
BG - Getting the Data Out Using Social Media - Dakota Nelson, Gabriel Butterick & Byron Wasti

BSides Las Vegas | 21:13 | 13 views | Published 2016-12
About this talk
Breaking Ground, BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

[inaudible] Dakota Nelson, Byron Wasti, [inaudible] okay, and [inaudible], my good long-time friend Byron Wasti. Gabriel Butterick grew up in Tampa, Florida, attended the University of Florida for two semesters taking a variety of courses in software writing and biology. After he transferred to the Franklin W. Olin College of Engineering he has completed two semesters with his focus being in software design. Dakota Nelson is an engineering student at Olin College in Boston as well, and an intern at Black Hills Information Security, who do pen testing, yeah, and he has previously developed software for the DoD, [inaudible] and DARPA, and is, you know, probably someone you'd rather hear talk than me. And Byron is also studying Electrical and Computer Engineering at Olin, so, you know, you're probably going to want to send your kids to Olin after this presentation. Put your hands together for our speakers, thank you. [Applause]

All right, uh, can everybody hear me? All right, good, sweet. All right, so this is you: you're a really good hacker, right? You're here at BSides, to make an assumption there. You're also responsible, standard disclaimer, etc., etc. So one day you're sitting around feeling manic, you know, you'd really like to go pop some boxes, so you find some hapless Gibsons out on the internet and you do, boom, they're yours. All right, so at some point they're calling back to you for whatever reason; they're trying to exfiltrate some data, they're trying to call back for commands, for whatever reason, and something stops them, right? I'm going to call this a firewall, although it's probably more than a firewall: it's probably an IDS, probably firewall, proxy, the whole package, right? But firewall's easier to say. So something stops it and you're upset, and you're trying all these different techniques, right? You try all the classics; by the time you get to DNS tunneling and it blocks it, you know you're dealing with something pretty good, right? You try maybe encoding the data, and just none of this is working at all. But you're still a really good hacker, right? Of course, you're at BSides. So you start looking around the network and you see people using Twitter, and you see people using SoundCloud, and you see people using Tumblr and Google Docs, and this gives you a really cool idea, and that's where we come in. We don't actually have a logo yet.

Oh, so basically what we're trying to do here is exfiltrate data over social media. So this is the team of six, we're all Olin College students just outside Boston who have been working on this. Unfortunately three of them couldn't make it, so you're just stuck with the three of us. All right, so one of the big things that we really want from this talk, sort of as speakers, is feedback from you guys. So if you do have the time, if you're willing, we have just a quick survey: it's like, what do you think of this, would you use it, what should we do next, is it interesting? Otherwise please feel free to ask us questions, come up, talk to us; we'll be here for the rest of the con. What we're trying to do here is build a tool that's useful for the community as a whole, and like I said we're students, so what we really, really need is feedback from you guys as to what's most useful to you, or what you want to get out of it, so we can build it as best we can.

So one day we're sitting around, we've done a CCDC, we bombed horribly, which, big thank you by the way to everyone who puts that on, it's an incredible CTF, and we had failed really badly at it. We're looking for another project to come back on, so I emailed my boss John Strand over at BHIS, like, you know, John, there's a small group of students here, we want to work on something, what should we do? And he just emailed back "social media backdoors", just a three-word email, and we ran with it. So while we're talking about it, Black Hills Information Security, I'm an intern there; it's a really cool company, they do really good pen testing, they actually paid to fly me out here, so big thanks to them. If you're looking for pen testing, good, come here. Anyway, all right.

All right, I'm going to tell you a bit about what the Sneaky Creeper is. Actually, first and foremost it is a data exfiltration framework. For the most part it uses social media to move your information in and out; you can use it for C&C, whatever your heart can desire. It also does encoding, a variety of things. It is really flexible and adaptable, so like maybe you're in a network and Twitter is your first choice but it's not working, it's blocking you for whatever reason, and that bothers you, so you want to change to something else. It's really easy to do that: just a few keystrokes in the command line and you're working with something else. Also, maybe you have a preference for what encoder you want to use, it could be... or be something else. Oh, sorry. You might have a preference for what encoder you want to use; maybe you like one of them, maybe you like all of them, that's perfectly acceptable. It's really easy to just throw that into the command line and everything will be working exactly as you want it to. It's really easy to add to, too. So we're not perfect, we don't have all the social media or legitimate websites up there already, and maybe you want to add your own; maybe you have a perfect idea for something that'll work for your particular job. We've made the framework really easy to add to, it's really well documented, and it'll do basically anything that you need it to do. It'll take you maybe like an afternoon of concentrated effort to get things working and you'll have exactly what you need. It's compilable to a binary in Linux, which is really helpful, but it only works from Linux to Linux; we are working on getting it to work better for Windows. Um, it's entirely written in Python, so we haven't done any terrible things to you like change up the programming languages midway through. Also Python is a really easy to understand language, so points for that.

All right, testing. So there are two main modules that we have with this setup: channels and encoders. Channels are where or how you send the data out, like Twitter, SoundCloud, Google Docs, and encoders, actually, I'll go through those later. Um, so here we have: you read the data into an encoder, you put it through a channel, it goes to the internet, Twitter, SoundCloud, whatever we have, you retrieve it, and then it pops out the data. Um, we have another graphic of the same thing, a little bit nicer. So the channels that we have right now, that we have built up, are a file channel, Tumblr, Twitter and SoundCloud. So the top three you'll notice are all text-based channels, but the bottom one is kind of cool just because it's sound, so you can encode the data in sound, upload it to SoundCloud, you can play that sound, it sounds terrible right now, I'm working on that, but then you can download it later, get the data out, and you're good to go. So the encoders that we have right now are RSA encryption, base64 encoding and steganography. Steganography is mainly in place for sound and image stuff; we'd like to get imaging in later as well.

Uh, all right, so the current status of the framework as it stands right now, and like I said this is actually a framework, it's designed to be really easy to just sort of throw new modules in as you encounter the need for it. Current status is second Death Star, which is to say it's not done, there's big chunks missing, but the giant laser, the core of it, works just fine. So we'll actually show a demo in just a moment here, but you can actually successfully transfer data across. Hopefully this will work.

So here's a demo of using the SoundCloud channel. Um, so here's a bunch of data I'm going to send out through SoundCloud, kind of just random data that I put together, and here I just copy-pasted the code, or commands, that you need to upload it to SoundCloud, and here I open up SoundCloud, slowly, it's all very slow. Um, so SoundCloud takes some time to process the file; I skip through all of that, um, just because you don't want to watch and, like, wait for SoundCloud to be done processing. So it's done processing, here I type in the commands to retrieve the data, which I sped up because it's kind of annoying to type it all in, um, and it's going, and it's going, and there's the data. And it was all kind of hidden, steganography, all in SoundCloud; if you played the music it sounded terrible, but, um, yeah, that's the SoundCloud channel. [inaudible] Yeah, basically the text there was encoded into an audio file and then uploaded to SoundCloud, so from sort of the network perspective it looks just like someone uploading regular audio to SoundCloud, sort of nothing unusual going on there, but then on the other side you're one command line command away from pulling that data out, extracting it, and, you know, data exfiltration, commands, going in either direction you want.

All right, so this is a quick demo of the Twitter module. As you can see, you've got a lot of information in that command line; that was just me sending a little message on to the Twitter account that we have set up. So you can see there's nothing new there, going to refresh the page real quick, and then suddenly new stuff is on there, and it's all gibberish and nonsense because it's in base64. But now I'm just going to quickly enter, or make a minor change to, the original line to make it receive the data instead of sending it, and of course not echo anything, and it'll pull down the latest tweet in the timeline, which is "hey BSides". That's gone? Yes. So fundamentally just the whole idea is that it's really easy to run your data through any number of encoders you want: to be encrypted, then base64 encoded, you can do that in the opposite order, you can do whatever encoders you have, chain them all together, toss it up on a channel, and then pull it down on the other side and automatically run it through those encoders in reverse to pull the clear text data out.

Yeah, so this technique has been seen in the wild just recently, actually, a Russian APT group, HAMMERTOSS. They had a system retrieving commands from legitimate web services, sounds very familiar; obtaining commands via images, we don't have that yet, but sounds very familiar; and uploading files to cloud storage services, which we kind of have with Google Docs. Um, but so this type of stuff has been seen in the wild, and this is actually a FireEye report which is like six days ago, so it's very recent; it's like a new type of attack vector that we're trying to bring attention to.

All right, so we're gonna try to finish this out with just getting feedback from you guys. So we've built so far sort of a proof of concept, a little shaky; it's a framework, it's a proof of concept, right, and we're curious as to where we should go next. So again we've got the survey right up there, right in the corner, if you want to go to that; we'd love as much feedback as we can get from you guys. So we've got a couple ideas in mind for the future of this. One of them is just push-button data exfiltration testing. So we basically got a client and a server; you're on the client on whatever compromised host you're trying to test, you're on inside the network, you check the boxes, say I'd like to test all of these different methods of data exfiltration, and then it tries them all, and out on the server, the server registers which ones worked, which ones didn't, and, you know, prints out a report for you, boom, done. Rather than having to do the manual sort of data exfiltration, like, well, can I email it out, hmm, well, can I open an outbound socket, well, can I do... so sort of a one-stop shop for doing this sort of testing that's easy to add to and easy to change. Versus sort of a full-featured implant, think more gcat here, like we just saw not too long ago, more of an actual implant that's sort of made for doing very offensive penetration testing, versus the sort of broad-spectrum exfiltration testing above, versus maybe there's a third option we're completely missing here. If there's any third-party tools that anyone knows of that we can integrate into, sort of ways to actually turn these communication channels into more than just a channel and into sort of a fully useful package, we'd love to hear about it. So we have a couple ideas in mind, but we're looking to you guys to figure out which way we should go next, and as well, sort of, now what, even if we stick with it as we've got right now. So what modules do you guys want to see, what services are out there that are real cool, what sort of encoders are really useful for you guys, which sort of things have been known to get past firewalls, past DLP solutions in the past? We're looking for these kinds of things so we can roll them in. Like we said, it's really easy to add new modules and we'd love to keep adding new ones and making this more of a fully-featured framework, so whatever feedback you guys can give us is fantastic. So if you're interested in going and grabbing it, it's all up on GitHub, it's under active development, there's a couple pull requests open right now and we're always happy to see more. So it's completely open source, go take a look, we're working on some really cool stuff as the next steps, so we'd love to have as many eyes on it and as many people using it as we can. So if you're interested, there it is.

If you have any questions, I think, yeah, there's a microphone in the middle here that should be live. Anyone, at least one question, please; otherwise I have to put down in the form that there were no questions. There we go, and they lose their scholarships. [inaudible]

When you were exfiltrating the data, were you creating the Twitter account, or was it already available, for employer-employee?

So you do have to create an account on whatever service this is. I don't know, it's kind of hard to see in the very small text up there, but basically when you run the command you have to specify three things. The first one is just which encoders you want to use, the second one is which channel you want to use, and the third one is just a JSON configuration string, so basically it says, you know, for Twitter use this username and here's an API key. Yeah, and for SoundCloud it's basically the same thing; here is, you know, here's the username, here's the password and here's the, you know, the one file that you want to go find. So yeah, you do have to manually create the accounts right now. We can't really automate the account creation process because it turns out Twitter doesn't like people creating accounts automatically, but that's a relatively easy thing to do because Twitter wants to make it as easy as possible, and then from there, you know, you can use it to your heart's content.

So on Twitter, so the limit is really small; even if you are encoding, you'll not be able to exfiltrate tons of data, so how do you plan about that?

So what we actually do right now is, so Twitter's 140 characters, we reserve, I think it's the first ten characters from everything, for sort of a miniature packet protocol. So basically what we do is, however much data you feed in, we chop it up into the size pieces that fit into that channel, and basically when you write a new channel, there's a parameter you specify that says, like, this is the maximum text length of this channel, and it just cuts it up into those size pieces, appends a little header to the front of it, and then puts it all up. And then when you go and grab it on the other side, it automatically pulls down all of them, reassembles them and prints them out as one full package again.

So I didn't want you to lose your scholarship; I just have a couple of quick ideas. Oh, one of them, would you consider, so a lot of us use something like TextSecure, where it doesn't actually do SMS/MMS encryption anymore, rather [inaudible] data; would it perhaps be a good idea to maybe consider encoding it for use by, download by, TextSecure, perhaps using Google Voice or Skype, since that's really common in the workplace? Oh, also I have another idea: since you said it compiles to a precompiled binary, maybe it would be a really good idea, in order to make it look like a more legit binary so that IDSs won't pick it up as easily, [inaudible] whatever it's running.

Sounds good. So you're saying we should basically just encode it over a VoIP stream and then send the voice stream to a server on the outside, that way it looks like any other phone call? Yeah, it looks good, all right, it's a good idea, I think.

Have you guys thought about any defenses against these kinds of communication channels, and how would you defend against it if you had, like, a social media platform?

Well, usually there's a normal or natural amount of data flowing through any of these channels, so you can watch that, be sure that it's not fluctuating, because if it suddenly goes from like a few megabytes to like 500 megabytes, you think maybe somebody's moving something that they're not supposed to. Also you could just straight-up strong-arm it and blacklist websites that could be used like this, or probably also whitelist, just because there's so many of these different websites; like, basically we can build a module for any website that lets you put data up to it and then get that data later, which is a lot of them. So yeah, like he said, just watching the signatures as it fluctuates. It's a little harder for command and control, because there's not a lot of data there going across; honestly, unless you're one of the content providers, unless you're Twitter or something, I'm not sure, to be totally honest.

What would you do if you were Twitter?

So one of the things, currently something we don't have yet, is intelligent sort of rate limiting, or jitter in there, rather. So right now what it does is it just goes right up to the rate limit and then sits and waits for a little while and goes right over the rate limit again. So things like that, where there's just sudden huge bursts of activity, are maybe a little weird and worth looking into. We haven't really done a long-term test on our accounts yet to see, if you do suspicious stuff for long enough, if Twitter will find you. But I mean, the account that we've been using for Twitter testing has been running for a while, and we haven't used it for any kind of large scale, but like we've been testing with it here and there and nothing bad has happened to it yet. And then you're also making the assumption, right, like maybe even if Twitter catches it, any of the other platforms might not; that's one of the problems here, is there's just such a breadth of things available, even if one does a good job catching you the others might not. Cool.

Oh, yes, [inaudible] multi-channel? I'm sorry, do you have multi-channel capability built in?

So we don't yet; that's one of the things we're looking into as far as integration into further tools, is sort of a spectrum of, you know, specify multiple channels and send fragments over each. Right now you basically just have to say, like, all of this data goes to this channel, this data goes to this channel. It's easy to script; again, it's just a single command line, you just echo data into it, just pipe it in, so it's pretty easy to script, so you can do it manually, but we don't have anything built in for that yet.

What's your message size limit for SoundCloud, and have you thought about also using photo sharing sites as your place to dump your data?

Yes, so the message kind of limit for SoundCloud is really just how big the sound file is; I can't remember off the top of my head, but SoundCloud does have a limit to how much you can upload, 180 minutes for the free account total. Yeah, so once you've uploaded something, you have to delete it in order to upload more once you've hit 180 minutes, but you can upload a ton of data via SoundCloud. And we are looking into image stuff; that's what I really want to get up and running, I think that'd be fun. Yeah, image stuff is definitely on the way. One of the problems with the image-sharing sites is they usually compress your image when it goes up, so if you do some sort of steganography into it, once the compression process is done it's really difficult to extract out. So something we're looking into is to see if there's any that don't compress, or if we can find some techniques that are resistant to compression.

Just a suggestion for exfil from corporate networks: a lot of the time all of those websites will be banned, but you can always get to the internal Microsoft Outlook Web Access server, so that might be an interesting one to look at; also maybe using Outlook Web Access in a way that's not obvious, like rather than just sending emails, like, say, creating calendar entries and then deleting those calendar entries and then checking those.

Excellent, okay.

Also what I would find interesting is if you could do a bidirectional, like, standard in/standard out channel rather than just messages, so if you could have a standard in/standard out channel, you could run SSH through that; you know, it will be slow, but if you could achieve that through any of these channels, that'd be interesting, that would be awesome.

Yeah, so one of the weird things is it's asynchronous: you put it up there and they have to check it later. But yeah, we're not sure whether we just do periodic checking and then sort of try to stream it through like that, but that is a good idea, we'll look into it.

Do you have any type of checksumming that you're doing for data when you're putting it up or taking it down, like for SoundCloud? My biggest concern would be accidental compression or mistakes, because they do some compression or streaming; I'm guessing you haven't run into that yet?

Yes, so SoundCloud, it's interesting: if you try and download it just from SoundCloud it does try to compress it, or if you try and play it. You can strip it just from the header; I do this like a [inaudible] request thing, a little janky, I don't know how long it's going to keep working, but you can just get the full, it's not compressed at all. But yeah, definitely, I think looking into kind of getting a hash-type system so we can do checking on it would be good. Yeah, yeah, that's a really good point and a really good idea.

[Applause]
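The two defensive signals the speakers raise in the Q&A (an upload to a social media site that jumps from a few megabytes to hundreds, and post activity that runs straight up to a rate limit in bursts rather than at a human pace) as a small detection script. This is an added example, not code from the talk or from the Sneaky Creeper project; the proxy log field layout and every sample line are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hosts treated as "social media" for this example (assumed list).
SOCIAL_HOSTS = {"api.twitter.com", "api.soundcloud.com", "api.tumblr.com"}

# Constructed proxy log lines, assumed layout:
# "<ISO timestamp> <user> <method> <host> <bytes_out>"
SAMPLE_LINES = [
    "2015-08-04T09:00:01 alice POST api.twitter.com 1200",
    "2015-08-04T09:05:12 alice POST api.twitter.com 900",
    "2015-08-04T10:12:45 alice POST api.twitter.com 1100",
    "2015-08-04T09:02:00 bob POST api.soundcloud.com 3000000",
    "2015-08-04T11:30:00 bob GET www.soundcloud.com 0",
    "2015-08-04T13:00:00 bob POST api.soundcloud.com 4000000",
    "2015-08-04T15:00:00 dave POST api.soundcloud.com 500000000",
]
# carol: 15 small posts four seconds apart, the "right up to the rate
# limit, then pause" pattern described in the Q&A (constructed).
SAMPLE_LINES += [
    f"2015-08-04T14:00:{4 * i:02d} carol POST api.twitter.com 700"
    for i in range(15)
]


def parse_line(line):
    """Split one constructed log line into a dict (layout is assumed)."""
    ts, user, method, host, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "method": method, "host": host, "bytes": int(nbytes)}


def social_posts(events):
    """Keep only uploads (POST) to the watched social media hosts."""
    return [e for e in events
            if e["method"] == "POST" and e["host"] in SOCIAL_HOSTS]


def volume_outliers(events, factor=10):
    """Flag uploads far above the per-host median upload size."""
    by_host = defaultdict(list)
    for e in social_posts(events):
        by_host[e["host"]].append(e["bytes"])
    baseline = {h: median(v) for h, v in by_host.items()}
    return [(e["user"], e["host"], e["bytes"]) for e in social_posts(events)
            if e["bytes"] > factor * baseline[e["host"]]]


def burst_users(events, window=timedelta(seconds=60), threshold=10):
    """Flag (user, host) pairs with >= threshold posts inside one window."""
    per_pair = defaultdict(list)
    for e in social_posts(events):
        per_pair[(e["user"], e["host"])].append(e["ts"])
    flagged = set()
    for pair, times in per_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):   # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(pair)
                break
    return sorted(flagged)


def analyze(lines):
    """Run both heuristics over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {"volume": volume_outliers(events), "bursts": burst_users(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

The volume check uses the per-host median across all users as the "normal amount of data" baseline, so one very large upload does not drag the baseline up with it.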