
Jonathan Echavarria | Pwning pwners like a n00b

BSides Orlando · 35:29 · 794 views · Published 2016-03
About this talk
http://bsidesorlando.org/2016/jonathan-echavarria-pwning-pwners-like-a-n00b

Abstract

Cybercrime, blackhat hackers and some Ukrainians. If that doesn't catch your attention, then stop reading. Follow the story of how stupid mistakes, OPSEC fails, and someone with a little too much time on his hands was able to completely dismantle a spamming and webshell enterprise using really simple skills and techniques you could pick up in a week. Did we mention that d0x were had as well? This talk will be an in-depth examination of the investigation and exploitation process involved.

Bio

Jonathan is an information security professional working for ReliaQuest, LLC in Tampa, FL. His areas of interest revolve around red teaming, cybercrime, malware and threat intelligence.
Transcript [en]

We're gonna begin. So, hi everyone, welcome to my talk, Pwning Pwners Like a n00b. For some of you that are advanced, this talk's gonna be kind of pointless for you. There's gonna be a lot of really skiddie stuff, really entry-level stuff, but at the same time that's kind of the point, right? My goal is to show you that this stuff is really ridiculously easy, especially when people make it easy. So to begin with, let me start with some general disclaimers. Standard copyright text, but the important part to note is that anything in this talk that looks even remotely illegal totally didn't happen. It's all 100% fictional. This was all a lab environment, and any resemblance to actual persons is only because I am really, really good at Photoshop. Also, any views expressed are my own and not representative of my employer. So, legal stuff, mumbo jumbo, out of the way.

So basically I'm not covering anything new, right? I'm not going to drop any uber-leet exploits. Well, okay, I take that back, I'm gonna drop a zero-day, but when you see the zero-day you're gonna laugh, because it's that bad. I'm also going to go over how hunting works, right? Hunting is something that, you know, vendors sell. It's a big buzzword and people talk about it all the time. My point is it really doesn't have to cost you anything, right? You know, people will sell you tools like EnCase that cost, hey, twenty thousand dollars. You don't need any of that. We're gonna do everything with free and easy-to-use tools, and you can learn how to do all of this with just a week of education. And finally, the point that I'm going to stress many times across this talk is that operational security failures make an investigator's job really easy. I'm not going to sit here and condone, hey, go do illegal activity. I don't care what you do in your spare time, but if you're going to do something illegal, be smart about it. Don't fail at all, and you're gonna learn why.

No matter what side of the fence you fall on, there will be something relevant to you, right? So if you're more interested in blue teaming or incident response or, you know, monitoring as an analyst, there will be interesting points for you. If you're more interested in the offensive, malware analysis, penetration testing, red teaming, whatever, you'll hopefully glean something out of this talk as well. So you're probably wondering, who the hell is this guy that's standing up at the front and talking to us and looks like he's trying to act like he knows something? That's my Twitter handle, underflow. I work as a red team operator for a security firm out of Tampa, Florida called ReliaQuest. We do security research, we do a lot of red teaming stuff, we also have managed security services, so essentially SOC monitoring as a service. I'm not a salesman, but go look them up, because we're amazing. I'm a university student, I currently go to the University of South Florida. I'm a former slash semi-active member of the Whitehatters Computer Security Club, so any Whitehatters in the room? Oh, okay, it's cool. Ultimately I have a passion for literally anything related to security, right? Be it how a lock works to how to penetrate air-gapped networks, everything about security fascinates me, and I hope that you'll see this throughout the talk.

So to begin with, we're going to start with this background scenario of what happened, right? And we're going to start with a little discussion on ransomware. So raise your hand, everyone here knows what ransomware is? We all know it, I figured. So I'm not even going to read the definition, I'm sure you already know: malicious file encrypts everything on the hard drive and says, hey, you give me money. Awesome. Now there's a few typical infection vectors, but some of the most common ones are through email and malicious advertisements. Just so we're clear, I want to show you how bad these attacks are, and by bad I mean badly attempted, right? This is literally what a legitimate ransomware attack looks like. It's sent to a random blast of multiple people, there is literally nothing in the message body, and there is an attachment called part1.zip. That doesn't look suspicious at all, right? Not at all. So we open the zip file and we come across another file that says part1.js. It's a JavaScript file, and looking at it, it's heavily obfuscated. Now we could spend hours and hours trying to reverse engineer it and get it all back to plain text. Does anyone have any ideas on, you know, what that process would be, how you'd go about doing it? It doesn't matter, I don't really care. My point is I'm going to introduce you to the wonderful world of Google. That's it. Seriously, that's it.

