Itzik Kotler | Goodbye Data, Hello Exfiltration

hi everybody um I'm about to start my presentation thank you very much my name is Isaac kotler and I'm the CTO and co-founder of save reach and today I'm going to talk to you about exfiltration if you're looking on the past bridges in a few couple of years you can see that the the ultimate end game for the attacker uh oh yeah that's actually for the video not for the speakers here so I'll try to speak louder to uh to mix to make for that if you look on the past couple of years and and the different breaches that happened basically you see there is two end games uh for the adversary they can either go in into your systems into

your computers and Destroy something or they can go in and try to steal something now these are two objectives and obviously there's benefits so to speak for each one of these however the destructive path is much more uh point in time because once they'll do it they'll probably blow up their cover while stealing information on a long period of time is more profitable so you see there's more and more breaches where the attackers is basically stealing and when I'm saying stealing and meaning assets assets can be different for a different company it can be a credit card in one company it can be intellectual property at another or it can be a source code depends on the

company and the target there's a different methods so in this topic today in this talk we're going to talk about how you can exfiltrate these assets if we already assumed the word Bridge mindset and we know that the company that we're working for are going to test for is being breached then the right thing to go ahead and do is basically run a red team simulation of how such ex Association can take place so basically um the red team engagements for those who don't know what the red team is I'll do a brief kind of walkthrough about the idea the idea is that you're going to be going into a company or into an organization and pretend to be the

hacker you'll simulate what the hacker can cannot do within that company and you focus on an objective and that conversation there is going to be exfiltration so I'll be giving practical examples of how you can run red team engagements and basically exfiltrate assets from a company in order to see if a you can monitor that and B you can actually mitigate that

the rules of engagements here so let's assume that we have a company company X and that company has a database and in this database there are assets the company afraid that the hacker might try to go ahead and steal what we're going to do in this imaginary scenario is we're going to spin up a virtual machine in that database segment that machine is going to be a Ubuntu just a clear vanilla Ubuntu it can be depending on the engagement different type of operation system but for this exercise that's what I've prepared to talk on we're going to have a standard account on that machine so again imagine this is a database machine it's running on a

simple Ubuntu and we have a user we somehow infiltrate the company and let's remove ourselves all to the point where we have an account on that machine we don't have any compilers meaning that we can't compile any kind of back door or Tool uh so you're going we're going to kind of use delay of the land approach and we also also don't have any interpreters no python or Ruby here and it's already the only file system essentially meaning that we cannot make any change on the machine we have to use anything that's already built in that to kind of use that to extract the information back to our server can be in the cloud can be in another machine in

another segment anywhere but that particular machine the second thing that we'll have to do in this engagement in this exercise is to choose the assets that we're eventually going to try to exfiltrate um of course depending on the engagement and the idea it can be different types of assets I'll start with a credit card just as a generic one and during the presentation we'll switch and see how we can counter different assets and different ideas and challenges that might be accompanied with that so we'll start with the network acceleration meaning that we have a machine it's connected to some sort of a network and this is how we're going to try to approach taking information from

it TCP been one of the major protocols that's been used today and we're going to start with a number of techniques that will be leveraging TCP um as the underlying protocol so the first and a very basic example will be to leverage any HTTP browser or downloading utility that's be will be installed on that machine and surely enough we have wget which is a free software that is bundled with Ubuntu and basically by setting up a server somewhere in again can be external to the network it can be within the network what we can do from our uh red team machine for our database simulated box we can then try to go ahead and browse

into our server and embedded the credit card here is being marked as at the red in in the URL itself so basically what we're simulating is just the user trying to browse someplace and by chance or by accident also embedding the payload in it again it's a very simple method but yet it works like a charm um I'll do a quick demo of it to see how it looks like

so again from our oh actually it didn't switch to the other screen interesting uh wait I'll try to do okay now it looks much better I'll do some resolution fixing over here so basically um on the right side we have we've utilized the wget and we set up a sample or a very basic not even a web server just a socket listing on Port 80 and as you can see the result did that me on the server side I got the request and the test payload was actually transferred as part of it so again it's a very basic very simple technique but again very effective one okay moving on

the next example is also leveraging uh HTTP and wget but this time we're becoming a little bit more subtle in the way that we're transferring the asset so the previous example we've used the URL to kind of pass our credit card in it now we're actually leveraging one of the default options that wget allow us to do and it's basically specifying our own header to the HTTP request so what we're going to do is we're going to abuse the cooking mechanisms and basically create a fake cookie and in that cookie we're going to pass the credit card the payload the interesting thing here is because cookies has different types of shapes sizes and and length there is not there is no easy way

