exploitation Process
[Diagram: browser loads the Exploit iFrame from sub.e.com over 80/TCP; the request is proxied to Metasploit on 805/TCP HTTP]
Detailed Overview of White Lightning’s Load Process
[Diagram: Payload served from the Database via e.com over 80/TCP to the browser]
Exploits Supported
• exploit/windows/browser/adobe_flash_pixel_bender_bof
• exploit/windows/browser/ms13_022_silverlight_script_object
• exploit/windows/browser/adobe_cooltype_sing
• exploit/windows/browser/adobe_flash_avm2
• exploit/windows/browser/apple_quicktime_marshaled_punk
• exploit/windows/browser/ms14_012_textrange
• exploit/windows/browser/ms14_012_cmarkup_uaf
• exploit/windows/browser/ms13_080_cdisplaypointer
• exploit/windows/browser/ms13_059_cflatmarkuppointer
• exploit/windows/browser/ms13_055_canchor
• exploit/windows/browser/ms13_037_svg_dashstyle
• exploit/windows/browser/java_cmm
• etc… (mainly focused on exploiting Windows 7 & 8 workstations)
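The back end's survey-then-select step (slide 33) and the module list above are enough to run the same logic from the defender's side: given a workstation's patch and plugin inventory, which of these modules would still have a target? This is an added example, not White Lightning code; the MS bulletin ids are read off the module names (ms13_022_… is MS13-022) and the plugin mapping is an assumption from the name prefixes, with only plugin presence checked because the deck gives no affected-version ranges.

```python
"""Defender-side exposure check against the modules on the Exploits Supported slide.
Added example, not White Lightning code: it runs the kit's survey -> exploit-selection
step in reverse, listing which listed modules still have a target on one workstation."""
import re
# Module names exactly as listed in the deck (stray "use" after java_cmm dropped).
MODULES = [
    "exploit/windows/browser/adobe_flash_pixel_bender_bof",
    "exploit/windows/browser/ms13_022_silverlight_script_object",
    "exploit/windows/browser/adobe_cooltype_sing",
    "exploit/windows/browser/adobe_flash_avm2",
    "exploit/windows/browser/apple_quicktime_marshaled_punk",
    "exploit/windows/browser/ms14_012_textrange",
    "exploit/windows/browser/ms14_012_cmarkup_uaf",
    "exploit/windows/browser/ms13_080_cdisplaypointer",
    "exploit/windows/browser/ms13_059_cflatmarkuppointer",
    "exploit/windows/browser/ms13_055_canchor",
    "exploit/windows/browser/ms13_037_svg_dashstyle",
    "exploit/windows/browser/java_cmm",
]
# Name prefix -> targeted plugin/product (assumed from the module names; CoolType is
# Adobe Reader's font engine). Presence only: the deck gives no affected-version ranges.
PLUGIN_PREFIXES = {"adobe_flash": "Flash", "adobe_cooltype": "Adobe Reader",
                   "apple_quicktime": "QuickTime", "java_": "Java"}
# "ms13_022_..." in a module name encodes Microsoft bulletin MS13-022.
BULLETIN_RE = re.compile(r"/ms(\d{2})_(\d{3})_")

def bulletin_of(module):
    """'exploit/windows/browser/ms13_022_x' -> 'MS13-022'; None for non-MS modules."""
    m = BULLETIN_RE.search(module)
    return f"MS{m.group(1)}-{m.group(2)}" if m else None

def product_of(module):
    """Plugin/product a non-bulletin module targets, or None if unrecognised."""
    name = module.rsplit("/", 1)[-1]
    return next((p for k, p in PLUGIN_PREFIXES.items() if name.startswith(k)), None)

def exposed_modules(host, modules=MODULES):
    """host = {'patched': set of bulletin ids, 'plugins': set of product names}."""
    hits = []  # (module, reason) for every module that still has something to hit
    for mod in modules:
        bulletin = bulletin_of(mod)
        if bulletin is not None:
            if bulletin not in host["patched"]:
                hits.append((mod, f"missing {bulletin}"))
        elif product_of(mod) in host["plugins"]:
            hits.append((mod, f"{product_of(mod)} installed, check its version"))
    return hits

# Constructed sample inventory for one Windows 7 workstation (not real telemetry).
SAMPLE_HOST = {"patched": {"MS13-022", "MS13-037", "MS13-055", "MS13-059", "MS13-080"},
               "plugins": {"Flash", "Java"}}

if __name__ == "__main__":
    for mod, why in exposed_modules(SAMPLE_HOST):
        print(f"{mod.rsplit('/', 1)[-1]:40} {why}")
```

For the sample host the two MS14-012 IE modules, both Flash modules and java_cmm remain in scope; the MS13 modules drop out as patched and the Reader and QuickTime modules drop out because those plugins are absent.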
Overview of Client-Side Exploitation
Demo of White Lightning’s Exploitation
Overview of Client-Side Exploitation
Demo of WL Deploying TB
Unhappy Campers ☺
Source Code
Source code on GitHub: https://github.com/TweekFawkes
Training at BlackHat EU!
Dark Side Ops: Custom Penetration Testing Training
October 14th & 15th in Amsterdam!!! ☺
Road Map
Community Project! Road Map for future features…
• Select what exploits to use per tasking
• Add alternative iFrame methods
• Easily convert a reflective dll into a WL load
• Easily select & store payloads
The End
Twitter: @TweekFawkes
Running Since 1791

White Lightning Sept 2014
