
All right everybody, it's nine o'clock. We're gonna see if we can get this show on the road, and so welcome to BSides Knoxville, the 2018 edition. And our first speaker here today is Michael Haag, and his title is, appropriately enough, [Music]
Morning.
Everybody have enough coffee? You guys hear me okay?
Awesome. Good morning everybody, my name is Michael Haag. I work for an organization that's Red Canary, and I'm @M_haggis on Twitter. I recommend not googling haggis right now, maybe after this talk; I don't want anybody getting sick. Been with Red Canary since 2016. Before that I worked for a Fortune 150, and then kind of before that I worked at an MSSP doing detection, threat hunting, all that, so pretty much leading up to where I am today. Red Canary focuses on endpoint detection and response using Carbon Black Response and CrowdStrike Falcon, and so all of our detection capabilities are built around those tools, and we find all the kinds of bad things that way. So
today's talk is on Atomic Red Team. This is an open-source project that we made to help organizations test their security stack and their solutions that they have, and so more or less we're just going to go over how to test EDR solutions, how we propose testing it against the MITRE ATT&CK framework, and then just different parts of the tools to help test that. Has anybody heard of Atomic Red Team? No? This is great, awesome. So we've all invested tons and tons of money into security products, whether it's the next sandbox or next email gateway, all types of things down to the endpoint. We're buying new AV products every other year because new AV products have new things that are
next-gen and ML and AI and unicorn pixie dust. So our current state, right, is we buy lots of things, we put lots of controls and policies in place to try to prevent all the evils. We assemble Voltron: we tried to build this cool security stack that we put a ton of money into. Hopefully it will evict APT when that time comes, hopefully it'll detect APT when that time comes, and then we walk away from explosions, you know, or we do disaster girl where it's just like explosion, we're granting that it's all falling apart, Voltron. So how do you feel about those products today, right? You got a lot of security tools, you got a lot of security; are you
confident that a lot of it actually works? You know, I hear about all these recent breaches, we see everything going down all the time, our data is being stolen left and right, lights are changing. Are we actually confident that these things are actually working? And we believe it's working as it's intended to; we were told it was going to, and, right, we bought the marketing that there was this detonation feature, does every type of product, file extension, puts it in a sandbox, gives you this cool sweet report, but APT still gets through and you just hope that everything's there and it's working as intended. So hope's appealing, not a strategy. So how do you know it's
actually working? It's pretty simple: you test it, right? So you probably went through like some kind of evaluation with this product, you ran it through its paces, hopefully it was preventing everything, found all the evil stuff. But a lot of organizations don't have like a standard, like, operating procedure about how they actually test products and what they do to confirm their stack is actually working effectively, and constantly evaluating their detections or making sure things are being prevented as they kind of come out, all the new types of techniques come out. So obviously the standard of testing approaches here is we have our vendor-supplied test, and this will be like a stacked test where it's like, hey, download
this malware from our website, you'll just execute it in a VM and we'll detect it and we'll let you know on our dashboard. It was like, that's awesome, that's great, it works every time, right? Because it's pretty much rigged; you know, might as well just pay him to do that all day. You have your in-house testing, which may or may not be the best. You might just go on VirusTotal, download a bunch of ransomware, and you execute it, and then it detects it or prevents it. Hopefully this works most of the time. And that's where a lot of Atomic Red Team came out; like, the core foundation of Atomic Red Team was we were doing evaluations at Red Canary,
customer or eval come in and say, hey, I want to test you guys. Like, oh awesome, they have a red team, you know, they got an in-house team, maybe security team at that, they're gonna do more than just execute malware. I know these guys, right? Hoping they're gonna break out like BloodHound, do some PowerShell stuff, download some Mimikatz, try to go do some lateral movement, do some cool stuff. They end up just running ransomware and it's like, oh cool, a DS top number one thing, you know. And that's where it was just like, I'm over the AV, you know, execute the malware, see if anything catches anything, does Red Canary detect it, you know, and just kind
of goes on and on. And so Atomic Red Team's whole purpose was, let's change that, let's do something different, where you can actually give an eval customer or prospect something they can actually do, and it's not stacking the game in any way. It's an open-source project, and so what we're saying is, here, take the different techniques from MITRE. Has everyone heard of MITRE ATT&CK by now, once or twice? So, you haven't heard of MITRE? We'll hop into that in a sec. I'm jumping too far ahead, I'm so excited. So your common approach outside of the vendor stacked game is your annual pen test. You got your annual pen test that rolls through, pen tests your environment.
You know, you have some kind of problems with it, which is your standard, you know, we're meeting compliance checkbox: we find the cheapest pen test that we can afford, bring them in, they blow through our environment with a Tenable Nessus scan, drop the nice eighty-nine-hundred-page report of all the vulnerabilities in your environment. It's amazing. It could be expensive, right, if you get a really, really solid pen test: internal, external, phishing assessment, all of that, lots of money. There could be scoping problems: can we get domain admin, are we allowed to touch certain web servers, don't touch those, there's customer data, there's PHI, there's all this fancy stuff going on, we can't let you guys get
anywhere near that. And then of course not all teams are created equal; you know, you got the Nessus, or what John Strand calls pen test puppy mills: they just kind of rotate through Nessus scan, ship reports, very basic. And so that's kind of where, like, the really, really solid red teams come out that are out there, or you just call hacker man or wait for China to do it, whichever. So solution, another solution: maybe just build your own red team. Kind of the hard part of that is it has its own challenges as well. You either got to build up internally on your own, hire a bunch of guys to come in and learn, or who have done it previously.
You might end up with the team of like six guys and you have like a very small organization, so it may not be completely effective and most cost-effective for your whole organization. Even the largest organizations out there have very small red teams, so it's still something that's being built up out there. And so building it versus just running a bunch of malware, it's almost kind of like two different things, right? Which leads us to why Atomic Red Team was formed. Again, so outside of the occasional poorly scoped pen test and rigged POC testing, many orgs simply do not regularly test their solutions, and that's the beauty of Atomic Red Team, and that's what we
always try to push and recommend to organizations, is making sure that you're constantly testing your security stack. Is your AV working as effective as you hope it is? Is that new perimeter firewall, UTM, whiz-bang gadget on the perimeter actually preventing things as it comes in? Or even egress: are you able to get the visibility of things leaving your environment or posting out to random websites out there? It's all about that visibility with detection. So we need an ongoing, iterative testing solution, something that you can actually measure objectively, and then has a very low barrier to entry. And pause for dramatic effect; I already talked about it, so: Atomic Red Team. So it's open source like I mentioned; the
idea of it is supposed to be very easy for anybody to go in and say, I want to be able to test my whole security stack from end to end using MITRE ATT&CK. So you can say, all the way from the delivery all the way down to command and control, I want to see each stage in my environment of how I have my detection built. If you have an MSSP or if you're using an outside provider, this is a great way to actually see, if they do things in your environment, how do they actually respond. Are you getting an alert for a new scheduled task? Are you getting alert for abnormal situ, whatever it may be in your environment? And the
way we made a lot of these tests is super simple: like, just go to the website, go to the GitHub repo, copy and paste, drop it in on a box that you have access to and that you're approved to run it on, run it, see what happens. Did anybody alert you? Are any of your products firing off? Is anybody doing anything about it? So MITRE right now is probably like one of the hottest topics out there today; everybody's been building on this. We started this project last June, I believe, now, so we've been working on this and adding things to the framework as much as we can as well. So MITRE ATT&CK, back up a little bit
about what MITRE is, we had a couple people not on it. It's a treasure trove of adversary TTPs. It's mapping, but also knowing group behaviors. The neat thing about it is you're able to go in there and see like APT32 and understand that they run PowerShell, regsvr32, they set up some kind of persistence on the environment, and they perform whatever other activities. And that's kind of the nice thing about MITRE, as it gives us that visibility. Can you guys see that? Like, I'll come down here, but you can see over here on this side, which is probably here, right, this is all the pieces where MITRE ATT&CK has been mapping out to. So we have our
persistence, privilege escalation, again all the way down to command and control. So the focus is down on that post-exploitation area where we're now having visibility into, which is really neat. And the way we did it with our Atomic Red Team framework here is it's on GitHub, it's under Red Canary's page, Atomic Red Team. The way MITRE broke it out was they have Mac, Windows, and Linux, and so we built out all the use cases under each of those folders here, Linux, Mac, and Windows, and each one of those is an actual matrix, the MITRE ATT&CK matrix. And we went through, we built out each one of these different pieces so that literally you could go and have that low barrier of
entry: copy and paste that, execute it, see what fires in your environment. It sounds so simple, right? Like, just copy-paste something, drop it in. Most of them are that easy. There are some in here that require like a, you know, maybe a C2 server on the other end just to get that full kind of, like, end-to-end visibility of what actually happens. But yeah, you see Dynamic Data Exchange; that was a really popular Excel, Word DDE exploit and all that. So little things like that are in there, which is really neat, makes it very effective, super simple. And so the whole idea again was to have low barrier of entry: you're able