to actually determine whether it's a legitimate session ID or just a credit card or anything else that might be alphanumeric obviously Cookie by itself is is not the issue here there's other fields in HTTP such as the user agent the accept and the if not match to name a few that we can play on these to basically add our page surfing to our own website either outside of the company or in a different segment and by that we're passing the payload to another server

the next is a different example again different protocol what what we're doing right here is basically leveraging another built-in utility telnet but in a different way the previous two examples what we did was leveraging the HTTP to pass our payload now we're actually abusing a feature of a protocol so POP3 is a very simple protocol for retrieving emails from from servers and what we're doing is leveraging the fact that a it's a tax based protocol meaning that we don't to do any binary encoding decoding and like one of the first oh we can use the password field to basically push the payload in it now who's to say that my password can be this string or the other again we're

basically abusing the authentication mechanism of the protocol we're going to set up a POP3 machine in the cloud or again another segment and we're going to connect to it or at least attempt to connect to it and during the authentication we're going to pass the payload as a password so quick recap of How It's Working the telemet is a built-in utility provided in most Linux and even Windows platforms it basically gives the ability to connect to any host on any TCP Port second of all having a text-based protocol such as POP3 and the authentication is a process give us the ability to abuse the fact that we can write a mini client in manually and at

the same time abusing one of the faces to basically pass the payload uh in a way that won't be very easy to the defender to understand whether it's the real content or not of course it's not specific to pub3 there's a bunch of other protocols FTP can be one and HTTP authorization can be another one that can be abused to serve for the very same purpose foreign next we have a little lower level exfiltration again we're leveraging the telenet here as well and what we're basically doing here is abusing not a protocol by itself but that could the TCP protocol um by the look of it it looks like we're doing a bunch of connection attempts to

a computer which doesn't actually respond back and it may look like if there's an error or a problem with that but actually that's the whole point we're basically abusing the TCP Port parameter to try to split our asset to split our credit cards into a group of four digits and any attempt of this connection will receive on the other side obviously there is no service waiting but the effect that the scene packet will travel all the way to the other side just to see if there is any connection waiting will basically allow I'll ask the attacker to reassemble it back so it's a little bit more complicated on the receiver side to reassemble it requires a sniffer and

some very good timing to understand which of the connections are actually coming from our red team computer but the idea is that a bunch of telenet sequences can be then used to pass a payload and on the network element it's going to look just as an attempt to connect to a server that has my that has failed but on the overall picture it's passing the information using the destination Port parameter so the telemet again the built-in utility that has been provided within our vanilla Ubuntu deployment as well as other distribution the PC destination port which was a parameter that's been passed to the telenet application and by splitting the assets into group of four digits we're basically ensuring us that

we'll always be in the range of what's the actual valid scale or range of the TCP destination port

any uh quick questions on the TCP HTTP methods before moving on to the UDP yeah

yes of course of course you can monitoring these and the idea sorry well it's it's depends on the HTTP one it would look like um you'll see requests outgoing into a server and the payload will be here in the URL and over there in the cookie field on the POP3 example you will see an attempt of an email client of a sorts to authenticate but it will constantly fail and on the ladder it will be a bunch of thin packets being sent to a server or servers depends on how you set up the receiving end and the port will actually be the payload itself but it's always going to be very it's all going to be

able to monitor the network the idea is whether you'll be able to pick it up and understand that down depending on the vendor product configuration some will some some will not okay um let's move on to UDP um so one of the major uses of UDP in a regular or more normal traffic patterns is basically DMs and nslookup is a free utility again bundled with our Ubuntu and can be found on different a bunch of other different variety of platforms and basically one of the easiest thing that we can do is to go ahead and and use the query use the domain itself as the payload and by the DNS the DNS client to address our

own DNS server will guarantee to actually receive the payload on the other side so the scenario here is that we as the attackers um we'll set up some DNS server again can be in a different network segment or completely in the cloud we will then from our own machine our red machine will try to go ahead and look up different domains and each of these domain will basically include the payload and by controlling the destination of the server it will actually arrive to our own server um again it's simple it's straightforward but it's again works like a charm a more complicated or a more built up version of this is the uh real owning a

real domain using the subdomain option and using the name server I'll explain when register a domain when you buy a domain you get to decide what's the name server what's the DNS server that will basically serve as the alternative answer for that specific domain so you can go ahead and decide usually most of the companies that sell these domains also provide some sort of DNS services to complement that but you can go ahead and then decide that you want to host or be the domain server for your domain meaning that even without controlling the DNS server at the time using any DNS server eventually it will populate all the way to your DNS server because

