
Good afternoon, and welcome to BSides Las Vegas, Lucky 13. You are in Breaking Ground. This talk is titled "Cookie Monster: Exfiltrating Data and More, Bite by Tasty Bite," and it will be given by Eric and Mic Whitehorn-Gillam. Just a few quick announcements before we start. I would like to thank our sponsors, especially our diamond sponsors LastPass and Palo Alto Networks, and our gold sponsors Intel, Google and BlueCat. It's their support, along with our other sponsors, donors and volunteers, that makes BSides possible. Regarding cell phones: these talks are being live streamed, and as a courtesy to our speakers and audience we'd like everybody to silence your cell phone, if you would. Thank you. If you have a question, use the audience microphone (this is the one I'm holding) so that YouTube can hear what your question was. We appreciate that. As a reminder, the BSides photo policy prohibits taking pictures without the explicit permission of everyone in frame. Again, these talks are being recorded, so they will be available online on YouTube in the future. Last but not least, we would like to ask you to please keep your masks on at all times. And with that, let's get started. Please welcome Eric and Mic.

Thank you. I hope everybody's having a good time and is excited to be here. It's actually great to be here talking. We've spoken at other BSides, but never Las Vegas; first time here, so really excited about being able to present in front of all of you. So, as we said, it's Cookie Monster: Exfiltrating Data and More. The "and more" kind of got dropped off; we'll talk about that towards the end. Yeah, it kind of dropped off. And this really has been, it's been like four years in the making. We built this utility that we're going to talk about to serve a specific purpose, and then over the years we thought maybe we should do more with it, back and forth, back and forth, and finally decided that we wanted to make it publicly available to people. But overall this tool, while it serves a purpose, it's
really more about getting us thinking about our networks, right? As most of the conversations and talks have been here, it's about knowing your network and visibility into your network and what's actually occurring, and that's what this tool is here to help do.

Before we start talking about it, a little bit about us. We both work for Secure Ideas. It's a consulting company, a security consulting company, based out of Jacksonville, Florida. Our CEO, Kevin Johnson, former SANS instructor, started it back in 2010. It's our 12th year; hard to believe we've been around that long. But we do pen testing, et cetera, right? So what we're talking about is something that we've tested. It's not just us coming up with a theory; it's something we actually tried. My name is Eric Kuehn. I'm a principal security consultant. Before I started working for Secure Ideas five years ago, I was responsible for very large Active Directory infrastructures at Fortune 50 companies, like Windows environments. I know that probably gets me booed off stage when I say I actually kind of like Windows, but I do. And when I'm not working, I'm a movie enthusiast. I love movies. I was actually a film major, acting minor. I love watching movies. Now that my kids are older, we're getting to watch all of the really good movies; it's not just, you know, Disney movies, which are nice, but I like action films too.

So I'm Mic Whitehorn-Gillam. I'm from Canada, but I don't live there now; you can probably tell that. I write code. I've been doing it for a really long time, started when I was six, basically on the command line, migrated to batch files within a couple of years, and then actual real programming languages not long after that. And if you can't guess my age, that makes me old. So yeah, I used to run long distances, as I do on the slide, but it's been a while. COVID, unfortunately. I used to lift weights, and then COVID. Yeah, so it's harder now. I'm heavier now, because, you know, that happens too.

So we're here to talk
about data exfiltration. And I'll admit, for us, when we're doing our pen tests, this is usually not something that's on our radar at all, right? Unless you're a very, very mature organization and you have some controls, really, probably all I'm going to have to do is just browse out to an S3 bucket and I can take whatever I want off your network, right? That's not true for everybody. And, you know, there's all these wonderful options. Sure, you can use command and control channels, you can use network protocols, FTP, HTTPS, cloud services (like I said, one of our favorites), code repos. Then there's all those physical (yeah, I need to move a little further away from you, evidently, or we'll get an echo) physical things that you read about that sound so awesome but I don't think I've ever had to do, or probably never will: you know, using lights on a device and doing Morse code or something strange, or fan speeds, or cable harmonics, all this stuff. But like I said, that's really, really high tech and not often what's needed. And I mean, I love my picture there of the monitor on the copier, right, for that physical access, in case that's all we have, is the ability to print something.

And when we're talking about trying to get data off of a network, there's all these controls that organizations are putting in place. There's a considerable amount of time, effort, money, etc., all trying to prevent what we had to do. You know, our small list: you can limit the open ports, which most orgs are doing. Yep, only HTTP, HTTPS, although you'll still find even large orgs that somehow forgot about some random port that suddenly you can get access out there that's not covered by a firewall or a proxy. SMB? Oh, let's not yet. Please, no. Although it does happen. SMB out; although I've seen SMB in, that's even worse. Let's move past. Then we have next-gen firewalls, right, seeing what's going on, doing that deep packet inspection, all those intrusion detection and prevention systems, the inspection proxies that are
ripping apart everything that we tried to hide over that TLS encryption, right? Let's break that apart. Then you have your DLP software making sure people aren't opening files that they're not supposed to, with credit card information or whatever it might be. Then your drive encryption, so that people just can't walk off with your laptop, hopefully. And then, you know, of course we have NetFlow and other things that are showing what devices are actually talking to and where, right? All of these things that somebody is going to have to try and defeat. Of course, once again, if you don't have all of these things, maybe having somebody trying to actually exfiltrate data should not be one of your top priorities.

But that's what we were trying to solve way back in 2018. Hard to believe it's been four years. We were actually doing a red team assignment, different from what we typically do. We're pen testers, but we do red team as well, right? If you're not familiar with the difference between red teaming and pen testing: pen testing is down and dirty, we have like this much time to get wherever you want us to get to; red teaming, we're going to try and be really stealthy, we've been on the network for a while. And our problems really came down to that last bullet point: the blue team was really responsive. You messed up at all, once, and they were on you. We made a small mistake on one device, trying to test a website to see if we could get a phishing campaign to work. They caught it; that domain was burned. (I'm sorry if I'm echoing, I don't know what I did wrong.) But our client wanted us to exfiltrate data, right? They had these controls. They only allowed HTTPS out, not even HTTP. They proxied everything. They were ripping everything apart, they were inspecting it. They limited where we could go, right? We had very limited domain options. Content filtering, DLP software, everything. We knew that they were ripping the traffic apart, but we couldn't tell what they were using, right? And they wanted us to get this file
that they gave us, that was full of credit cards and other sensitive information, and see if we could get it somewhere. We didn't want to try the good old S3 bucket; they weren't using the cloud. It was 2018; this institution hadn't moved there yet. And we knew we had one shot. So Mic, myself and another gentleman, we're sitting around, we're discussing, we're like, what are we gonna do that might mask this and let us get some data off of this network? We need something that's quick; we didn't have a lot of time, we're getting towards the end of the engagement. And we need something that's low-tech, right? We don't want to invest the time and effort to try and get one of their devices to do some strange harmonics on a cable or something. So we actually said, what's normal in web traffic that's there, that probably isn't going to be looked at by anything? And that brought us to cookies, right?

So just to do a quick overview, because people are at different levels with cookies. Most people, probably, if you deal with HTTP traffic on a regular basis, this is going to be "why is that guy explaining cookies?", but for the people in the audience that might not: so, the example there, that's a request, there's a cookie in it that's being sent to the server. In normal traffic that would be set one of two ways that would be common. Either a response header would have come back that said Set-Cookie and provided the value, or a response of some other kind, like a JSON response would be a common one, sent the value back and then JavaScript on the page picked it up and shoved it in through the browser's API. Those would be the two ways they normally would get set. And then when the requests go to the server, whatever the scope is for the cookie, those cookies get included in a header, just like in the picture there. And the important part is, as you see from our website, Secure Ideas, right, it's pretty much unintelligible right there. There's nothing there to give you any indication of what it is. And if that's
what a system is looking at to determine if this is normal behavior or not, we were pretty sure we could do something that would look kind of like that and bypass all of those wonderful controls, which brought us to Cookie Monster.

So cookies have a max size, right? You can't just send that whole file all at once; it's gonna be way, way too big. So we said, let's, you know, come up with this idea: let's encode the data. Take that file, just encode it: read everything, read the contents, encode the contents, break it apart into nice-sized chunks, send all of those out in requests as cookies, merge it all back together on the back end, and bam, we have a file, right? And of course we needed a mascot. As soon as you build a utility, if you don't have a mascot, it's not a utility, right?

Okay, so Cookie Monster v1, back in 2018, built on Node. We had a web server; in our case it was Apache, because we wanted to have that TLS encryption, just because we didn't want to send anything over HTTP, and it wouldn't have worked anyway through the proxy. So we had the cert. And then we had the feeder. The one thing that we found on the network, which was very nice for us: it was 2018, so PowerShell was still a very good attack vector back then, right? Not quite as good now; we can have discussions about that. I think it's still a good attack vector. But PowerShell was enabled; we could use it. So we built the feeder, the script, around Invoke-WebRequest. This is sending, just like it sounds, a request as if it was like a browser to a website. So we encoded the file in memory, all right, took up a little bit of space. We used that normal cmdlet to bypass them if they were looking for something using a .NET library, because that is a little odd in most cases. We made sure to set the user agent on the request so it didn't say PowerShell, right? That would be kind of obvious. And then we also said let's allow it to send a whole bunch of files, not just one, and then put that random sleep in there so
it's not just, you know, sending request after request after request. Let it take some time, somewhere between, oh, like half a second and a minute, whatever you want, to make it look a little odd and not sit there and be a consistent state. It was simple but effective. And, you know, you look at that and it looks very different from our cookie, and I'm kind of embarrassed to say that this is what we came up with, but we were running out of time. And the funny thing is, it worked, right? This bypassed their content filter, their inspection proxy, everything. To us, any person looking at it who has any idea what a cookie looks like, this looks pretty odd, right? We've got double slashes in the front, and that was because we were encoding certain things; we didn't want it to be able to see it. That's not normal. We have some random integers in there that were telling Cookie Monster, the back end, hey, this is part one of X, so that incremented. And then we had our payload, which was part one of the file. And then we had some other bad things in there, right? The web server did things like said, okay, whatever. But overall it worked. If somebody would have seen this while we were going through the 45 minutes or so it was sending the data, you know, they would have instantly known it was wrong, right? If they would have gone to that website that we had picked when we got that domain name, it would have errored because of bad cookies. It was down and dirty, but it worked.

It's not good enough. We know it's not good enough, right? That was like gen one, let's do a proof of concept. We needed to be better. We need to be hiding in plain sight better than we were. This is a picture of a snake. Do you see the snake? No? He's right there. Do you see him? It's a copperhead. Okay, can you see him now? That's the nope rope, that's the bad end of the nope rope. You don't want to get bit by it; it would be really, really bad. Okay, this is one that Mic saw when he was running. When he was running? That's not true. Yeah, this
this is what we needed to be. We needed to be like this guy. So we came up with version two. We said, all right, let's take a step back. We want to stick with our same premise, but things have gotten better, right? We're sure detections have gotten better. So let's set up some other stuff for us. Number one, let's set up a unique ID for our device, because before, like, if we had four computers all sending files at the same time, it was going to get confused really fast. So let's add a unique ID. Let's do some better padding. Let's get rid of that slash in the front, right? Let's do something a little bit better. Do some graceful handling in case the server goes offline or something strange, so that we can do some retries, because when you encode the contents of a file and you miss a section, you've pretty much lost everything. Mic made a beautiful UI, all right, a functional UI, and a whole bunch of other enhancements. And then we put it on GitHub, because, well, once again, we think this is gonna work. I admit we don't know if this version is gonna work. So when we get to the question time and you say, is that going to work, we're going to say maybe. We have no reason to believe it won't, but we admit, as of right now, no one has paid us to try and exfiltrate data out of their network. If you're interested in helping us test this, please let us know, reach out, right? We'll be happy to do it. Or if you test it yourself, let us know. We want to know.

So the server enhancements, all on Mic. Oh, that's right, that's me. That's you. So I rewrote it, like, pretty much the whole thing. Updated it to Node 18, is what I was using, but it would probably work on 14 or higher. I did stuff. So, user interface is there. It still doesn't have built-in TLS, but we do that through a reverse proxy. Definitely, if you're using it for real data, even in, you know, a testing environment, be nice and TLS-encrypt the data. Keeps a lot of stuff in memory at this point in time.
When Eric wrote that bullet point, that's because that's what I told him, but it's not actually entirely true anymore. Oh, I need to change it. All right. It does write a temp file at one point. But yeah, so it still reassembles, still decodes, and it can send, well, it can send one command, actually. Am I premature on this? Go ahead. It can send one command to the server. It's kind of hard-coded in there; it's whoami. So you can send whoamis up to the server, yeah. We didn't really want to push out a full C2 framework, because, you know, ethical concerns and all that, so we did it that way, because that way, if anyone uses it, they'll probably get detected. That's right, hopefully, because everybody knows whoami is the immediate notice that you've been compromised, right? whoami equals you're in trouble. The only people that don't know who they are are people that don't belong there.

So the feeder: still using PowerShell. I like PowerShell, right? Windows guy, I like PowerShell. I know it's protected, right? You can do all sorts of things to see what's happening if you've turned on the logging and everything else; many organizations still haven't. It's a little bit more customizable. You can set any user agent you want; it has a default that looks like a Windows 11 box. You can set it to go through your own proxy. You can reconfigure the cookie size to be anywhere from, well, pretty much anywhere, but you don't want to go over 4,000 bytes, I think. Is that the limit? And now it adds some other things in there, right? It goes to a random page itself; it kind of picks some random page to go to. And it has that heartbeat option. And yes, we did originally have the idea that we wanted to accept commands and do functions based upon commands, but that was a little bit more. We like the idea of this being a way of testing your exfiltration controls right now, more than a command framework. It probably could be expanded out, but we'll leave that up to you, if you
want to do it.

So now everybody needs to, like, hope with me. Please work! That the demo is going to function, because as you all know, they never do, but hey, we'll see what happens. All right. No, minimize. Thank you. All right, so here we go. Here is our file of credit cards. I don't have DLP on my box, right, but, you know, we'll assume we got past it. Just random credit card numbers, and just to show that it's a new thing: where are we? We're in BSides Las Vegas. All right. So over here we have our feeder. So it's a simple little UI. Can everybody see it? Here, let me make it a little bit bigger. There we go. So, you know, you can change a couple of settings, you can add some things. Oh, we're out of frame. We're not in frame, sorry. I'm going to start the server. And so over here we can look at the PowerShell if we want. I just have my simple little script. It says invoke the feeder, Cookie Monster feeder, give it the URL I want to go to, the base URL, a proxy, because I want to send it through Burp so we can see what it looks like, and the file name. And now everybody crosses their fingers. Hey, all right, we are successful. It worked, at least it started. So here we go. We can see that it's getting data, and if we look in Burp, right, it's sending us to random pages, and to top it off, the server is responding back with data, right? Yeah, this is a big win. You know, it's not just something, you know, that says "hi." Yeah, it's a small selection. You could put more in if you want, but it's our small selection, and it's running through. You can see it's doing all the GETs we have it doing. Again, it'll do any web method you want. What we've found is, you know, MITRE and many of the other groups that are seeing how data exfiltration happens, it's via POSTs. So if that's one of the things your data exfiltration is looking for, it's not going to catch us, because we'll do a GET or a PUT or whatever we feel like, DELETE, it doesn't make a difference, TRACE, or we can make up our own method, whatever we want. Yeah, and we can
see, here we go, the cookies l
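As a defender-side addition that is not part of the talk or of the Cookie Monster project: a small Python heuristic that scans constructed proxy records for the traits the speakers describe (cookie names the host never issued, long high-entropy values, an incrementing part counter, and more cookie bytes to one host than the roughly 4,000-byte single-cookie limit they mention), regardless of HTTP method. The record format, thresholds, host names and sample values are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample traffic (not from the talk). "resp" records carry the
# Set-Cookie names a host legitimately issued; "req" records carry the Cookie
# header the client sent. The cdn.example requests imitate the pattern the talk
# describes: a per-part counter plus an encoded chunk, spread over mixed methods.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CHUNK = B64 * 30  # 1920 chars with a flat symbol distribution, like encoded data
SAMPLE = [
    {"dir": "resp", "host": "shop.example", "set_cookie": "session"},
    {"dir": "req", "method": "GET", "host": "shop.example", "cookie": "session=a8f3c1d2e4b5"},
    {"dir": "req", "method": "POST", "host": "shop.example", "cookie": "session=a8f3c1d2e4b5"},
    {"dir": "req", "method": "GET", "host": "cdn.example", "cookie": "id=1; d=" + CHUNK},
    {"dir": "req", "method": "PUT", "host": "cdn.example", "cookie": "id=2; d=" + CHUNK},
    {"dir": "req", "method": "GET", "host": "cdn.example", "cookie": "id=3; d=" + CHUNK},
]

def shannon_entropy(s):
    """Bits per character; encoded chunks sit near 6.0, real session ids lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_cookie(header):
    """Split 'a=1; b=2' into a dict; a pair without '=' is kept under its name with an empty value."""
    pairs = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        pairs[name] = value
    return pairs

def analyse(records, entropy_min=5.0, value_min=256, volume_max=4096):
    """Return {host: set(reasons)} for hosts whose inbound cookies look like chunked data."""
    issued = defaultdict(set)   # host -> cookie names seen in Set-Cookie
    volume = defaultdict(int)   # host -> total Cookie header bytes sent to it
    series = defaultdict(list)  # (host, name) -> values in arrival order
    reasons = defaultdict(set)
    for rec in records:
        if rec["dir"] == "resp":
            issued[rec["host"]].add(rec["set_cookie"])
            continue
        host = rec["host"]
        volume[host] += len(rec["cookie"])
        for name, value in parse_cookie(rec["cookie"]).items():
            series[(host, name)].append(value)
            if name not in issued[host]:
                reasons[host].add("cookie-not-issued-by-host")
            if len(value) >= value_min and shannon_entropy(value) >= entropy_min:
                reasons[host].add("long-high-entropy-value")
    for (host, _), values in series.items():
        if (len(values) >= 3 and all(v.isdigit() for v in values)
                and all(int(b) == int(a) + 1 for a, b in zip(values, values[1:]))):
            reasons[host].add("sequential-part-counter")
    for host, total in volume.items():
        if total > volume_max:
            reasons[host].add("cookie-volume-over-budget")
    return dict(reasons)
```

Cookies set by page JavaScript after a JSON response, as the talk notes, never appear in a Set-Cookie header either, so "cookie-not-issued-by-host" on its own is a weak signal and is only worth an alert when it co-occurs with the others.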