Tales of Red Teaming (Continuous Intrusion Continuous Deception)

[Music]

first of all thank you guys for being here we started very excited to give this talk hope you enjoy it my name is Aladdin this is a hole and we are from a three-team before I start basically just raise of hand how many red teamers are here in the room cool so we have almost 10 people here awesome so this talk basically is not just for red teamers so hopefully you guys all enjoy it so let me first share a few thoughts about red teaming before I start so we think about reteaming he want to basically simulate real-world attacks right as a Redeemer your goal is always want to take advantage of that and simulate that specific attack the

attacks are we're talking about attacks that are caused by human adversaries who actually manage and adapt right to bypass all your defensive and you want a other team or all the time you want to achieve you your objective right you want to have a realistic scenario you want to achieve and so if you work in a software company you're most likely will be hit by like a backdoor Rock software backdoor right if you are a hardware company for example you'll likely be hit by supply chain attack etc when you think about their teaming you want to perform your attack so with the minimum cost possible right simply because the attacker is not going to take an

expensive bath path if there is like a cheaper one available right so traditionally as security engineers we viewed the culture in this way where the attackers starts by doing reconnaissance they go all the way to do and shall compromise blah blah blah until they reach actually the the goal that they want to achieve but as an experienced Redeemer this is how actually we see it you basically have a goal and that goes always almost something that is not supposed to happen right and because in modern security or modern stacks you have multi layer of defense you've got the blue teamers or always right you've got everything behind to a PHA and also you have the production

trust boundaries you have Network segregation everywhere and this is all great right this is a typical organization graph which basically showing a network setup it has a firewall restrictions it has an IDs systems is very typical right it has various systems in corporate environment you know restricted paths to production and if an attacker wants to go and reach the high confidential servers he needs to work a lot right he needs to go and find first the low-cost path to reach a target and also he wants to pass all these modern technologies or modern the defensive technologies so we're using this set up as an example to show a different techniques of how an attacker might actually reach the goal obviously

there is lots of ways in which the you know the attacker might reach a goal what we're going to basically share with you guys a couple of power favorite techniques the favorite thing for all Redeemers what shells right so the first thing you're going to get do when you start reteaming get a shell in the organization right and you want your shell to be persistent but you know what the blue team to find you right so the reason for that is if you have this is a typical network corporate networking setup where you have basically a bunch of endpoints and you have the attacker who got a backdoor and these laptops we are rubber ducky we are like

spearfishing whatever the method is so the attacker will go and connect to his situ server right but if the blue team is watching they probably find one by doing forensics but you don't want if they find one to find the rest this case because we're using the same backdoor everywhere they'll probably find all your connections so what is the solution for this this is where we can introduce domain fronting and the holes gonna talk about that now alright so before I quickly talk about domain fronting I'll touch upon how a Syrian works and what the Syrian is so Syrian aka like content delivery network is basically a system of distributed servers that's used to serve content to the user and it's based

on geographical locations so content hearing mains like pages static files videos things like that so basically in a nutshell it speeds up delivery and helps with protection of like surges of traffic to origin servers it might also help with a small chunk of security maybe through apps or something like that but honestly as an attacker we don't care about all of this all we care about this this might look like a seemingly common set of domain names but there's one thing that links all of them together it's that it's all hosted on cloud front CDN so let's see the thing that little as an attacker you could somehow tunnel traffic through these domains wouldn't it be nice so that

brings us to this technique called domain fronting which is essentially tunneling your c2 communications via these high reputation domains and your traffic could be probably masked because it's tunneled through HTTPS so in super simple terms it basically means then that you're swapping in an attackers host header for HTTP traffic to these high reputation domain names like the previous like this how a typical c2 setup looks like and let's say you've altered on domain fronting on top of it this is how it would transform so the main thing you have to keep in mind is that you'll probably have two different domain names so in the TLS hello SSN I feel there will be your front double

domain and in your HTTP host header feed will be your redirector or maybe in this case your CloudFront distribution this mismatch is kind of touted as like featured by all CDN providers but it's kind of skipper guy thing I don't know but it's good to leverage the store advantage so all this looks good in theory but how do you apply this in practice and this brings us to this malware known as evil OSX it's an endpoint right for OSX so shout out to the folks who made this it's pretty neat this is we could use this for shelling maybe unlock boxes on the perimeter so and this was pretty nice and you didn't have to recreate

some piece of malware from scratch so essentially what we did was we made couple of enhancements to it so the first thing we did was we randomized the launch D label names and also the container names so sounds benign so this is mostly like services which look similar to your before services on Mac OS X we are at full domain fronting to it so anything from pulling a dropper till the final C to communication has done Y our domain fronting we do have a get like a patch ready so you just download the specific commit of hilo sex apply this patch and you're good to go also from another thing we did was a PR

script so you could set up all your infrastructure with it like all the underlying infrastructure you need for domain fronting so it sets up se two points a cname to the C two sets up your reverse SSL proxy sets of your let's encrypt so it sets up your cloud friend domain it does a bunch of good things so you as an operator all you have to do is just run this and you are good to go we do have a pull request on the way like we still have some cleanups to do so that will be soon this how it would look like when you bring it all together so basically let's say you have an unlock