you're then again acting as the name server for that domain so for instance I own the domain safebridge.com and what I'm actually doing here is um it looks like I'm querying a sub domain um of the payload.savebridge.com because I am the name server of saybridge.com basically what happens is that that that query will travel using the default DNS server on that computer it can be that specific computer or that company but eventually because none of these will have the answer it will populate to my DNS server and then I'll get the query and I can log it so it's a bit more complicated it costs money obviously it's very hard to pick people um and it's very it's working very

chaining and smoothing operation meaning that even the number of DNS servers chained together different another different of levels all eventually we will get up to the name server domain

there are other UDP applications that I want two examples but uh feel free I didn't explore them that you can use these again as a regular traffic coming out of the machine as a built-in utilities that you have uh on our vanilla Ubuntu machine and basically creating the server side or or faking a server side and using these applications to go ahead and extrate an asset from our um own computer

okay um any questions on the UDP methods

okay so um we're now moving on to another protocol icmp and icmp is very famous for the Ping utility which people are using every day to troubleshoot different network utility and different network problems and basically one of maybe the hidden features that ping includes is oh I have a paper here on the wget one of the things the thing includes is basic ability to embedded a pattern within the packet so usually when somebody pings a computer a pale of this being passed but it's usually either random or timestamps but the Ping utility actually allowing us to um sorry to combine up to 16 different bytes in each transaction so again we can set up a server

um outside of the network or outside of the company and creating a series of things where each packet can contain a number a single byte from our assets or it can contain depending on the size and the complexity the entire assets itself in this example one request one ping request was sufficient for us to pass the entire credit card um from in in one ping um okay okay up until now we've discussed a case where our asset was a credit card um and that was easy because it gave us two benefits by being an alphanumeric string it was very easy for us to fit it into existing utilities we didn't need any need for encoding obviously

sometimes for the red team engagement the resume simulation will be tasked or try to do something that will require a buyer like PDF and for that we'll need a way to encode it because not all the protocols will be able to pass it as is another element was that our credit card was relatively short string again making this very easy for us but in reality we may face that our assets that have been trying to been extrated are basically large and for that we'll need to split it um so we're going to change a little bit the initial Rules of Engagement from I'd be able to incorporate pattern to do have a python and there is python

installed in our Ubuntu so it matches our no our no installation policy so we have python the system is still read only meaning that we can still not write files or save scripts let's see how far we can go with both encoding and splitting um using python without writing any complicated scripts um on the way so um what you see here is three different separate one-liners um we'll go to the first one the first one assumes that our asset called secret.pdf meaning it's just the file obviously doesn't have to be a PDF per second be a movie anything of a question and what python will do in this one liner is going to basically read the entire file encode it

as an hexadecimal string basically means that the output will be completely alphanumeric and then we can go ahead and embed this or use this for the HTTP example that we started with DNS example that we've seen in UDP and even for the icmp example that we had up until this moment the second example uses base64 encoding again it's assumed there's a file called secret.pdf and what it will do is it will read the content and then call it in base64. in in a short base64 is an algorithm that ensures that is created to ensure that the output will be alphanumeric screen friendly so this is basically the way email attachments and file are being passed over text

protocols so we're using this very own algorithm that works for legitimate users for our own use to encode our binary assets and making sure it's going to be text friendly and the third is an advancement on the on the base 64. so it's important to understand that while we um some of the questions here were pointing toward products that may be able to encounter or detect these techniques um both the X encoding and the basics before are reversible meaning that it's very easy for a technology for a product to try to decode it and see if it's indeed an asset that shouldn't be passing along so one way again a built-in way to kind of try to encounter it is applying a

very simple um I would even call it encryption but a very simple Cipher algorithm called what 13 which basically plays with the leather um in a manner that actually shoots them in a manner that won't make it very trivial for the products to decode them it will if the product or specific knowledge will Point them to try to decode the road 13 but again it won't open on a regular basis 64 and it won't as a regular X decoding it will require another step and again it can allow us or challenge or start to allow us to challenge these different security controllers in our Quest try to exfiltrate our asset splitting so as we mentioned

um there's different types of payloads and they can be large they can be small if they're small good then they can fit in different categories but if they're large we're going to need to go ahead and split them into chunks and these chunks we can then operate on them past them and reassemble them at their server side once all the payload reach our server again we have um three different one-liner scripts the first um is basically just set up the uh stage we're going to use an X encoded payload so again we're assuming that we have an asset that asset calls secret.pdf we're going to open it read its all content encode it as an hexadecimal string the

next thing that we're going to do is we're going to split it and we're going to split to 16 bits which is a relatively a very small chunk that should fit into anything between the DNS query into a ping payload uh and we're doing it basically by using a regular expression a very simple one that Taps into a pair of each of the characters so if you can imagine um a letter like a will be translated into a 0x for one this regular expression will then and go ahead and capture each of these sequence of pairs of letters and will giving us an array a list of those so we can go ahead and create action or save it and then create