The first result is a utility that I love to use called JSDetox, and essentially it's a malware analysis tool that uses static analysis, deobfuscation techniques and execution featuring HTML DOM emulation. To put it in English: it's stupid simple, stupid easy to use, and it reverses obfuscated JavaScript samples. Literally spend less than 30 minutes to set it up and you will analyze any malicious piece of JavaScript in less than 30 seconds. I know it says five minutes, but let's be honest, it's 30 seconds. It works like magic, right? What you do is you take the obfuscated code, use the laser pointer here, paste it in the top, then you hit that magical analyze button, and then at the bottom it prints plain-text, human-readable code. Really, really, really difficult stuff to do, we can all agree on that, right? So let's take a closer look. Well, let's take a closer look at the URLs that are contained within this JavaScript file. So looking at them, what do we notice about these URLs? Can anyone just throw out some ideas? What do you see that's special about them? WordPress, that's right. And why do we love WordPress? Because WordPress sucks and it's so easy to exploit. Anything else that we notice? What do they link to? Executables, and are they the same executable? Right on. So they all link to the executable, and most of them have WordPress, so we'll keep that in the back of our heads. But realistically at this point we kind of come to a fork in the road, right? Do we focus on the executables or do we focus on the websites? And ultimately it kind of depends on your goal, right? If I'm a blue team and a company hires us to do this, generally all they're really looking for is that we generate indicators of compromise, right? I want to know what's something I can look for to determine when a machine gets hit, that way I can just set it up to automatically block it. If I was an investigator, ultimately my goal would probably be to determine attribution. I want to arrest the guy who's running this ransomware operation. Or if you're a bit of an [__], and we all have that inside of us, we could go the route of trolling the troll, because it's kind of fun, let's be honest.

So that being said, we'll take a quick look, a quick lesson in malware analysis. Reversing is hard, I think we can all agree on that. I don't know assembly. I'm learning it, I hate it, it sucks, and ultimately I'm lazy. Hackers are lazy, we can all agree; being lazy is awesome. Now the great part about this is that there's tools that make all of this super easy. One of my personal favorites is Cuckoo Sandbox, right? If you've ever used malwr.com, it's the exact same framework. I prefer to stand up my own instance because it allows me to do configurations that aren't possible on malwr. I can use my own plugins, I can pull a lot more info out of it than I can with malwr.com, that and I don't have to share my sample with anyone. So going into Cuckoo, you can go there, download it, visit it later. It's a malware analysis system: just upload the file, it'll execute it in a sandbox and then generate indicators. And you know what the best part about Cuckoo is? It's free. So you upload the sample, hit run, and it generates indicators in about 120 seconds, right? I don't know if you can really make it out there, but here you'll see all the URLs it's talked to, and then any HTTP communications, all nice and readable in plain text. So we'll take a closer look at one of the HTTP communications that it made. So there's a website slash misc.php question mark, and then the parameter is essentially just an encryption key that it uploads to the website. There's multiple websites, so there was some redundancy built into the sample just to make sure that, hey, even if one of the websites went down, we can still get our ransomware out.

That being said, what else did we find running this sample through Cuckoo? Obviously it encrypts all the files on your hard drive, there's no surprise there, it's ransomware. It points you to a .onion server, which is located on Tor, so while we can see and visit the decryption server, ultimately we have no idea where it's at, because I'm not the NSA and I'm not the FBI and I'm not at Carnegie Mellon, so I don't have any way of decrypting the actual location of this Tor server. And each sample always does one thing first, which is check the user's external IP address using the same site, and they all reach out to something.php on all of the dropper sites. So since we know that all the samples reach out to the same external IP check, and that's the first thing that they do, we can pretty much generate an indicator of compromise that says if anything on your network visits this page, you should probably block it before you lose all your files. Fair enough. But now we're going to get to the fun part, right? The boring malware analysis part's over. We did the really lazy-mode binary analysis because, again, we're lazy and we're constricted on time. So we'll start looking at the actual infrastructure behind all of the operations.