to go in and test your environment, make sure that sandbox actually works. You can do small targeted tests; you don't have to wait for that annual pen test all the time or, you know, pay a bunch of money every other year, every year, whatever it may be, but you're able to start testing yourself for different techniques within MITRE. If you want to focus this week on persistence, you can just go down the persistence line, you know: do we have visibility, do we have our detections, are we looking for this within our SIEM, or is our other product pipe pieces actually helping us here in these areas or not? And that's probably one of the most important things, right:
are these things working? And also give back and help organizations out there get started with these things, have better testing methodologies out there for seeing and proving out these products. Thought I took this one out. So the origins of Atomic just started out, again, just as something where eval organizations can actually just run through and test Red Canary. This is on my GitHub page, it's under bookish happiness if you wanted to go look at it. It wasn't mapped to MITRE back in the day, which was why we moved to that today, because it's a lot more effective and everybody understands it, has that singular language we're all able to talk. So next couple slides I'm
just gonna break down a couple pieces of MITRE ATT&CK and the actual techniques. So this is technique 1117, this is regsvr32. There's an AR way over there. But any of you guys ever see any of these types of attacks out in the wild with an AV or anything, EDR products? Is anybody looking for this? Awesome. This is where it becomes effective: you can go on the website right now, it's Atomic Red Team GitHub repo, check out 1117 under execution, regsvr32, and you're gonna be able to run this quick command, copy-paste it. You have two options within the repo: there's a local command of it and there's also an external one, so you're actually able to
pull the payload from GitHub or you can just run it locally on the box. And so in this particular case, what we always try to do for everything within Atomic Red Team is we want to be able to break this down and show you different pieces where you can actually build detection around it in your environment. So in this particular case, regsvr32 is running on every Windows machine out there; it's super noisy, executing stuff all the time. Looking just for that isn't going to be the most effective way to detect this type of attack. Maybe you could do it on the command-line switches, /s /u /i; maybe just grab scrobj.dll; maybe it's going to this
weird website, right? Look up the network indicators: is it hitting a different port, non-standard ports, is it going to a domain, is it just making a network connection in general, which regsvr32 by its very nature does not do that. And then that module, scrobj.dll, all of that is very fishy. Casey Smith found this, I think a couple years ago now, maybe two years now. Anybody know who subTee is on Twitter? Oh yeah, okay. So he found this; if you've been following him for a while, he's been pushing this one around for a while. So that's where this comes. So within that matrix for Windows, under regsvr32 execution, this is exactly
what it looks like on the repo. You can go in; if you just pull the repo down to your local box, you can execute it locally like this, or if you want to download it, you can do the remote here. And so one of our examples that we have is you could just use PowerShell, download the SCT, and execute it that way to regsvr32; it's really powerful. And then the payload, the SCT file's down here at the bottom. So we give you a very basic example of the payload; it'll just pop calc. So is anybody monitoring for calc execution in their environment? And so using Atomic, the way we see the lifecycle is you test
your technique. Did you actually detect it or not? Do you have, you know, the pieces broken out, you have the telemetry from it? Are you building and tuning your detection capabilities? And this is a complete cycle: you either do or you don't have visibility for all these things or some of these things. And so the idea is that you're continuously testing; it's a full loop all the time. And so that's the objective of it, and it makes it very easy to just do one, confirm, and just kind of keep going down that line. Anybody have a Mac fleet in your environment? A couple Macs out there? Cool. So I left
this one in here 'cause I thought this was cool. This is AppleScript on all Macs, and this is technique 1141 within MITRE, and it's input prompt using AppleScript. And so specifically this is the piece pulled from MITRE; if you go to MITRE's web page, they give you the full details about endpoint input prompt, how AppleScript works. On this side over here you'll see the platform, what part it's under, so the tactic is credential access, what data sources you actually need, and that's a pretty important piece to collecting this telemetry. So in this case, user interface and process monitoring, and the process for AppleScript is osascript, osascript right
here. And so this particular technique, this is again from the repo, it's just prompting the user for their password. So if you execute this on your Mac box, it'll prompt the associate for something. And so like in this case, here's the input prompt right here; the full script is right here at the top. So this is one way to run it, and this is how we have it in the repo: you just copy it, you paste it, you'll get a prompt on your Mac. Again, is your product out there detecting that input prompt on the endpoint side? Do you have visibility into weird prompts happening on endpoints? So in this particular case, you know, I need your password because we're
doing software updates today, thank you, and everybody's gonna enter it, right? So that's how we roll. And then another way you could do it, actually, just breaks down a little bit of the pieces here and broke into Carbon Black Response, you can kind of see it. Is anybody using Carbon Black Response or CrowdStrike Falcon? We should drink every time I ask a question. But so in this particular case, osascript, that -e right there is probably one of the more important pieces when you're running osascript. If you have a Mac fleet, look for osascript in your environment; it may or may not be very noisy depending on the apps being used.
It's launching System Preferences, and then there's your password piece. This comes from Empire, this whole piece right here. So the Empire project was ported into Python and then they made it just like for Mac and Linux; you can go hog-wild with it. So this is one of the nicer ones that they had in there. I believe in the project itself, password is spelled incorrectly, but we always see people enter it anyway. So again, iterating through your testing: so that was very basic osascript, call it, execute it. Another one here too, which you can't really see too well on the far end over there, but it's actually just calling it through shell command, so very simple, just sh,
echo the whole same command there. So again, another method to see if you can actually detect this. Some organizations might just do like wildcard something, looking for password on the command line; that's definitely one way to do it. It could be very taxing on a SIEM or even Carbon Black. So always be testing is the one thing to walk away from here, ABT. So one thing that we started getting feedback from the community was, we want automation: how can I automate these, you know, simple copy/paste, drop it in? How can I make it faster? How can I just run a bunch of things at once versus just copying and pasting and do one by
one test? So we came up with this thing called chain reactions, and the idea of a chain reaction is taking multiple techniques across the tactics from MITRE and putting them together and just putting it in a batch file or a PowerShell script, and it executes it. So it'll just go through, simulate a bunch of weird behavior or activity in your environment, and you may or may not have detection ploy. So the quick way to generate a chain reaction is, what I always do is I just pick a couple different techniques across all the tactics and I just say, I want to do some discovery, if I got some credential access let's throw it in there too, I
want to do some scheduled tasks or do some type of automated collection and then do some basic exfil. Whether exfil doesn't always mean, you know, taking it off out to the Internet to some Chinese website; it could also just be compressing data and storing it on the box, staging it for exfil. So all those things, I just want to make it happen in one bang; I don't want to deal with copying and pasting twelve things at once. So again, here's the MITRE ATT&CK matrix. So what we're gonna do is account discovery, file deletion, we're gonna do some system security discovery, and there's our data compression and encryption, and change the size of it or slice our zip file up in multiple ways
after we all your doc files. So very adversarial simulation-based, right? You guys find this pretty useful? He's gonna go home and play with it all night. Yes, love it. Then you're gonna do a pull request, right? Awesome. So this chain reaction's called Plutonium; on the repo it's under Atomic Red Team, artifacts, chain reactions, and this one's Plutonium. Very, very basic. We always try to start off with everything, you know, don't execute evil stuff in your environment unless you have permission, and then below that begins all the fun stuff. So in this case what I did is I just said, well, pop on the next slide, that's where all the magic happens. All right, so here it is, Plutonium. So this is
just the raw piece of it. Here's my persistence, defense evasion; this is my scheduled task, which you cannot see over there. I'm scheduling a time, naming it Atomic Testing, and then I'm gonna have it run regsvr32. I'm gonna download the content from our GitHub repo, which happens to be that SCT file, and so it's gonna schedule that job on this box, it's gonna do evil things, it's gonna be pretty cool. And then the next one down is discovery: I'm just having it actually download a bat file that I created, which is called discovery.bat. To make it super simple, discovery.bat has like 80 things of discovery, all the techniques, so net user, net localgroup,
net all the things, right? It just goes down the list, runs wmic, just executes hog-wild, like just wild, wild stuff. The piece you can barely see over here is, after this, after it downloads and runs discovery.bat and goes crazy, it will then add a user named Trevor with the password of smashed burg one two three, and then it will add Trevor to the local administrators group, and then after that it says, you know, echoes, hey, that was real fun, you know. So now you get to go back and try to find all that data in your environment. And I always try to break it down; you can't see the scheduled tasks one over there, but
looking for these types of things in your environment, and this is the power of using a product, like a simple tool like Atomic Red Team, is now you're able to say, do we have visibility into our scheduled tasks across our Windows fleet? Do we know who's doing what out there? And it's pretty generically busy and kind of noisy at times, but if you filter out the noise you get down since weird things like this. Are you looking for HTTP that are being scheduled in that? Are you looking for, in your proxy logs, people downloading from raw.githubusercontent.com, and then also executing regsvr32, scrobj.dll, all those types of things, down to, you got people executing
PowerShell, they're running DownloadString from GitHub again, and they're dropping weird bat files from the internet, because we all do that for fun. And then we've got to figure out, once they made that file mod, what's the output look like? What are they dumping, right? Actors will dump all their data to a text file, it's password encrypted, and ship it out, slice it if they need to. And then, yeah, are you monitoring users being added? So you got lots of pieces of telemetry going on here. One of our other chain reactions actually just downloads Mimikatz. So again, did my sandbox alert on that? Did it execute it? How do I know Mimikatz