action for each of these uh individual payloads on our way to extrating a much bigger assets obviously this can be changed to create a different a different map 16 bits can be 32 if we add two more dots 64 if we add more and Etc and Etc it's also important to understand that this uh the resolution of going by bits and bytes here actually helps in creating these to be a generic way of splitting obviously if there is a specific payload that has Pat friends or something that makes more sense to split by it can be a space a semicolon anything that makes sense it can also be used here to create the different chunks

but obviously anything can be divided by bits so this gives us an overview function to how to take in any assets and divide it and do you emphasis the point of the delimiter again what we can see here that we can take our payload and splitted by specific characters here I choose an arbitrary pattern FF but again it can be any type of character any type of payload that makes sense and a split will give us a list of the different chunks and then we can go ahead and operate on these chunks individually and reassemble them back on the server side if you combine the example that we saw in the beginning the encoding example

and the splitting we can create a very interesting play and what we're seeing here is again is a very short script that basically takes an asset a payload and translate in into a series of directories on an FTP server it's very trivial if you're looking for ways to exitate information to use an FTP to upload an assets that's obviously the function of the FTP protocol however what we can do is basically create directories and these directories can then be a payload and the other side can then go ahead and reassemble all the directory names back into a file so let the script and see what it does it assumes there is a specific FTP server

again will be as the server side simulating that FTP server it then go ahead and can connect into these uh into the FTP server next thing it will open the assets the secret.pdf it will read the entire content and encoded as an EXA and then what it will do is for a series of um eight characters uh it will go ahead and capture these sequences and create a directory with a counter starting from zero so basically imagine it will say zero underscore and eight bytes and then it will say one underscore another eight bytes of the asset it will go again depends on the the size of the assets divide by eight it can go until it will

finish and then the interesting stuff is then on the attacker side on the server side we will can go ahead and connect the very same FTP server listed directories and by the order of the counter from zero till depending again on the size we'll then able to see all the chunks all the sequence and combining them together concatting them into one string and decode that string from hexadecimal will basically give us that file in the binary form on our site before moving on any questions about these techniques or this example

okay so in the up until now we've discussed expectation in the means of a network we've leveraged different utilities deployed on our Ubuntu machine to go ahead and try to connect to a server or a number of services depending on the configuration to pass them but excitation is not limited to network it can also be a physical issue so we can go ahead and explore one interesting Avenue to do it again we need to change the rules a little bit here in order to accommodate this example so first we have to understand that there are obvious ways to take information from a computer and obviously using Medias like City ROM or connecting a USB or thumb drive are all

very normal ways to do it but then ahead it's also a very easy normal ways to prevent from doing so so getting views of the table we need to be creative here the second thing is that we'll need to actually use a python script it's a little bit bigger program this time so we're going to bend over and basically remove the read-only file system again we're still having a Ubuntu it's still having a built-in python interpreter in it just this time we'll need to go ahead and download The Script so um obviously in the presentation you can then go clone this git directory download it I'll demo this uh to you right now but the idea is as follows

obviously we can modulate every single beat every single data into um sound into a signal and then we can use our sounds our microphone output or speaker output to basically capture that information and once we capture that information we can then go ahead and replay it in a different computer record that and reverse the process into basically beats again um it's actually a very old concept this is basically the way modem is working we're just taking a very automatic or algorithm idea and dividing it into a manual process so um let's see how it looks like

okay

foreign by having a message okay assuming this is the payload that we're looking to uh to extrate and the next thing is we're going to actually convert it into a sound and now this is basically something that I can play out and I'll I'll play it for my computer right now

[Applause] thank you

foreign

so the process that just took place the modulation of the information our message into a sound can then be uh played more quietly um through the sound card into anything from an iPhone or an Android or basically any device that's able to capture that sound and then we can go ahead and replay to another computer and then basically reversing that this process and get back the payload so as I mentioned this is this is not a New Concept at all and this is the way um computer networks has been operating um for years basically we're modulating the information and one side and we're going to demodulate it on the other side to bring it back

um a thing that needs to be noticed here is that as opposed to network communication that is actually using these techniques or different layers that is designed to handle anything from Transmissions to errors obviously in our very small POC there is nothing of this sort so the information can easily be um not 100 accurated maybe several copies needs to be made in order to ensure the Integrity however it's doable um usually for small payloads large payloads obviously the statistics is against us any um 3.5 Jack can be used basically to take the output and the input um from any standard laptop or an iPhone so there's nothing special here no special equipment that you need to do or

to run in order to make it work

that's it thank you