Now since we already know that most of the droppers use WordPress, something we could do is break out WPScan. If you haven't used WPScan before, it's really retardedly easy to use: ./wpscan -u URL --enumerate vp,vt. It'll pull up all the vulnerable plugins for that WordPress website, it'll pull up all the vulnerable themes for that WordPress website, and it'll even link you to the exploits. That's awesome, because again, I'm lazy. That being said, because it's bigger than that, right, I could literally just DirBuster the sites looking for common web shells, and the logic behind that is most of the time these operations are run on compromised sites. People are really bad at cleaning up after themselves, so they'll leave shells behind. Why not just use one of their shells? We could start looking for a simple englishword.php. This is really easy to do with DirBuster. Some common names are setup.php, which, oh by the way, we found a file uploader. Awesome. Some other ones you could use, especially for WordPress sites, you always see wp-setup.php. Another common shell, c99, everyone knows about. Plenty of other shells. But we're going to take that file uploader, we're going to go ahead and upload our own web shells. Thankfully there's plenty of free resources online that you can use for shells. A personal favorite is, and I already forgot how to say the name, b374k. WSO, I see this one pretty commonly, it's all over the internet, widely used. But if you're using Kali, there's plenty inside /usr/share/webshells. Here's pretty much what it looks like now that we've uploaded it on our website.

Great. So we know all of the droppers reach out to a specific page to talk to the decryption server, so we're going to go ahead and take a closer look at this page. I don't know if you can see this here, but there's a variable that says $url equals, I know, I understand that I blacked it out, but that says .com at the end. Dot com, when originally the decryption server was .onion. It really shouldn't be this easy. It's completely useless if you link to the actual URL instead of linking to, like, a Tor gateway. Now I know where your server's at. Awesome. Poking around the websites, did we notice anything else? Aside from all having that same gateway, dropper, whatever you want to call it, they all have a folder that says /cache and then some random string of characters. Looking closer, you could kind of tell that it's got something to do with spam, still not 100% sure what it is yet, right? But we're just going to go ahead and take a closer look, only to find out, oh, looking through the code, we noticed they obfuscated the location of the C2 server using what? str_rot13. That is unbreakable encryption. If you use that, the NSA will cry, it's uber-leet. So for those of you that don't know, ROT13 is a very simple character substitution. I'm sure you can figure it out. There's no way we're going to find this server at all. At all.

So we're just going to go ahead and visit the server, and then, oh crap, we're blocked by a login screen. Now at this point I still have no idea what's going to be behind this login screen, right? I could spend hours and hours and hours looking for vulnerabilities on the website, just crunching time away on Burp or doing whatever, but again, I'm lazy, so we could just pop out Hydra and brute force the password. Now you can do both of these at the same time, right? Run Hydra in the background and then start looking for vulnerabilities. The great and wonderful thing about Hydra is that the weakest link in security is the human element, and humans are, we'll all face it, everyone's a little bit stupid. So when your password is literally 121212, it takes 30 seconds to get into this. You should probably use a better password. Probably. So we get in, and this is what the panel looks like. Anyone here read Russian? You? That's it? I'm sorry, I don't read Russian, most people don't. Look, hey, dynamic generator. You know how we make this even easier? Google Translate.