is being brought in? Was I alerted on any of this that's happening out there? One of the reasons why I like this one is you may get a tip-off just based on that scheduled task from some of your standard alerting, or even that PowerShell command, but the ones that people don't really alert on or monitor a lot is the adding the user and adding a user to local admin group. There's other chain reactions I created that are heavy focused on discovery: literally just looks for users, runs a bunch of discovery stuff, and then it downloads BloodHound at the end and it runs BloodHound across your AD environment. It dumps the files on the
file system. Most of it's so noisy that people don't want to look at it in their products, and that's the power of using something just like a batch script or a PowerShell script, it's nice and easy. So the next thing we did was, well, let's take a report from Mike Mannion, like an APT report, and let's simulate it, because now we've got a quick way to take everything we built, put it into a batch file; well, let's now simulate an actual threat group. So now you're curious, like, let me threat model all kinds of stuff in my environment. Find your friendly neighborhood APT out there that's roaming the streets this week, let's mimic that actor, and then maybe
get some profit out of it. So in this particular case we created another chain reaction in that same directory called Dragon's Tail. We looked at it on MITRE's web page; here we see that they schedule a task, they run regsvr32, and then they use PowerShell, and they do other things, right, they have custom command and control, they do fancy protocol stuff. This threat group in particular changes their tactics and techniques pretty often, almost weekly now. So if you're following along with them, there's a hashtag on Twitter called #DailyScriptlet, so Nick and those guys are constantly posting the changes that these guys are performing weekly. So anyway, back to this report, APT32: this is exactly what we built just
for that test, and this is a PowerShell script, and it also has a macro you can embed into your Word doc to simulate the execution from Word spawning something else and then downloading something and kind of going down that full chain. So in this particular case, there's your scheduled task; we're running it, we're deleting it to kind of help try to clean things up because we're nice like that. We'll download more evil stuff here, and then we create a holy hat, we do timestomping in here. So in this particular case, yeah, this is really cool, Casey made this to 7/16/1945, where he changes the file date and time on that. And then the defense evasion here is where it's
deleting the text file, writing to the host that it's done. So really, really simple to mimic an adversary. We haven't gone through and created all of these from MITRE, all the different threat groups out there, but this is just one quick example, and that's part of the modularity of Atomic Red Team: you're able to just say, hey, I want to run like five things and just see what it looks like in my product stack, or how's my network, do I have visibility into this coming in, or ship that Word doc through email, did my, like, you know, email gateway detect it this week? So I'll do a demo, I think we still have some time, I'll do a demo here
in a minute so you guys can see how easy it is. Quick notes on simulating APTs: so this is Nick Carr, he tweeted this a little while back, but basically it's, I don't know that it's possible to authentically simulate the best APT groups; the best we can do is get up to yesterday, because they're constantly rotating and changing their tactics and techniques. So tomorrow it's going to be something different, they're doing something different. Even just malware spam campaigns, they're constantly changing their techniques to bypass all the gateways. Then we have our Trump tweet here: Russia has tremendous APT, just tremendous. So they have the best tradecraft, you can't catch these guys at all, but
they're great. So before I hop into demo, what's next for Atomic Red Team? What we've been working on now is making things to where it could be pulled into different automation frameworks, and so in this particular case, over on that side, which is kind of cut off, we've been converting all of our techniques to YAML, so now it's gonna be even more machine readable; you're able to now just kind of run through this with whatever product you want to use. Some of the short term is getting it pulled into Uber's Metta automation tool or even MITRE's Caldera, so you can now just automate it across multiple machines in an environment, makes it quick and easy.
We're working on that right now, that's the big one. Lee Holmes, over here on this side, he actually put a pull request in, just like what you're gonna do here soon too. He placed a pull request and they create like a really quick automated PowerShell framework for the current techniques that are in there. We haven't converted that to YAML, but once that converts to YAML, everything will be from Atomic Red Team into like a quick PowerShell script, and you can actually build like your chain reactions right there in the framework, so just ship them off like that. Very, very powerful, easy, free. So there's the repo, when you submit that PR; so it's just github.com/redcanaryco/atomic-red-team,
there's the website as well, atomicredteam.com, link right to the repo from there. Everybody's atomic; this is open source, contribute, ship anything back. You have feedback on the project, shoot us an email at research@redcanary.com. You can always hit Casey up, if you can't see, but everybody knows him, @subTee. There's me, and then Adam as well, who's working on the project. So if you guys want to see a demo, see you guys. All right, let's see if we can make it rain.
Oh, awesome. So this is atomicredteam.com, if you couldn't tell, and I'm going to change my screen; I'm just gonna mirror it. Much better, perfect. So this is atomicredteam.com; you click that link, you go to the repo. Oh, it's fine, I'll stand back up. So here's the repository on GitHub, and like I mentioned, everything's here. There's also basic how to use Atomic Red Team on here in case you've never seen it or heard, you know, played with it too much; all that data is here. And so for the quick demo, what I'm gonna do is, what I like to do for Red Canary is, this is connected back to our Carbon
Black instance, our test one, and so the way to get our analysts to jump is just to start running every batch file in here, because they all just go hog-wild. So I'm just gonna click it; it'll go through, it's going to download that discovery bat file, it just starts executing stuff and just goes crazy. It's not on domain, so it's gonna get hung up on a few things here and there. [Music] All right, so that was it, that's how fast that one goes. You could run other ones as well and they just go crazy. This is a discovery one, and so it's just going through everything on this box, looking for everything out there, generating telemetry, or trails we call it. So it's
generating information within Carbon Black or CrowdStrike or even Sysmon, and now you're validating: you can go back, look through your data, see if any of this information has been picked up by your tools. We do have some success with AV mostly picking up everything, especially when we pull in like Mimikatz or whatnot, and so those pieces will come. This is Sysmon; is anybody using Sysmon? Awesome. Good, know what Sysmon is? Okay, cool. So everything's in here; so again, Sysmon's collecting that telemetry that's being executed. So here's a net view command running out of that directory from that batch file, and that accounts domain, this querying anything and
everything, and this is that discovery bat file just going crazy. Here's that DownloadString. So as simple as that, right? Should be getting a phone call soon. Yeah, that's it, it just keeps going. Within the repo as well, I always recommend checking out like our execution PowerShell technique; it has a lot of really interesting ones in there that I borrowed from like different products like Empire, or it might just be Empire, but Empire has some really cool things that you can execute that I added in there. You just copy-paste them, drop them in, just some really crazy stuff: it'll download Mimikatz into notepad, save it, and execute it. Does neat things to see if you actually have
detection capabilities for any of these things out there hey the demo worked right so that's impressive cool anybody have any questions shirts we have lots of shirts and stickers yeah what's up yeah I have no idea the question was how how did we bribe Lee Holmes to submit a pull request from what I understand he actually is a fan of the project so he contributed just out of goodwill and helped us out with that oh there we go anyway it's awesome yeah yep there's atomic stickers and t-shirts up here red canary stickers as well yeah any other questions
yeah I always say like if you have like no visibility or like no budget you just can't get anything into your environment like an enterprise tool like carbon black or CrowdStrike minimally Sysmon just for some visibility you can up your windows logging an audit log again stuff like that too but again it could just generate more noise if you're a one-man shop you don't have all day to look for failed logins and everything you know even with Sysmon stuff the other thing if you have Splunk or you can use a free partes glunk we also have a Sysmon TA I created a Sysmon TA which allows you to kind of go from 0 to 100 real quick just with
Sysmon data so that's a really quick way to kind of win at that front to this one is probably your fastest easy bet to get going and then over longer-term budget for something more enterprise that you can actually do more with than everything yep any other questions okay it's dark over there yes
yeah yep
yeah yep so the question was is there any plans to like add like staging into atomic red team right now we haven't added that but I think that's where like the YAML piece is going to come into play once we get like Metta using it and Caldera and whatnot will probably be have better options and availability to like add those pieces for staging and across multiple endpoints especially like you do like a password spray and then you log into a new box or something it could be more hands-on - for the for the one-man shop attack our team you know to go through for sure yeah not right now yeah good question
Oh any other questions not saluting I'm just blocking the light awesome thank you guys appreciate it thanks for giving up early for me [Applause]
all right so it's ten o'clock we're gonna get started with the next talk in the preservation pub so our next speaker is Russel Van Tuyl and he's talking with the title HTTP 2 magic with Merlin
[Music] [Music]
hey everybody thanks for coming out appreciate you taking the time to come listen to my talk have you any of you guys been to the OWASP talk on this before because if you have you probably have already seen it and can you hear me now all right anyway as I was saying thanks that have if any of you have been out to my OWASP talk this will be the exact same talk so you can probably save yourself the time and and go watch something else a little more entertaining than this one but if you haven't glad thanks for being here we're just gonna walk through some protocol stuff with HTTP 2 real quick let me
stretch my arm really far
feel like I need to straddle this mic alright so today we're going to talk about HTTP 2 as many of you guys heard of that protocol before if you raise your hand I couldn't see anyway so I'm just gonna assume you are raising your hand back there lots of hands went up lots and lots of hands we will talk a little bit about TLS and perfect forward secrecy the reason for that is because it's a primitive that you need to understand when we talk about some of the other capabilities that work with the protocol I'll talk to you how you can maybe look to see if you're using any HTTP 2 enabled applications because you probably are right now if you didn't