box on the perimeter djibouti's domain fronting to pull your dropper script once that's pulled it would connect to another printable domain so there's no reason as in why we used two different domain names we are just trying to be annoying for the blue team like you could just do something Dominion so let's say it's connected to a front double domain then it connects your readers to your CloudFront distribution which in turn would connect to your actual c2 server so this way we have got full domain fronting and from a blue team perspective they wouldn't be seeing any direct traffic from your c2 to the victims MUX it will always be tunneled through CloudFront and obviously this should make it pretty

hard for them to detect you so right now we have a persistent shell but all the good stuffs usually behind 2fa and that makes us sad but there's a way to hijack to a Fae and that makes us happy so the first step here would be like clicking a user into authenticating so this could be like any way possible probably to spearfishing or some way like but V that will show you like an interesting vector so what do you think is wrong with this image yeah so basically there's a miss configuration and an incoming web hook on the stat application plus there's an small UI bug so you could basically impersonate anyone in the channel so

let's say like someone impersonates another person and like the attacker forced a fishing link this someone could click on it and throw in their credentials in like basically the point here is you could do some kind of attack and get a person to click on your fake phishing page just get creative so now the user visits your fake as so page they put in their credentials then probably they'll get redirected to the - of a page so now the user would be clicking on I push request this ver a bunch of interesting things happen so I'll show this from an animation point of view so this is where the victim is they'll probably connect to your site

after that the credentials goes to the c2 server the c2 server spins up a headless browser the credentials get passed from the headless browser and you login to the SSO site now this is in the exercise the headless browser would click on the push request so within a few seconds the user would get a push request on his phone and this how the code snippet of this looks like we'll be like publishing this code later on so now hopefully the user will be getting a push request they'll think it's coming from the realest I mean it's obviously coming from the realest so they'll approve it and now the attacker has a valid test so session and from the users point of view

there might be slightly annoyed because they'll get redirected to the realises of page but I mean we don't care we have a valid disassociation and we are good to go so right now our situation looks like this we have access to the PowerPoint environment we have access to a lot of juicy things like Vicki's code repos our emails ticketing system and what is behind SSO but we're kind of greedy and even more so desire to do some more things so for us to continue this attack where the attacker basically needs to achieve the objective here is a couple of things also to finish so this is where basically we bring up the topic of pipeline panitch so how this actually

works now the attacker needs a path to production now the attacker has valid as a sauce session in corporate environment but he needs to reach the production so in the typical CI CD pipeline you have the developer who commits code to get the code gets built and deployed to artifacts and those artifacts you deploy to production right basically everyone knows that Jenkins is great features to give give you shells right but why you stop there you basically drink is just one of the one part of the ecosystem that you know build production code so what about the packages that get deployed to production right are in there was really great target for the attacker what about the package

dependencies they give you a straight path to production what about how this actually works in real life so this is an example of cheery module it's NPM package it has six outgoing dependencies but if you think if you look at this carefully there's actually a lot of dependencies here huge tree what if they actually the attacker gets into one of these packages and backdoor them right and push them to production but there's a trick here let's see how this actually works so you have developer one and developer two and they completely have different pipeline push so the developer two gets the code also built and push to get and then it gets built and then deployed if you

notice here in this picture there is two different directories on the artifacts that gets deployed but the point here is it's normal for a higher version package to be pulled to production developers don't have necessarily to have access to production this is where the deployment gets from the production side this is an example of an NPM package the JSON file well if you see the carrot range is basically an attacker needs just to push a higher version and that will get deployed this is how it actually works so the attacker push higher version package with additional codes this called a backdoor it will override the package with that basically code it goes to the same process commit that code

build it and then push it now the attacker backdoor is actually in the artifacts once they're deployed all get basically the higher version now the attacker has straight path to production where his code is actually running a production imagine if you take a common package like that clone it and add a reverse shell to it isn't this a great idea to get shells everywhere probably the attacker will make it less restrictive by adding more checking and the backdoor itself by checking for example the host name so he can actually target specific servers cool so the attacker now has got access to production but still he has a few steps to get into the goal so this is what it

comes the unknown for the attacker the attacker has his code the backdoor is running and production but it's there's lots of ways that that code could be running and it could be running inside containers for example right like docker is a nightmare maybe not actually there is actually ways to get around that stuff so one way to basically escape docker is so the way the way darker works is basically there is a client that communicates with the daemon process using UNIX domain socket basically that domain socket runs as root so any process that can write to that darker demon socket also has root access so if the attacker is able to write to that domain socket he'll be

able to get a privileged access let's see actually how this works so I'll probably show you guys I don't know if you guys see this but the attacker will go and basically and so let's see this in a demo it's easier see the mouse okay there's a tricky all right so this is how it works so the this is a secret on the host the attacker is interested in reading and what happened is this is just to show an example that we're running with darker sock mounted inside the docker and then the attack basically is inside the container wants to escape and read that secret on the host the attacker needs to do something a trick