Awesome. [Music] So now we're in, and you know, I like to play around a little bit, so we're going to get real experimental with this server, start getting to second base if you will, right? So we're going to start playing with the functionality, and then we come across another page that seems to generate a file given some input. We'll take a peek at what it looks like. Right now I didn't put the Google Translate version up there, but essentially at the top you provide a block of text, you're supposed to provide it a key parameter, and then it'll insert a whole bunch of spam keywords based off of that. The second one links to other text files that are sitting on the server, and these are pretty much just lists of keywords, there will be one link per each keyword, if that makes sense. And then the last section is pretty much just the output file name that you want to use. So we start submitting things, and then this is just a hyperlink to our new file that got generated, which ends up looking like this. Okay, awesome. Now why is that special? What does this mean that we have on the server at this point? Realistically, we have write access on the server, which pretty much means we kind of have arbitrary file upload right now, because it's going to take whatever text we put in and make a file using whatever file name we want. We could probably upload PHP code, but the only issue is, out of the list of keywords, there's no file in there that only has one single line of keywords, so we need to ensure that whatever code we upload only executes once. Does anyone have any idea on what the best way to do this would be? You could, but that defeats the purpose. Even better, just use comment blocks, honestly, right? I start with a closed block for an HTML comment and then PHP comments, and it ensures that every other line of PHP code gets commented out. This ensures that whatever we're doing is only going to execute once.

So we upload our web shell, and if you, you can't really make it out, but in the upper left you can see our first little HTML comment block. It's really that easy. It shouldn't be this easy. Now we don't have root on the server necessarily, right? We're running with the web server permissions, but we'll go ahead and start poking around on the website. Turns out we come across yet another login panel. We owned it. So with the findings, we see the new login page and it looks like this. Now let's use inductive reasoning here, right? It really can't be this easy. There's no way this guy's that dumb that he used the exact same credentials for this login page. No way in hell. 121212, and we wait. I know. God damn it. So it worked, using the same passwords. Credential reuse, there's your vulnerability. But there's even more, right? We start looking at this new login panel, and I don't know if you can make it out at the bottom here, and I wasn't even using Google Translate at this point, but that string says "system by" an email address. Active shells at this point was 30,960. But that email address, though.

We start looking around on the site. We see it's a single web server, but there's many other URLs that will work. It basically has got, like, an nginx proxy, and then, you know, it serves up different pages depending on whatever domain you're visiting it as. Turns out there's a bug tracker located at track dot the-C2-domain dot org. There's also a legitimate website running on this web server as well, and by legitimate I legitimately mean legitimate. It's just a Russian car forum that operates as a business. Now this is getting a lot more interesting, but we're going to go ahead and just take a peek at the bug tracker real quick, and unfortunately 121212 didn't work in this case. But since we have access to the server, we could probably find a file that has hashes in it, which we did. Right there, there's an APR hash. Now the thing with hashes is that if I don't have a word list that has the password in it, there's no way I'm going to get into this, and since I'm not root, I can't edit the hash. Regardless, we're going to try our hand at cracking it. There's a great utility I use, hashcat. If you have a powerful enough video card you can use oclHashcat or cudaHashcat, depending if AMD or Nvidia. The fact that I have a 980 GTX does not hurt at all. Ran it through a word list, and the admin password ended up to be !q2w3e asd. That at first looks like a secure password, right? If you have a keyboard in front of you, look at the password. It's just a hand pattern. There's plenty of word lists out there that take stuff like this into effect, right? So you just pull some of these word lists down, try it against the hash, and then you're magically in. So now that we're in the bug tracker, and this is run through Google Translate, we start looking around, and it's the actual bug tracker for that legitimate car forum website.

The thing that I found interesting was we came across this part here that says team or engineer statistics. Now I don't know if you can tell, but this right here has a name associated with it: Sergey, our homeboy Sergey, as I like to refer to him, and that email address. Oh yeah, that's the same email address we just saw earlier, which kind of brings me to my next point, right, about attribution. Attribution is supposed to be really, really difficult. The NSA uses a technique they like to call third-party collection, and what that essentially means is that they log in and they find botnets on the internet, they take those botnets over, and then they put their own botnet hidden on that server. The reason for that is if their operation ever gets compromised, attribution is shifted from the NSA to whatever guy is running that botnet, right? The whole goal is that I'm placing the blame on someone else. Again, if done correctly, attribution is supposed to be very difficult. The only issue is if you want to feel elite and you want to let your ego get in the way, and then you put your email associated with things, or you're running illegal stuff at the same time as legal stuff that you have your name associated with, that's just a major OPSEC fail. Going back, we see "system by" blanketlive.com, and then Serg, our homeboy Sergey, and his email address, which is the same email address. No, that's not solid proof at all, right? We're getting close, but it could just be the same kind of case. But at this point we have a guy who's possibly associated with the legitimate website and the spam operation.