know it and then I'll get into my favorite part and we'll talk about blue team defenses and kind of red team activities and then I'll wrap it up with the demonstration of a tool I wrote called Merlin I think some of you guys are dying to know what Merlin is so isolated yeah yeah also I got a I got some free stickers if you guys want a sticker for the logo for Merlin come see me afterwards I got plenty to hand out that was a the way I try to talk people to come to my talk was by offering free stuff everybody likes free stuff
all right you can't you can't actually read that still but anybody want to guess how old HTTP is as a communication protocol any of you guys like been around like when the internet was first invented plus yeah 20 plus all right the very first version of HTTP was version 0.9 current version is obviously 1.1 and 2.0 0.9 came out in 1991 were some of you even born in 1991 yeah all right and then we came up with version 1.0 and 1.1 thing with HTTP to know is that when it first came out it was designed to be like a stateless protocol to have communications back with each other if you probably use an Internet when it kind of first came out or way
back in the day the web pages weren't that big you'd request something you'd get something back HTTP wasn't designed for the things that we use it for today most of you are probably pretty familiar with thick web applications and it's like just using a desktop app but it's in your browser leveraging that protocol in the background so there's a lot going on there on that and so what happened was Google had decided that you know HTTP 1.1 is a little too slow for the needs so they needed a new protocol and so they decided to come up with HTTP 2 well let me back up a second on that Google had a protocol before that called
SPDY anybody heard of that one from Google SPDY you've heard of SPDY alright so it pretty much happened as Google was developing a protocol called SPDY and then someone from the IETF said hey we need to turn that into actual protocol and they've pretty much adopted SPDY and turn that into HTTP HTTP version 2 one of the key things that they had to do with HTTP 2 is make sure that it maintained backwards compatibility if you notice when you use the HTTP 2 application the URL stays the same you know it's the protocol and address you're trying to access everything has to stay backwards compatible that it wouldn't have to develop new tools and stuff to be able
to use that protocol there are a lot of unique things about http/2 that makes it different than version 1.1 one of them is that the protocol is multiplexed it means instead of on HTTP 1 it would just send one request and get one response and one request get one response well the multiplex they can send a bunch of requests at one time and one packet going off and another key feature of a HTTP 2 is that it's bi-directional communications can go back and forth like a regular TCP connection original web worked on TCP but it didn't act like a TCP protocol didn't maintain a state or a session go back and forth which is why you have cookies to kind of maintain
that state information but with HTTP 2 you can kind of go you can go bidirectional it'll go both ways and then any of you guys ever done any packet analysis on maybe a web traffic to kind of look at it in Wireshark anyone look at Wireshark packets yeah and when you open it up and you just follow the HTTP stream what do you see you see the text you just see the text go so you can just read it in human readable text format HTTP 2 is a binary protocol it's not text it's not human readable you can't just like open a packet and look at it without a protocol analyzer to go on top of it so that
makes it more of a challenge it makes it great for traffic going back and forth because it compressed the data down and it gets rid of vulnerabilities that come with handling packets to figure out where the line terminations are and what the spacing character is and all that kind of stuff are so HTTP 2 is a binary protocol which makes it drastically different than an HTTP 1.1 and then if you guys have looked at web traffic you'll notice there's usually a stack of headers that go on every web request with HTTP 2 they use another protocol called HPACK and they do compression on the headers so it's usually the same data going back and forth on a on a web
request usually the same header so that there every time going back and forth and so HPACK just compresses that down so it makes a traffic more efficient going back and forth and I think the biggest one is that http/2 has this thing called server push and a lot of that has to do with head-of-line blocking anybody use like Facebook out there anybody yeah I don't know I don't know what it is when you request that web page what happens is your your web browser says hey Facebook give me the give me the Facebook web page and then it starts asking for all these other files like CSS files and pictures and JavaScript libraries and
multimedia and all kinds of other stuff but each one of those are serial they happen in one request and then they get one response and they can ask for the next one and if they don't get all the requests the web page doesn't load so back in the early days if you had any frustrations looking at web pages you're just waiting for it to load it's probably in the background requesting all those contents that won't actually display until it gets all the pieces in and so what that's called is head-of-line blocking there's one big thing that's blocking the rest of your web application at download while it's like waiting to load so with HTTP 2
they have this thing called server push promise and basically the the web server says I know you're gonna need this so I'm just gonna go ahead and send it to you because they have that bi-directional TCP connection it doesn't have to wait for the client to request it the web server can just say I know you're gonna need this and send it off so that becomes super efficient when you're working with HTTP 2 the one thing you do need to know is that in order for that to work the web application has to be configured that way it doesn't just work out of the box you have to write the web app to say I'm gonna push that
stuff down so that comes in handy later on
so earlier I mentioned that http/2 needs to maintain backwards compatibility and kind of one of the quickest ways to do that is if you're talking on an HTTP 1.1 connection and you need to upgrade your connection to a version 2 connection that the protocol is defined sorry the protocol is called in two different formats either h2 which you see up there in the upper left hand corner h2 stands for HTTP 2 and h2c stands for HTTP 2 over clear text another interesting thing when Google was developing SPDY they pretty much said hey this protocol is gonna always be encrypted we're never not using an unencrypted communication channel like you know regular HTTP if
you guys are familiar with that and you can just read everything in the clear as it goes across the wire Google is very adamant like we're not we're not doing any unencrypted stuff everything's gonna stay encrypted but they lost the fight against the IETF board on actually standardizing the protocol the board was like well what if someone develops a package that can't handle encryption and they want to go back so they ultimately lost and there is actually a clear text version of HTTP 2 but I will say that your web browsers won't support it so Google was like fine if you're gonna you're gonna allow that protocol that's cool but we're not gonna
actually support it in our browsers so your browsers won't actually support HTTP 2 over clear text h2c communication channel but if you're using a 1.1 connection and you want to upgrade to a 2 this happens on the back end you don't actually get to choose what you'll get is HTTP upgrade header and that will basically tell the web server that you need to upgrade your connection to a new one and when you do that what'll happen is you'll get back a 101 for switching protocols but here's kind of one of the neat things about the way the upgrade works what happens is the web server and the client establish a connection back and forth with each other and one of the
final steps after they finally got HTTP 2 going is as one final check to make sure that that both pieces can actually talk on HTTP 2 protocol they send what's called a connection string or sorry a connection preface or a magic string which you see right here and that magic string is the server basically sends the client the letters PRI with a carriage return newline carriage return new line and the client responds back with the SM and that affirms that they can actually talk the HTTP protocol you know together that spells prism ID anybody remember like an NSA program like inspecting traffic called prism yeah so I think that's a play on that I
think someone was trying to basically say we're gonna set this protocol up so it can't be affected by the prism program but I thought that was kind of an interesting fact it spells prism going on there
so here's just a screenshot like I was telling you before you can see the upgrade header and I have that h2c in there saying what protocol I want to upgrade to again it could be h2 or h2c or there's actually another header called alt services header that you can use to upgrade to different protocols as well but this is basically how the web client tells the server that it wants to change to a different one and again you can see down here it's switching protocols with the 101 status message and it's responding back with the prism message
TLS anybody know what version of the current version of TLS is 1.3 was actually just ratified about two or three weeks ago I was doing a presentation and someone called me out on it so that's why I know well I had to learn the hard way because someone asked me and I didn't know either so I thought I'd say that but one of the staples for HTTP 2 to work is TLS 1.2 has to be a thing TLS 1.1 is not capable of doing HTTP 2 so if you have an old application that can't even support TLS 1.2 you can't use the protocol at all and TLS 1.2 has an extension called the application layer
protocol negotiation extension it's an extension of TLS and that's what's required to establish an HTTP 2 connection earlier I mentioned to you that if a client is currently talking to a web server and it wants to upgrade the connection then they do that but there are cases when you can actually negotiate HTTP 2 upfront without having to do that that client server talking to the web server and you do that through the TLS ALPN protocol and so what happens anybody know how a TLS handshake works yeah typically a client sends a client hello message saying hey I can talk to these cipher suites and these protocols and the server will respond back on it with what they're
gonna do this is a screenshot of a client sending a message to a server so you'll have the TCP handshake and then you'll have the TLS handshake and then once all that done then they'll start talking actually HTTP 2 at that point so those these things happen ahead before you've actually established a connection with the web server itself talking on actual protocol do you notice down here this client's capable of talking h2 which is HTTP 2 SPDY 3.1 which I've mentioned to you you should probably still see that in some of your web browser traffic I believe Chrome still supports SPDY but again h2 is pretty much the latest version of SPDY and then you can see at the
bottom my last service that I offer was HTTP 1.1