here where he needs to run docker inside docker so he can actually do the escape so the attacker goes ahead and installed docker inside docker and then once that completely installed the attacker will the attacker will go ahead and run docker marking the route host into the actual host and then changing route to the host and then running bend bash and then reading the actual secret and here's the Bob alright expected

all right so this is all right so okay so there is another way the attacker could actually escape docker if the capability dock that research is actually inside that docker container the attacker might use it so the doctor before 1.0 allows the doc research capability which basically grants access to assist call called grant by handle at this process this is called basically allows the your process to read sensitive files or sensitive data from other private privileged processes so let's see how this works probably don't want to show the demo again but this is act like like a high high level how this works actually so the attacker again has interest in reading the secret on the

host and this is just to show that we're actually running this with that research and then the attacker assuming that he's actually inside the container he'll go ahead and run a couple of commands such as this and then who will fetch a tool called or a code called shocker it's been known for a while use that charcoal to basically use utilize this capability to read cystic files on the host such as this one so I mean I could show the demo but too scared okay so now the attacker has find a way to basically escape docker containers right but there is also in the modern stack there is also other stuff right such as communities there is community

deployment almost everywhere now so if the attacker shall end up inside kubernetes what the attacker needs to do to get around that stuff so one possibility is to escalate privileges using service account talkin right so when if you're familiar with pods and kubernetes it's like a bunch of containers they're actually automatically getting a default service account token there's this service account token is used to access the couplet API and it usually gives a cluster level access and less like role-based access controls used code execution might be possible if you have basically if you can if we can't lead that talk inside the container so the way this works is you've got the attacker this is an example front we

were running just a part on the kubernetes and the attacker verifies that he can actually read the token and then the attacker will go ahead and fetch cube control inside the pod itself the attacker will go ahead and run the this command which basically what will do it will create a busy box container inside that pod if you pay attention to the privileged true and that's basically the trick of because that service talkie allows for privileged access by running this the attacker will be able to mount stuff on inside that busybox container and read the actual secret and the host this is all cool like with demos right but you can do it the other thing I want

to share also with you guys that the attacker also might might not basically find service token privileged so he can't basically use that attack so there is another way basically in kubernetes by default the couplet service lessons on tcp/ip port 10 to 50 there is no authentication or authorization on this and anyone can basically reach that port on the network if it's not restricted and execute commands so the way this works it's kind of interesting so the attacker needs to first find the actual node IP he can just run in map inside the container and then once the attacker finds the actual IP he will go ahead and list all the paths running he might be interested in

looking at specific secret information inside one of the containers and the second thing you'll do is he'll go and call that blanc command curl to get into the actual victim AB container and once the attacker excuse that command it gets a 302 redirect in to the domain to the WebSocket and that would socket the attacker basically used the other cur command to read the actual secrets from the other pod which he's not supposed to read by default should I play this demo yeah I'm gonna risk it guys all right so here we assume the attacker basically landed on a compromised app hope so they compromised AB now he's interested in reading the victim AB data so he will go

ahead and install a couple of things like curl and JQ for parsing the JSON and then he'll run this command so he figured out this by just doing an map find this port open he run this command this will basically dump a lot of information about the Copernicus deployment and but he's actually only interred enlisting the actual pods so he's interested in reaching that victim if you can see it and in the middle picked him up so he want to read some essential information from that up so he runs this command give it the victim AB and then and then run this command called environment variable which basically is going to list the environment variables

so he gets three or two redirection to this websocket he's gonna go ahead and use another curve command to read that socket redirection once the attacker runs that he'll be able to read the actual password and DB password in the top you see so the attacker now has more privileged access right now he got into also ways to read information that he's not supposed to read so what is the next step the attacker is gonna do well the next step is basically the attacker is gonna connect whatever information he collected secret password secret you know private keys whatever from each each host and then use it to SSH and do some tunneling to the proxy and then to

actual breach his actual goal with that he's cannon now Schmitt mission accomplished so this is like a small like journey story about how the Timmers might basically pivot from completely from outside into a very sensitive system inside the organization so what are the key takeaways basically don't trust completely to two-factor authentication you have always to have multi layer of defense you need to have your blue teamers looking at persistent shells they don't necessarily have to be a simple person shell could be used with the main fronting and that makes it interesting you need basically to trust you build systems but not completely because some attacker could actually backdoor any of these packages and have a straight path to production and

finally the the most the most important thing here too to mention is that you've got your comparative deployments and now it's everywhere so make sure that it's completely locked down and it's audited and and you're not exposing anything that it's not supposed to be exposed and with that I would like you guys I would like to thank you guys all for being here too and if you have any questions please feel free to ask yes/no questions oh yeah hi

they don't say say that's an abuse yet probably it's well-documented such shocker is fixed with the darker I think one the album's like one point zero but not but if you have this capability enabled on darker it's gonna work anyways if you have this capability dark research it'll enable even with Marlon darker installation you're gonna have this problem yeah so if that's added it will probably like privileged container missing any questions guys are there any more questions in the audience if there are no more questions was thanks our speakers again [Applause]