So we're going to talk about open source intelligence with Google. It's really hard to do this. All I had to do was take Sergey and Google his email address. Very difficult. This takes us to another website, another Russian car forum, which gives us, drumroll please, anyone? Oh hey, I know what Sergey looks like now, right? He's got a girlfriend apparently, he drives a BMW E3, he lives in, the city is given here, but he lives in the Ukraine. Oh, and I have his last name now. Okay, we're getting somewhere. So back on open source intelligence, now we have additional data points we can use, right? So we're going to do a little bit more OSINT, and can you guess what I did? Name plus the city plus the country. What do you think we came across next?

VK. So VK is quite literally a Russian version of Facebook, right? Now I didn't have to create a profile for this, this is all publicly available, and I know you guys see this all the time, you know, some of you may have kids that share everything on their Facebook profile and it's all set to public. Looking at the photo, you could tell he's probably a little coder in there. But VK-stalking this guy, right, I want to see everything that he's posted to this website, because he doesn't have the foresight to make anything private. So the first thing I come across is, yeah, homeboy Sergey was born in 1995. He's 20 years old. This is his driver's license, and he's really proud that he's now able to drive a car. So of course the first thing he does when he gets his driver's license is snap a photo of it, upload it to his Facebook and say, oh look, I can drive cars now. We're going to start going through a little bit more of his photos, and we come across this here, right, and you know, sometimes people have the need to talk about work on their Facebook. This still doesn't tell me anything, but we know he's familiar with PHP. This is all PHP code, and he basically makes a comment here that says, really, as though this plugin that he's analyzing is crap. But that being said, we know he has some familiarity with PHP. The great part about this was that everything else we looked at was all written in PHP. Okay, fine, still not 100% sure that this is the same Sergey, until we get to this photo, which is a kanban board. Right now I don't know if you can see the hashtags at the bottom there, but one of them is tagged hashtag the URL to that Russian car forum website, which is the legitimate website running on the C2 server. The next hashtag is "work", as in "I work here". [__] At this point it's pretty much solid proof that this is the same Sergey that we were looking at before, which is a massive OPSEC failure. Don't suck at OPSEC. It's just really, really, really bad.

So we're going to learn a little bit more about Sergey, because hey, Facebook-stalking people's fun, right? He loves to party. I mean, this guy goes out to clubs, he drives an M5, he had a hotter girlfriend before, but I was told I couldn't show that photo. His new one really is kind of, like, uh... He likes cats, and he takes a stereotypical photo of throwing money on the desk, and with his... I'm not even gonna go there, I'm sorry. So the best part was what he dressed up as for Halloween. The smiley faces just make it more creepy. I'm sorry.

So we're gonna touch a little bit on his massive OPSEC fails and some takeaways from this, right? If you're gonna do anything illegal on the internet, don't associate your real name with it. That's just not smart to do at all. The grugq always gives a great piece of advice: you use a different handle for every different operation that you're going to be doing, right? This has caused so many fails. LulzSec is a great example. You hack the CIA's website, right, but you never change your handles, so the next hacks that you're doing, and you're still claiming, oh, this is under the banner of LulzSec or this is under the banner of Sabu, whatever, you can kind of start doing pattern-based analysis based off of what this hack was similar to, since we know that the same individual was performing it. Also, you probably shouldn't run malware on your work server. That's like, come on now. And stronger passwords. I mean, there's things out there, KeePass, LastPass, why? Why? My point with doing this was: it was extremely cheap, right, and the hacking was laughable, ridiculously easy. None of it was hard. You can legitimately learn how to do any of this in a week, and I guarantee that goes for every single person in this room. The best part was everything was 100% open source and free.