all right so I mentioned that a TLS is gonna be kind of a big big part of the game because that offers a encryption for the communication protocol and that's gonna come in handy later when I talk about Blue Team and Red Team stuff and it's kind of the premise of why this tool is very effective for me to come up with but one of the things that TLS or sorry that HTTP 2 uses is ephemeral Diffie-Hellman key exchange and elliptic curve Diffie-Hellman key exchange and what that means is that they have perfect forward secrecy you guys probably now have a web server and I probably have like RSA key exchange anybody familiar with that you know
you got that giant private key have any of you ever like tried to decrypt HTTP communication you needed a key to actually decrypt that stuff well with with ephemeral key exchanges you actually there's no key to give anybody what happens is the client and the server negotiate well sorry they have a premaster secret and they use that premaster secret to make up session keys and the session keys are what encrypts the traffic going back and forth if you're using the RSA key exchange method if someone has the key they can just go ahead and decrypt any any piece of traffic after the fact so I could capture all your packets now and then wait till two months from now when I'm
actually able to get that RSA certificate from you and I can just go ahead and decrypt it the RSA certificate is used to develop those session keys so you can go ahead and read anything perfect forward secrecy means that even if you manage to get one set of session keys that's only good for that session you have to continually compromise that stuff over and over again that's why it's called perfect forward secrecy the actual keying data is never sent across the wire at any point on the web server sorry that the protocol specification for HTTP 2 says that if you're not using one of these two cipher suites or key exchange messages in your
cipher suites that the web browser will actually just send you back an inadequate security message basically refusing so all that to say HTTP 2 has to use perfect forward secrecy cipher suites if it's written correctly it will not use insecure cipher suites that are not capable of perfect forward secrecy and let me give you a quick so the the spec for R star sorry for HTTP 2 has like a blacklist of ciphers basically all these cipher suites are blacklisted according to the protocol let me show you that real quick
so what I'm what I'm showing you here is I'm just gonna scroll through like these are all the blacklisted ciphers according to the specification
all right so as you guys could see that was quite a bit of cipher suites going on there the main thing again the main takeaway is that the TLS 1.2 and HTTP version 2 use cipher suites that are good for perfect forward secrecy and that's again gonna play into what I'm about to get to next
I forgot to mention up front that a lot of this work on this protocol was stuff I had to do for a college class that I was taking and I actually published a paper on kind of some of this stuff a couple years ago so the work that I did initially is about two years old actual HTTP 2 protocol was actually ratified in 2015 and it's about the time I put the paper out that I had done the work on when I was doing the work I kind of checked all the browsers again in a client hello message which comes from your browser it says I can talk all these cipher suites and so I went in and enumerated that list that
every browser could talk and then I subtracted out the ones that were blacklisted and this is what was left this is about again about a year or two old so it's probably changed on the cipher suites but this is what all the protocols that were left which is trimmed off the edge of the screen but that's okay if you notice they're all ephemeral Diffie-Hellman exchange or elliptic curve Diffie-Hellman exchange cipher suites that's all that's left for that
so any of you happen to know if you use HTTP 2 right now or not like anybody can kind of tell or not know so one of the ways you can if you're using Chrome you are using HTTP 2 by the way you just use probably don't know it when you talk to Google servers on the background they're a big proponent of it obviously but you can get a little plugin for your browser the last one that I use have like a little lightning bolt and the thing so that way it just lights up when you're actually using the HTTP 2 protocol so that way you know another thing you can do is look at the web
developer console and it will just say what protocol is being used so that's another good way to do it
all right so I was just telling you about how we're using this perfect forward secrecy and that it's hard to break the encryption to read the stuff especially if you don't have the keying material and that's kind of the big difference between this this protocol the HTTP 2 protocol is that again it uses perfect forward secrecy cipher suites and not RSA key exchange message methods where you can just decrypt packets after the fact actually doing packet inspection on HTTP 2 protocol is really challenging so what my research have found that typically what WAFs do now or any type of intercepting proxy that's gonna inspect the traffic for TLS they're pretty much provided with the RSA key so
that way they can decrypt on the fly and keep going again that will not work with this there is no key to give anybody the keying material for the session keys never leaves the client or the server stays there so you're like how would I actually inspect packet traffic on for HTTP 2 it's actually pretty challenging but one thing you can do is if you use an application that has the NSS library is used to compile the application and they offer an easy way to do that most notably that's Firefox Firefox is compiled with the NSS library and so what you end up having to do is you set an environment variable in your Windows or Linux that basically says
write all the session keys to a file and all those session keys become what you need to actually decrypt the traffic that works great if you control the endpoint if you control the workstation and you're using Firefox and you set the global environment variable then you can have what you need to decrypt the traffic but chances are you own a web server but you don't own the client so you can't control both sides of the communication which makes it hard also for network traffic you're not gonna be able to look at that kind of stuff so Wireshark is capable of actually looking at HTTP 2 so I encourage you if you get the chance to
go mess around and look at that by default if you do it on port 443 Wireshark's gonna think that it's HTTP 1.1 so you're gonna have to go in and tell it you know actually want version 2 then you're gonna have to also tell it where all the session keys are so we can go back through and find the key I mean the session keys aren't like just one password or one key like it'll be a giant lime list of lines for every time it establishes a new connection we'll have a session key per connection going through so it'll be quite a lengthy file then you can go through there and do that it's neat that
Wireshark actually knows how to do the protocol but my initial work had shown that many other tools aren't actually capable of looking at the protocol whatsoever so when it comes across their device they don't know what it is if you probably mention it at the beginning of the talk the protocol's binary it uses compression and it uses perfect forward secrecy so chances are even if you were using a web proxy and you are trying to do some type of inspection when you see the protocol you won't know what the hell to do with it anyways because your tooling doesn't understand it I have seen that tools now are starting to actually come up with protocol analyzers
so that way they can actually do a little bit of work with it but I don't know any practical use cases where that's coming in handy and so again that helps defeat proxies reverse proxies anybody in here work for a company that uses a TLS inspecting proxy on the way out yeah I beta sure let's talk with you after what I actually don't have much experience with it but I'm trying to find out like what companies do when I do that first I know there's the problem of a lot of companies don't want to do TLS inspection at all because then I have to deal with the whole privacy concerns and all that kind of stuff so
some of them just stay away from it completely but what I'm interested in know is does your proxy open or closed my general assumption is that it fails open meaning if you can't inspect it or you don't know what to do with it you just continue to let the traffic go through anyways have you had to talk to someone who says it fails closed and then let me try it on the network to see what actually happens so it's a little immature in that sense the tool that I wrote because I don't know what's actually gonna happen but I would say by and large part of my experience most people are inspecting traffic at all
ever to begin with but even those that do I would say probably fail open and then obviously the same thing for a WAF it's gonna do the same type of thing trying to inspect the traffic going back and forth Snort 3 actually has the HTTP 2 protocol analyzer in it I was trying to talk with one of the Snort guys to figure out how well it worked my general understanding is that it just looks at clear text protocol and it doesn't do any TLS decryption to actually look at the stuff my question to the Snort team was going to be well how do you actually do the TLS inspection if you don't have the session
keys I'm interested to see how people do that so those are some of the challenges of packet inspection altogether
all right so I just kind of like you know painted a bad scenario I'm saying you got this protocol on your network because you do right now and I'm like how are you ever gonna what are you gonna do with it from a security perspective how what kind of controls can you have there are a couple options one of them is you can do a protocol downgrade you can actually set up like a reverse proxy and downgrade a connection from HTTP 2 to 1.1 however by doing that you're really just ruining all the efficiencies that HTTP 2 gave you to begin with remember I told you that HTTP 2 is bi-directional stays open
connection your Bates gonna say ma'am let's go back to the old way of making things really slow and do that so it is possible depending on kind of your environment that you're trying to protect but that is an option to do that you could do encryption downgrade a couple different ways if you actually control the server if you've heard me mention earlier the RFC says that you should blacklist that list of cipher suites but if you actually write write the code for the software for the server you can actually just tell it I don't care use it anyways you control the application at that point so you could stand up a proxy an intermediary proxy
intermediary proxy that allows you to use a weaker protocol even though the RFC says it's not a good idea so that way you can have that the traffic and still stay encrypted you can set up some type of like little encryption corridor type thing where like you use a reverse proxy in between two endpoints it uses a weaker encryption that you can't inspect and then put it back up going out is an option you can also just downgrade the protocol so you can maybe you can have an HTTP 2 enabled proxy and then when it comes in on encrypted you can just relay it back to the server again using a reverse proxy over the clear text
version of the protocol again your support for that's gonna be a little challenging clients don't support it but if it's just between a proxy and a web server you might be able to make that happen and so during my research I was I was looking at like what I did was I did a SQL injection attack over the broken web app from OWASP I did a SQL injection on HTTP 2 and it worked and nothing was able to detect it because it kind of went across that protocol nothing could look at it so what I ended up doing is I used ModSecurity anybody familiar with that one ModSecurity uses the OWASP core rule set that's one of things
