
Okay, ladies and gentlemen, we have our final speaker of the morning session, Andres Tevez, speaking with us about Offensive Rust Tales. Not too offensive, we hope.

No, definitely not. Okay, so I am happy to be here, and after the past two years behind webcams this is great. Okay, who else in the room participated in red teaming in the past years? Okay, at least one guy, that's something. Okay, would you like to execute my binary? Okay, that's good. So how many of you are using corporate laptops? Okay, some of you. Most of you use Windows, I assume, and do you use Office, like OpenOffice or Microsoft Office? If Microsoft Office, then this will be an interesting presentation.

Okay, about me: I am Andres Tevez, currently working as a senior IT security researcher at CUJO AI. I have more than 15 years of IT security experience in different fields: I was a developer, researcher, penetration tester, and I think many more things. You may run my code in production; if you use syslog-ng, for example, then that might be some of my code. Okay, I have done security research in the past 10 years, more than that, but it's rather hard to present at a conference if you are not called a security researcher. So when I was working at a bigger company like Morgan Stanley and I went to my PR team saying "okay, I hacked this and I would like to present about it", they said "no, please, no, please don't". So I changed, and now I am trying to present something.

The presentation will be mostly about red teaming 101, because we have only one guy who participated. That's great, it might be helpful for you guys. I will provide some details about when you should do red teaming, when you should execute it, what it is called, what it should look like, who should do that and of course why you should do that.

Okay, so a red team is a group of professional people, hopefully professional, and this is the key: authorized to do something like an emulated attack, achieve something, gain access to your systems. Is it familiar for you? So did you do something similar, like maybe pen tests? Yeah, it's similar. If you go to a pentester company and ask them to do something, they will focus on an application or a website or some mostly simple thing, and they will have limited time because you won't pay enough for them, so in most cases it will be 10 days or something, and one or two guys will be there or will help you. So time is limited, and the penetration test in most cases is rather noisy, so if you have a team who can detect, they will detect it if they are not sleeping.

Red team, on the other hand, is a bit different, because in that case you have those guys. So red team is more complex, because in that case you are not really focusing on generating as many vulnerabilities as possible in a network; rather, you are focusing on how to do it end to end and what will happen from the other side. So if you have a blue team (most of us don't have a blue team, but if we had one), then that blue team should detect an attack, and if the red team is good enough they can fight, and that could be interesting. So red team takes more time, it takes more resources and it takes more money as well, but it should be more silent than a simple penetration test. Maybe you have heard something about ransomware gangs; is it similar? Yes, it's rather similar, but in that case you pay much more and you lose some data as well, so not that serious.

So why are we doing this? I am doing this because it's fun and it's interesting and challenging. From a customer viewpoint or from the business viewpoint it's a relatively safe option, because you know who is coming, you can define a target, you can tell them "this is the service that you should reach, this is our Amazon production service, if you can reach that then we are happy, and please document what you did".

Okay, next up is the who. If you are a big company, then you should have a red team, so it's an internal one: you maintain that team, you pay them lots of money, and then they play with your network, and if they are good then they will kill the network and everybody will be happy. In Hungary the more realistic way is to pay for someone and search for a professional company who can do that for you; I am not sure if there is one in Hungary, but did you see... And the other question is, when should you do that? If your organization is prepared and if your organization is at least partially confident that they can catch an intruder. And by catching an intruder I don't mean grabbing his hand at the gate and then taking him away to a back room; rather catching them on the network, and if they are doing something like executing an unsigned application on your corporate laptop and then gaining other accesses, and you can catch that, then you are there, you should start a red team exercise.

So, BTW, I found this for my presentation when I was looking up documents. This is a great representation of how all the teams should cooperate in a network, or not in a network really, in a company. This is valid for a huge company, like Fortune 500, 14,000. If your company is, let's say, 100 people, then you definitely won't need this, or all of this, but you would need some yellow team. You know, yellow team: most of you are developers, so if you are a developer you are part of the yellow team. There are green teams, DevOps, SecDevOps, something like that. Yellow, that was okay. So orange team is basically training: if you are learning something about phishing, if you are learning something new, then that should be done by the yellow team, orange team. And I will talk about red teaming. Blue team is the opposite of the red team, they are trying to defend the network; if they catch you then you might get fired. If you have a paper that you can do that, you might not get fired, you might get a promotion. And the purple team is when you are mature enough and all your red teaming is willing to do blue team stuff and the other way, then they are merged into a purple team.

Okay, let's look at the typical attack scenario, how this should work. Normally we start with information gathering. If you have an internal team this is rather easy: you sit down and go and ask the users. If it's an external company, then they should go and look up data in their own way: so go to Shodan, DNSDumpster, execute port scans, go to LinkedIn, maybe you could go and try to get a job at the company, just saying. If you call HR, HR will provide you lots of information, like what systems are we using, what competencies are we lacking because we would like to hire someone, so we should not have that, right?

Okay, the next step is to decide how to evade and how to get into the system. In most cases, most companies are using emails or Slack, but email is more common because it's more integrated with the external world. So you might get an email. In the past you might have gotten phishing email protection training, like what you should not do: like click on a link, and don't download it, if you download it don't execute it, if you execute it then don't let it drive your show. Why so? Infiltration gets somehow into the network. Physical access: in the modern world, like, best from here, you can do physical access red teaming, like get into an office and use your lock picks and pick the office door and get into the office and see how you can get access to a server room. Normally we have a server room that's well protected, but there might be a back door, and that's what we are directly aiming for.

Okay, let's assume that somehow you did send in an email, or you did send in a link, and you have at least one user who was somehow asked to execute that binary we call the stager. The next part of the presentation will be more about stagers and how they should work. Okay, corporate laptop? Yes? No? I don't want to do that. So gain initial access: execute something. It can be a file, it can be a binary, it can be anything. In a Microsoft environment you can execute help files, and those help files can execute other binaries, or you can open an Excel file, and those Excel files could execute binaries like commands or PowerShell; you know, Excel is great in PowerShell. And if somehow you executed your binary then that's the last phase, then you are going for the target. Just an example: if you have a production system, and the production system is running on AWS, then the red team should get access to the AWS systems, like use VPN, but VPN is very protected, is it not, like security tokens, passwords and sessions and all the other stuff.

Okay, let's move forward. So as I mentioned, with sending an email the victim is somewhat known. We did our homework, we did collect his, I don't know, laptop; we know that he's running Windows, we know what components are running on his laptop, like we know at least the antivirus, maybe we know the version, maybe we might know the firewalls, if there are any. He downloaded the binary or stager, and then here we must bypass some protections, like if you download something from the internet the browser is telling you "don't do that, don't execute it, no no no", but you are executing it because you would like to do something, you would like to update a system. So if I, for example, call you by phone and tell you that I am from, I don't know, an antivirus company and I will push you an update, and this update is rather important because if you don't execute it then your ships will die, or, I don't know, your apes will be lost, that's better, you will lose your apes, so you execute it. The execution will download something from the internet, that's the red team. In my case, in this later demo, I downloaded Pupy, and I will dub it "poopy" later, because it resonates better with how we should use that application, so it's poopy and Pupy. And also we have a component called HiddenVNC, but my, sorry, whatever, so let's hide them: VNC behind that, connect to me. HiddenVNC will be interesting at the later stage. HiddenVNC is rather similar to VNC: you can get access to a computer and you can run applications on that computer. The good thing is that you can see the output of that application but the user can't, so you can copy things and execute browsers; you will see the browser window but the user won't see it. You will have the same session, and with that access you can access anything in the browser, like cookies, tokens, SSO; if you have passwords saved in your browser, maybe then that's also there and it's also accessible. So that will be the demo later.

Let's get back to information gathering. Here I would like to provide some details from my investigation on how to discover valid users in a system. I ran into this, I tried to report this, but nobody really was interested, and after, I think, two or three days ago I discovered that this is well known. So it was just new for me, but it's interesting. So, information gathering. Do you know Microsoft? Yes, yes, we know. And do you know Azure? Most of you are using, I assume, Azure AD, maybe Microsoft Office from the browser. How are you authenticating to that? Yes, it's OAuth2, and OAuth2 is great because it's integrated, all the users like it, they can get in without providing new passwords, so it's a great thing. This is a window: if you are trying to log into Office you will see this window, and it depends on what data you put in. If you use your private email address it will show you something; if you use your corporate email address it will show you a totally different thing. And there is an authentication backend for this, and the authentication backend decides based on many things: like you provide an email address, it has a domain part and it has a username part, and it will provide you details about that specific user. So if you send something to these endpoints, then you can figure out what the email is: is it a valid email address, you might get login with that, is it logged out, is it throttled, maybe; you'll see it later. So you set an email address, you get that window, and you might get a simple login window if you are keem@g-something-something; you might get this window if you are keem@d-something-something-something, hopefully nobody knows this window. Okay, try to remove as many features as possible, and there are interesting places: when you provide one email address you might have different authentications for that, so you can authenticate directly and you can authenticate with a federated authentication. This is rather strange, I didn't know about that.

Okay, let's see what's behind. So there is an API called GetCredentialType. If you type in your email address you will see those, like we will know that you have a certificate authentication param, can you authenticate with Facebook, can you authenticate with FIDO, Google, is there a password at all, and we can... oh, Microsoft did remain in, okay. So if you go down you see much more stuff, like what branding information is there, what logos the company is using in an email. So imagine a case that you would like to send an email, a phishing email, and you don't have the logo for the company: here it is, Microsoft stores it for you, you can download it from the cloud and then you can use it. I think this is great for phishing. And I would like to highlight this: here is the most important part. If that's zero, then we are okay; if that's other values, then we are more okay.

Okay, let's see some great animations. So we have two things: we have federated authentication and non-federated authentication. Federated in this case means that someone else is doing the real work and Microsoft is just interfacing with them, and then Microsoft creates a token and you can use that token. There are token... click, click, click, okay. So depending on your domain you will get a federated URL, and the federated URL will do the authentication. This is not really important for us, because we need to go to the federated endpoint and figure out some data about the users. But if you are not federated then there is an ExistsResult value, and let's assume that we have a random string in our email address: that ExistsResult value will be one. If we have a valid email address then the value will be zero. So what happens if you would like to figure out an email to attack, or to figure out a victim's email? Yes, you try three, four times and then you will get an email, and there is no authentication happening here, so you can basically ask a thousand times, a million times; maybe at the million you might get a throttle, but that's it. There are also other values here: there is one for throttling, so if your authentication is throttled then that value will be two; if there are some errors then it could be minus one; four and five and six are for federated authentication, or it might be federated authentication. Is this similar? So did we hear something like this in the past, like a web application, and if you go to a web application, provide your email and type in a random password, and then what happens? The application tells you "okay, your password is wrong but the email seems to be okay, so maybe try some new passwords because you might figure it out", or the other way. Like, normally we should tell the user here "go away, something is broken, we don't know what" or "your authentication session did not happen, try again", but definitely not telling anybody that it's a valid user in the specific domain.

So, infiltrating infrastructures. Infiltrating, this might be interesting. So as I mentioned, we sent in an email, and in my case it was a simple email, and the victim downloaded the binary and he executed it because he was instructed to do so by his boss, by someone. What happens in a system if you execute... first let's start from downloading. If you get an email and there is a link in that email, you would like to download something, so go there, click on the link, and Chrome and Edge will tell you that it's an exe, "don't do that, don't execute it", but you will, because you are people. If you have a huge binary, like more than 65 megabytes, I think, then the browser will simply ignore it: if it's an exe, who cares, it's a big exe, so we don't scan it, let's go through.

Okay, next up: Mark-of-the-Web. Have you ever heard about Mark-of-the-Web? Okay, some. If you download something from the internet, most of the browsers will use alternate data streams to store info about that data, so it will be marked as external data: it's from the internet, mostly it's from the internet, so it's not safe, please don't execute it. SmartScreen might yell at you "don't execute it", but you will execute it. Those Mark-of-the-Web marks are interesting, because if you download a zip file and you happen to use 7-Zip, then 7-Zip is not really using Mark-of-the-Web, so if you unzip something from a zip file, 7-Zip simply drops the Mark-of-the-Web and you will be safe, because you did the unzip. The other option is that you simply use an ISO file: you download the ISO file, it's a huge ISO file so we don't mark it, and the ISO file itself is marked by the Mark-of-the-Web, but if you click on it Windows will happily open it and mount it, you will have a virtual CD-ROM, and no Mark-of-the-Web in the virtual CD-ROMs, so you can execute binaries without any yelling.

In my case the small disk footprint is 1.2 megabytes, so it depends; if it were a virus then it should be much, much, much smaller, but this is a small footprint. My application is doing some data gathering, like figuring out what user is running it, which domain it is running in, so if we are in the proper domain and executed by the proper user then we are happy and we will download components based on those. If you are somewhere else, like you are executed in a sandbox, those sandboxes won't have the proper domains, so the application won't execute. This helps us target a specific attack, and it will also make the life of the protection, so the blue team, much harder, because normally they won't have any details about the attack: they will have a binary that's downloading something from somewhere, but if they don't know specifically the username and the domain then it won't be downloaded by them. So everybody is happy except the blue team.

Sandbox evasion. Please raise your hand if you have seen a sandbox with more than eight gigabytes of RAM. Okay, okay. Have you ever seen a sandbox with four CPU cores? Okay, might be. Can we detect these values, like is there an API to query it? Yes, sadly, but there is. So those two values can bypass mostly all of the sandboxes, and that's it. As I mentioned, I will have plugins, I will talk about it later. A plugin in this case is a simple hex binary. I could encrypt it, but basically I used HTTPS, so I don't have to encrypt it again, but we could specifically target it for the user, and based on the username and domain we could encrypt it as well. So if someone downloads it, there is no key really, because the key is based on the environment; the key is not in the binary, so if someone is looking at the binary they won't have that key. One of my plugins is the VNC implementation. I should definitely switch off the Wi-Fi. So HiddenVNC is great for accessing browsers and other applications, we'll talk about it later. And as I mentioned, we have multi-factor authentication; you know, if you use multi-factor authentication, like two or three or four steps and biometrics and other stuff, what will be the end of an authentication? What do you have, some ideas? Like hash, or cookies? You will have a cookie, right? Do you store those cookies in the browser? Yes, okay. So what happens if we copy the browser's profile and then re-execute it in another process? We might have that data. Yes, okay.

So this was a short introduction so far, and let's talk a bit about Rust. Rust is a great programming language. From the reversing viewpoint it's rather hard to understand, it's doing stuff rather differently. Its main advantage is that the code is ugly and the binary is ugly as well, so if you try to reverse some other programs this might get interesting. It has a static binary, so if you compile something it will be a bit bigger than
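The Mark-of-the-Web propagation gap described earlier in the talk (a zip or ISO downloaded from the internet whose extracted or mounted payload carries no Zone.Identifier stream), as an added Python example that is not part of the talk or the speaker's tooling: it parses the stream format browsers write and lists extracted files that lost the mark their container had. The sample stream and file names are constructed; `read_motw` only works on NTFS under Windows, where the stream is opened as `<file>:Zone.Identifier`.

```python
# Added example (not from the talk): parse Mark-of-the-Web (Zone.Identifier)
# streams and flag extracted files that lost the mark their container carried.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample stream, as a browser writes it next to a download.
# Zone ids follow urlmon.h (URLZONE_*): 0 LocalMachine, 1 Intranet,
# 2 Trusted, 3 Internet, 4 Restricted.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/tool.iso\r\n")


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def untrusted(self) -> bool:
        # Internet and Restricted are the zones SmartScreen acts on.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> MarkOfTheWeb:
    """Parse the INI-style body: [ZoneTransfer] with ZoneId and optional URLs."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("no ZoneId under [ZoneTransfer]")
    return MarkOfTheWeb(int(fields["zoneid"]),
                        fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read the ADS from NTFS (Windows only); None when the file is unmarked."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def find_unmarked(container: Optional[MarkOfTheWeb],
                  extracted: Dict[str, Optional[MarkOfTheWeb]]) -> List[str]:
    """Extracted files that lost an untrusted container's mark (the 7-Zip
    and mounted-ISO gap from the talk); empty if the container was trusted."""
    if container is None or not container.untrusted:
        return []
    return sorted(name for name, mark in extracted.items()
                  if mark is None or not mark.untrusted)
```

Pointing `read_motw` at a downloaded ISO and at the files on its mounted drive, then feeding both into `find_unmarked`, reproduces the gap the talk describes on a real machine.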