That being said, here's my contact info. You can contact me on Jabber. If you hit me on Jabber, please use OTR, there's my fingerprint. You can follow me on Twitter, that's my Twitter handle. And here are some resources that you can use. Offensive: so as far as offensive tools, Kali Linux usually has a lot of really good stuff. There's other things hidden on the repository, but realistically the best tool in any hacker's toolbox is Google. I'd be out of a job if it wasn't for Google. You can pretty much get anything that you need on Google. As far as investigation tools go, guess what the first one is? Google. Cuckoo Sandbox, again, makes this ridiculously easy. JSDetox for deobfuscating JavaScript. And as far as OPSEC goes, I will really praise the grugq. He does a fantastic job at making suggestions or doing analysis on OPSEC failures. Read his blog posts, follow his Twitter, and just absorb the information that he puts out there, because it is really good. Now if you need a new identity, and as far as identity, you know, make shell accounts, right, for different operations, use fakenamegenerator.com. It provides you so much info that you have to do literally no thinking. You hit go and it'll give you a name, it'll give you an address, it'll give you a fake Social Security number, it'll give you an entire identity that you can build shell accounts based around. The last resource I'm going to talk about is Hemingway App, and the reason I talk about this is something that's called, like, language analysis, right? So if I write a piece of code, I tend to have my own personal unique writing style. As I write more and more code, or as I write more and more malware, even if I go and take into account, oh, I'm using different handles, I'm using different infrastructure, if the writing pattern is still the same, that's still something that an investigator can use. So take a block of text, upload it to Hemingway App, and the whole goal of it is to make a block of text simpler, so easy a fifth grader could read it, right, which essentially will change your writing style entirely. You can write however you want, upload it, change the code or change the text around, and suddenly it's no longer the same sort of style that you use. Does that make sense? So that's pretty much all I have. If anyone has any questions, hey, we have plenty of time for questions.

Nothing illegal. I mean, it's literally nothing illegal. It's not like it's going to give you a real identity or anything, it's just a block of text. Oh, I'm sorry, I'm sorry. So the question was, what were the legalities associated with Fake Name Generator? [Applause]

How did this hypothetical situation hypothetically end? There's a few things you could do, and again that goes back to what I was saying, it really depends on what your ultimate goal was. Hypothetically, if you were contracted by an organization to investigate a piece of malware, we found, you find the attribution of this guy, so you know who the guy is, but at the same time you also generated indicators of compromise. That's pretty much all you have to do. I'm not going to go to the FBI, because A, I really hate talking to the police, and B, I don't like dealing with police. So I'm going to leave that up to the customer that I'm doing the investigation for. Is it really worth their time to chase after this guy? Probably not, you know. Hypothetically, you could do a number of things at this point, right? Something that I would suggest would be to actually just, hey, keep your shell on this guy's server, right? Not only do you own literally everything he owns, not only can you steal money from him at any point in time, right, hear me out, hear me out, hear me out, the important part is the fact that you can actually monitor and see how these operations are going, right? So over time it'll evolve. He'll sit there and update the code, he'll put the new versions of dindor or whatever he's using, and you can pretty much just generate new indicators based off of that, and he will have no idea.

Uh, it's hypothetical, I don't know, as far as the laws that are going on from getting into an outside server. Again, hypothetical situation, doesn't matter. [Laughs] So basically, if you hypothetically get into the company's website, make sure to check LinkedIn to see if they work there, and then tag either your name, but "by" and then whoever works there, preferably a programmer, and then attribution problem solved, because you're just pointing them to see what he works there. And you go, absolutely. So the comment was, essentially, as an attacker you could literally just take someone else's email address and tack it on there. Sure, yes, that's completely true, and again that goes back to what I was saying, attribution is hard, and that's something you certainly should do, but that didn't happen in this case. Hypothetically.

Yes, the hypothetical scenario was, was there ever any thought given to basically loading ransomware on the web server and then... Absolutely, absolutely, absolutely. So the question was, hypothetically, would it be hypothetically possible to upload ransomware and encrypt everything on the server? And hypothetically I may have hypothetically thought of taking that same malware sample and encrypting all his files using his own ransomware, because that's just hilarious, right? Hypothetically. Any further questions? All right, this has been Pwning Pwners Like a n00b. [Applause] [Music] [Applause]