you can use I've been talking to you like it's hard to inspect the packets you don't have the tools you need to decrypt the protocol you don't have the encryption keying material actually inspect it anyways well there is one saving grace if you use the OWASP core rule set on an HTTP 2 web server it actually inspects the traffic at layer 7 so it doesn't matter what level the encryption comes in at it comes it comes up the stack and as it comes up the stack and goes off to the actual web server the encryption is actually removed by that time so ModSecurity doesn't care if you use an HTTP 3 4 10 doesn't care what version using by the
time it sees it it's just processing requests it can actually tell what's going on at that point so that's one of my better recommendations if you're if you're fighting off that protocol you're looking at it or don't enable the protocol at all but and so I turn around I did the SQL injection attack again with just the web servers I could only talk h2 and the OWASP core rule set was able to catch it on that protocol because again it happens higher up the stack and then maybe you can't inspect traffic at all maybe that's just something you guys are not gonna do what you're gonna see a lot of companies say they don't want to
inspect traffic to begin with you can use another technique called TLS fingerprinting that connection that happens between the web server and a client you can fingerprint that because it'll offer unique set of cipher suites not only that the cipher suites will come in a certain order depending on the tool that it comes from the applications that it'll advertise like HTTP 2 HTTP 1 SPDY all kinda stuff so you can use that to generate a hash and you can use that for fingerprinting chip the fingerprinting traffic going across your network there's a tool called JA3 I believe it's from Salesforce that the tool does exactly that it does TLS fingerprinting it says it can detect malicious traffic just without ever
having to inspect the traffic's whatsoever so that's another Avenue to look at as well
all right so all that was kind of like the the precursor to what I actually do again I do penetration testing and I was looking for other avenues to help me out on our test and I've just told you about a protocol that's new that a lot of tools aren't capable of understanding and even if they were capable understanding it they're not able to encrypt it to decrypt it and I thought to myself that's perfect that's exactly what I need at doing a pen test so that way I can do my job without getting caught and so what that really helps out with is for evasion again if I'm trying to go through Network I'll have to worry about
our proxy looking at my traffic going back and forth even if there was that thing would be able to actually be encrypted to begin with so that makes it nice and then it makes a good actual command and control to traffic channel as well going back across the internet and you can use that for exfiltration again if you're trying to exfil large amounts of data if you're in a company that that's like trying to protect against that you might actually be doing TLS inspection stuff you can actually see if anyone's exfilling data but this this protocol would make a good candidate for that to get around
all right so finally we're here I was gonna introduce you guys to Merlin it is a tool that I wrote to kind of take advantage of all these things Merlin is a tool that I wrote in golang anybody heard of that programming language before yeah if I haven't told you enough about Google yet it is another Google programming language you know using Google's protocol using Google's tools using Google's programming language and whatnot and so look the way I describe Merlin Merlin is a post exploitation command and control tool post exploitation meaning the tool doesn't handle the exploit part you got to handle that part on your own how you get access to the computer how you run
commands is all up to you this tool does not do any any exploit stuff it just does post exploitation activities the reason I decided it goes go is because it is cross-platform anybody you guys use like PowerShell Empire problem is is it's only works in PowerShell that's the problem if you compromise anything that's not a Windows box your shells not gonna work and you can use meterpreter as well on other systems that are windows and it does have actually pretty good support but with go I can write one code base and I can just cross compile it to anything I don't have to change the code at all I can I compile it for for Darwin which is your Mac I can
compile it for Linux I can compile it for Windows I can compile it for MIPS so anybody know like IoT devices or ARM which are cell phones you can cross compile to Android all on the same code base so I thought that was pretty attractive reason to use the protocol I was looking through the protocol list that the language supports there's another protocol called or not protocol there's another operating system called DragonFly anybody heard of that one well it's a it's an operating system and you can cross compile with this tool to run on DragonFly if you ever happen to run across it Solaris anybody for noise hilarious you can cross compile it to run on Solaris
actually did it for a little test you can it'll run on anything Raspberry Pis typically run on ARM processors cross compile this to work on that so it just works on anything which is why I really like the language one of the other things I like about Go is you can run it like a script if you guys have worked with a scripting language like Python anybody Python Ruby just regular bash scripting all that you know the beauty in those is that when you edit something and you want to run it right now you don't have to like run it through a Dane compiler first and deal with any errors they can
stuff like that you can just actually run it so Go has a feature where you can actually run the program like a script and the reason why I use air quotes around like is because what's really happening is when you type go run and the name of the thing you want to run it's secretly compiling it in the background creating a binary and then it's executing it for you but it still gives you the perception that you're actually running it like a script so that makes it really handy if you're trying to do some like live development you don't have to like recompile anything Merlin comes with precompiled binaries if you guys have used git anybody here
use git before like git repos and Go uses something like git they use a command called go get and it goes through the repository it pulls it down if you're not familiar with that and you try and pull down the Merlin source doing that you're gonna run into a bunch of problems and it has to do with the way that Go references the libraries I have had quite a few people put in issue tickets because when they when I pull down the source and I trying to work with it they did it wrong there is a very unique way you have to deal with Go I left comments on the GitHub page if in
case you wanted to do that but the short and skinny of what I'm trying to say is just download the precompiled binaries it'll save you a lot of time you have to do it the hassle of all that other kind of stuff if you actually get into development you want to mess with it let me know and we could work through that but for the average people I would say just download the precompiled binaries that I provide on the releases tab from Merlin do I sign him down I could [Music] yeah the one thing that I do which I don't actually give the information out so that would be useful is Merlin has a version number and a build number and
what the build number is is a hash of the last pull request that is being compiled against and that's hard-coded into the actual compiled binary so you could technically go backwards and check the hash from the last pull request to see what code you're running if you wanted to but I don't actually like don't we can actually find that string is by running Merlin you can't like I don't put it in a file so you can read it afterwards or anything and then kind of why not PowerShell like again PowerShell was like getting a lot of attention and I initially actually wanted to write the tool in PowerShell but the problem is is that PowerShell at
the time did not support a way for you to configure TLS 1.2 if you remember me telling you it has to use TLS 1.2 that's the only version of TLS that has support for the ALPN protocol today PowerShell does have support for ALPN or sorry does have support for TLS 1.2 but last I checked it did not have support for the ALPN protocol so I don't know if there currently is a way I haven't checked in like a year but that's why I didn't end up using PowerShell because it just isn't capable of setting the protocol up the way I need to actually do the communication back and forth
so this is a screenshot of the server here in a meeting I got to actually like a live demo what's up Zack
so here's the screenshot of the server I'll walk you through some of the components of the server I was talking to somebody else who does like tool development I was asking them like kind of what are the keys to success on developing the tool if you want wide adoption you have to make it easy for people to use and so that was kind of one of the underlying things I really had to make sure that I put a lot of effort into and the way I did that is by using tab-completion like if you're in the middle of typing out a command you just hit tab it'll fill out the rest of the command for you if you were at a blank
prompt and you don't know what to do if you double tap it'll bring up a list of all the commands that you have that are available to you at that time to be able to use so I really make sure I put a good effort in there on that tab completion the server uses sorry that every agent that checks in uses a version 4 UUID string which are pretty long I'm not sure if you guys are familiar with that or not I've had people say that they don't really like having to type out that giant UUID string you can see that it's probably hard to see but you can see that blue colored a bunch of zeros
that's how long a UUID string is that's just an empty one but that's how long it is and people are like I don't want to type all those characters out give me a way to alias the command one of my co-workers is actually helping out with the way to alias the commands but my retort to that is there's tab-completion built in so if you know the first letter of the agent you want to work with like a and you push tab and there's no other agent of the a it'll just fill up the rest of the thing for you so I would argue that it's just as few keystrokes as renaming the agent to begin with if
you're gonna use tab completion for calling the agent another thing I made sure to do is that everything had a good help menu so any point in time you can type help and it'll give you a table of commands that are available to you along with options that you can set for that command again my goal there was that you had everything you need to be able to use a tool I don't know have any of you guys ever like been using a tool and like they're trying to get out of but you can't figure out the damn command to get out yeah like that's the worst I was using I was using someone else's command
and control channel and I was like trying to get the agent to die and I just couldn't find the command there was no help exit wasn't working and quit wasn't working like I didn't want just want to kill the program because I didn't want the agent to just keep running on that compromised computer the whole time so I tried to fight that by putting in a good help menu on here command alias was another good thing I try to put some time into any guys like big-time users of a tool like this not a muscle memory like when you get on the tool like you just type like sessions like that I just do that person out a
minute out of muscle memory like I'm on any command and control tool and all his sessions and I'm like sorry that's the wrong command so for this tool I've tried to put alias to like commands that you would run in Meterpreter or that you would run in Empire being one of the you know the two famous or more popular command control tools trying to ease that so I could be typed sessions and Merlin will actually pull it up for you that wasn't the way that I originally intended for you to be able to get a list but I put the aliases in there Merlin has module support the module support's honestly not that great
but it's better than nothing it's pretty much described in a JSON file you can look at the modules the key thing with the module support is that while Merlin is running you can actually drop in a JSON file and it will dynamically show up in the list while you're doing it some companies have their own tradecraft that they don't want to share with other people and this is great for that because you can just distribute the JSON files to your team and they can just put them in the directory and it will just show up and use now one of the key things is that you don't have to exit Merlin to be able to use the modules
like you can drop it in there while Merlin's running and you can use it Walter anything without having to exit out or recompile or anything like that so that's really handy and then another thing when I'm working on a pen test and I'm done sometimes on my King I just I was having a phone but I wasn't actually keeping track of what I was doing so I made sure to put a lot of effort into it some verbose logging both the server and the agent have pretty verbose log files though you can go back after the pen test is done you can read through the file and see kind of what commands you executed with timestamps and what the
results were and all that kind of stuff so you can back-trace your stuff if you need to and the last one is system commands like if you're in the Merlin prompt and you want to I don't know do ipconfig for some reason if you just type ipconfig and push enter it'll execute on the system the logic is if it's not a command that Merlin knows it'll just turn around and execute it on the actual system you're running it from I found that to be useful so that way you have to exit out of the tool or switch tabs or anything like that you can just run up there right now there's no collision I haven't
had any like the command in Merlin that doesn't go back and forth
and so that was the server component the agent component again I told you every agent has a unique identifier it's kind of long on it when you're running the agent the precompiled binaries are set to communicate back to the server on the loopback adapter that's the hard coded address that works great for me for testing it's probably not gonna work great for you on a pen test because your server's probably somewhere else not on the loopback adapter and so there's just a -url flag you can specify at runtime any other server that you want it to run on no shell restrictions I find this to be powerful some people don't like it
typically you guys all familiar like cmd.exe or powershell.exe or bash or zsh those are all shells when Merlin runs it actually it doesn't run in cmd.exe it doesn't run in PowerShell you can specify the shell that you want it to run and what happens is when you execute a command it checks the path variable if the command you want to run is in the path and it will execute that so it gives you more flexibility if you don't want all your commands running in a cmd.exe you can just specify powershell and it'll work that way so offer some flexibility that way one way I'm trying to work on evading traffic or
sorry evading detection a lot of tools would do detection based off beaconing so they'll look at a beacon size for C2 traffic going back and forth and one of those quick ways to detect beaconing is that it's a consistent every 30 seconds on the dot it's a message is a message a message and then typically the size of the message is relatively the same every time and so one way I try and combat that is I have a time skew so it'll kind of it'll the time of waiver so it's not consistent which is moderately useful but my bigger win is that I had a message to every side so like you can set it on the
fly you can set it while the agent's running but by default every time you send a command back and forth that has your regular command payload and then it has a pad of somewhere between 2048 bytes of data going back in and it randomly selects that every time so that way it's not consistent I do that to try and defeat detecting beaconing I don't know how well it works but again the size is configurable so you can bump it up to 4096 you can go as far as you want on the size on that and that goes both ways from the server to the client from the client to the server and so that the agent comes in the
precompiled binary that you can run on Windows Mac whatever you want to run on but I also thought to myself you guys know what you currently have on you right now that can actually talk the h2 protocol your phone your phone can talk if you got a web browser web browsers can talk HTTP/2 as is so I wrote a quick JavaScript agent that can talk h2 as well the thing that does suck about it is you're stuck in the context of what JavaScript can execute so you're not gonna be executing system commands unless you have some exploit you're gonna run but you are stuck in the DOM or running that and then last but not
least is I have a DLL object that it compiles to a really cool thing about Go is that I have like 15 lines of code that's all I need to generate that DLL which comes in handy if you're gonna run like a run DLL across the network I've also taken that DLL and embedded it into a PowerShell script so that we can do in memory execution of Merlin by taking that DLL and base64 encoding and stuffing into one giant PowerShell script so that comes in handy as well Invoke-Merlin PowerShell script is most of the work's done by the PowerSploit developers I just took and shove the Merlin DLL in there to execute it but
that's on the dev branch for the git repo as well this levy here's a screenshot on my iPhone I basically ran Merlin on my iPhone cuz again my iPhone currently has a web browser and it's capable of talking h2 there's a blog post if you want to see more on that
here's a quick demo of kind of the server running let me see if I get a bigger real quick
the I kind of put my comments on there so you can read it so I don't really need to talk what's going on but here I'm checking in some some agents real quick
there's a list of the agent so you can see Linux Windows Mac I have agent running on all those [Music]
there's a tab completion for the agency just hit tab and go to the one you want
I'll let that keep running again there's verbose commands on there so you can kind of see what I'm talking about on there but that's pretty much the end of the talk I do have another example of the JavaScript agent which you can pull all these from my blog on Medium I'll pull that slide up here when this is done if you want to know more there's actually a pretty good write-ups I tried to make sure there's a really good wiki page that way you're not left confused on how to use it to begin with trying to get very verbose on how you can use any of those things so I guess I'll just turn it over so if you guys
have any questions while this slide plays through if not you can catch up with me on board yes sir
nice I said gentleman was saying that in Chrome you can go to a console and enable an h2 proxy so you can see the data frames going back and forth so I'd be pretty handy as well again it's probably like the same thing I was talking about the wall spot time has gone into Chrome all the decryption already happened so it's just looking at packets at that point in time that are meant for the browser to obviously understand so the decryption's already happened
yeah as far as like companies that not in the context of security yes I've seen a ton of it like Akamai advertises h2 I use DigitalOcean I'd recently got an email from them about a month ago talking about how they have support for h2 and we're just talking general server support yes I've seen a ton of adoption for h2 the Google has been using that for a while as far as security tools I have seen an uptick and that as well I did a quick check about a month ago and like Imperva map is using h2 but they use on one of the techniques that I've talked about cameras when it was there either downgrading the traffic
to 1.1 or they're downgrading the encryption and when it comes back in one thing I didn't cover too much is if you if you control the proxy and you set a TLS termination point then that point that encryption is obviously done because you set a termination point see that's always an option as well if you're gonna terminate the TLS connection established a second one on top of that that does give you an opportunity
so I actually wrote Merlin and only offers up two cipher suites right now I'm gonna go back and make that configurable but only offers up two I haven't heard about the work on the elliptic curve but but I will say this no I'm not worried because most of times I'm doing a pen test nobody even knows I'm there so I'm good again any other questions all right well thanks for your time and come see me if you want a sticker appreciate it
all right so it's 11 o'clock and we're getting ready to get started on our last talk here at the pub and it's our last talk is being given by Travis Palmer who works for Cisco and the title is deadly lag behavioral security ARMA 3 UDP bad packets and dead people [Music] as much as I'd like to rave out for about an hour or two I don't think I really want to do that so I'm gonna be giving a talk today that's well it changed over the course of making it originally this was going to be really heavily focused on behavioral security and I was gonna get really into the nitty-gritty of this and there's a lot
of like lovely theory about a lot of the things to do with this but unfortunately part of that was well I want an example for all these bits of theory and I chose my favorite video game ARMA 3 and then I started finding exploits in it and then I kind of started steering the talk to something a little bit more fun so someone was kind enough to tell me that I probably should actually tell you folks of where I'm going with this I don't want to waste your time so first off forget to give away too many disclaimers there's really going to be way too many oh I will get through them as fast as I can but it's gonna be what
it is broader context what I wanted to originally frame the talk as I and basically the kind of idea the framing of the way you can look at this and hopefully gather something useful out of it don't get me wrong a lot of you in this room may not learn something new but at least you'll be entertained I'm gonna teach you a little bit about ARMA so you can at least understand what I'm gonna be talking about I understand this is not a familiar game to majority of the people in the room so that is quite all right and I'm also going to be bringing back some exploits that far predate me which is amazing they're
still around they still work and of course I'm gonna be looking towards the future a little bit and this is gonna get back out into that broader context of the things that people don't think about that ruin everything and then belt and then why all the way back out
this is how you know there's a good build quality and Max so disclaimer is around zero there's going to be a lot of rabbit trails on this I will not follow all of them all the way down there's gonna be a lot of unappreciated and kind of clever ideas and I will get a little bit into them but not very far it's kind of what it is there's also going to be a lot of really niche considerations that I'm gonna have to explain which is why there's a ton of rabbit trails I don't I wish I could do without them more importantly though there's going to be a lot of really grand and interesting concepts that I do not have the time nor
the dignity already a capacity to dignify and explain with any amount so they're gonna get cut short and there's another disclaimer so all of the opinions the statements made in this presentation are mine not Cisco's Cisco did not pay me specifically to pursue this research especially what's directly in this presentation and the assumption that a corporation would directly bring engineers to go things and hack things that are not directly in their financial interest is kind of ridiculous isn't that right Talos folks stay awesome so there's also gonna be guns and violence I keep it minimal as I can but if I'm gonna show you what it actually does in-game it's gonna have to happen up here this is not to encourage
cheating please you're shooting yourself in the foot both literally and figuratively you play video games for fun so as soon as you stop making it fun it stops being fun you ruin it no pubs were harmed in the making of this I worked with some folks in within my organization Black Widow company to keep this stuff in-house for what test stuff we need to actually test and the rest of it was done entirely on a dirty nut and not everything in here is a complete POC I'm sure it's Travis Goodspeed would probably hit me over the head with a journal if he was here but he's not other things cuz I am NOT on the dev team I cannot give you perfect
information a lot of stuff I have is based on public accounts public record things that devs have said so I guess you're probably wondering at this point why am I even qualified to talk on this so that's where my life went I wish that number was still accurate for those of you who don't want to do the math I've been working at Cisco for a little under a year I've been playing this game for a little over a year in 40 hour work weeks no not all at once I've been playing it for about six years but let's get back in the broader context what did I really want to give you this talk about this is where we get into
those grand and interesting concepts hats off to Thomas Dullien now some of you who are remotely familiar with the paper that this comes from probably already looking at me and me like Travis non-finite state automata tell me more we're not gonna go there very point you really need to understand is that if something is complex enough that a single human being cannot understand all the inner workings of it guaranteed no one understands the inner workings of it that's how the facts rolled out and even worse as soon as you start getting more complex in the boundary and this is a really good quote because this quote is directly true in my opinion is that as soon as you get
beyond a certain boundary it is exploitable and people do not appreciate where that boundary is that is very low now there's the other part of this which is behavioral and this thing I'm not going to be able to give you answers for I don't think anybody can give you answers for its how do we take code that we want to do not even the requirements I'm not even talking about the checkboxes I'm talking about what is this thing and what do we want it to do and when we're done writing it how does it how does it avoid how do we avoid getting it to end up like a tomato with edge detect it is not a thing that is
solvable I do not believe it ever can be solved and frankly you tell me a better word than behavior for what this is this isn't just about what it can do it's about what it ends up doing so part of this and part of the reason why I go down this is the best way to look at this is an industry that cares more about behavior now I gave this talk just a little while ago Cisco internal and really the core of that was hey even Cisco doesn't care about behavior that much we don't believe we don't believe in behavior anywhere near as much as some of the end other industries do video games are
great example the entire gaming industry is behavior as soon as you get something that does not behave like it's supposed to the game is ruined the entire core product is a behavioral artifact so to speak and it's 26 point seven billion dollars in just the multiplayer market of that and that's a ballpark at best that's outdated so just because they have something that's really just because it has something that's necessarily different than yours doesn't mean that they don't care about the same things they have the basically the same amount of threat actors they basically have the set of threat actors going after the same things which is disruption causing money producing money in any way possible you exploit it you
sell the exploits you get money and the always third for the lulz the kind of underappreciated one which is really unfortunate
so part of this I do have to actually give you guys the proper disclosure about how far down the rabbit hole I'm going here let's say this is the entire video game market I know it's a lovely graphic we're talking about a PC only game which is admittedly a large part of the market and this is probably not proper market share ammo so this is probably mobile but this is a military game this is a sandbox simulator that's pretty large and it is full scale and incredibly slow-paced so this is really kind of small part of the market of that though this was made specifically about sex who have a decommissioned tank this is an incredibly small part of the market and
I did so just just so little research on this graph but the important thing is and I'll bring this in in the end ARMA 3 is the core of the market clearly I I don't think you could I don't think you could take those devs and make them any happier other part that we have to talk about and just have in the back of our minds the entire time here because part of this in video games you don't need a reverse shelled aronia you just need to ruin the experience sometimes and people will pay for a performance even in the smallest bit it is kind of amazing what gaming considers an advantage people will take literal
thousands of dollars for milliseconds of input delay of extra frame times they will push it to the absolute ends so if you get something that gives you an advantage in the milliseconds it is worth thousands of dollars imagine how much you would be worth if you can get it into the seconds range and welcome to the high visibility black market I did not have to go very far to get this advertisement to pop up it's around everywhere I wasn't even in a hacking forum so just before everybody falls asleep and/or gets lost in their heads here's a good crowd exercise here's the Call of Duty peer-to-peer hosting model per Call of Duty 4 and 1 we're free - there's a lot
of things that are kind of wrong with this but I'm gonna core it down to the one problem I think I see the most with this which is hosted Zagreb Earth would be picked based on the combination of centrality ping NAT type upload speed and the host basically does everything sends the maps in the parameters enforces the behavior reports malicious clients and does all the stat reporting what's wrong with this model hands please you can shout it out if you like too
what if the host is the bad actor yes this entire model is based entirely around the security the host if that host gets compromised you are completely SOL centrality you're always close to somebody amazing how peer-to-peer hosting works NAT type it's just checking if it's open it's checking if it can actually just host you get that done you're good and then the other thing is the upload speed which is reported it's not even a good estimation or a good guesstimation just pretty much the box has a rough idea of how good its network is and then decides to report that up for matchmaking and this is a function of the ping and host speed so imagine you
compromised your PlayStation your Xbox and you tell it it has a hundred terabytes of upload speed you're the host every single time it's amazing how that works and so this is naturally a problem if you're wondering why Call of Duty did not use this same model for PC it's because of this as soon as the host broke down there was nothing left so Call of Duty on PC was necessarily on dedicated servers which leads us in the other problem you can't really do that anymore you can't depend on purely just the host security and how hard it is to break the box to save you as soon as you start getting into modern games it's
gonna be multi-platform because you have to make more money that way and guess what more money more problems thank you Biggie also you want it to be multiplayer because that's like a standard now supposedly of every single game it kind of has to be multiplayer and furthermore it has to be moddable so a lot of games especially ARMA the core almost all your content comes from mods Skyrim folks you know what I'm talking about if you don't have this and it especially holy grail you can have both of these at the same time what could go wrong so this is where that's where I have to give you guys a little bit more now you understand already that ARMA is
a very military game it is often the pigeon-hole simulator land but you do have to understand a little bit of its background the company that made this game actually made proper military simulators used by the Army Marines and Navy of the United States and probably a number of other countries as well I don't really want to do the research on all of it but you do need to know that the Virtual Battle Simulator that they released and ended up turning into the consumer version of ARMA Cold War Assault and Virtual Battle Simulator 2 which was a great upgrade way back when almost ten years now - ended up turning into ARMA 2 so naturally when VBS3 released with a
brand new engine and deformation and all kinds of other stuff ARMA 3 was made out of VBS2 thanks guys just whenever you want to get around to fixing that that'd be great there is a countable there's a lot of inherited quirks from this though because the environment of a do it all in-house military simulator well it doesn't really carry over into consumer products I got to give all the props in the world the people who ever decided to start moving this engine over and try to lock it down because the idea for this was it was gonna be on a closed network for some military personnel who are doing training so you don't have to
worry about the network you don't have to worry about the internet you don't have to worry about hardware and well because it's you know a military contract we're gonna check all those boxes and we're gonna make sure that they definitely have everything coming to us and we have everything they need yeah that's great except nature proprietary things no one else is looking at it which brings in the other fun this does have to be entirely on PC for its origin they're not they're not running PlayStation 3s in the simulator section of military bases that's that's not a thing there's also gonna be a lot of surface area now let's talk about all this feature this game
has voice over network custom maps join in progress dynamic scripting it's amazing mind you on the scripting yes it has its entire own scripting language which can be passed to clients dynamically joining middle of the game I don't know how much of this was in the military product but I know for a fact it was all of this and more and yes how open is the scripting language very you've got basically everything you need here you've got Kansas fans you've got sleep statements you've got the ability to check whether or not you're on a dedicated server you're able to do remote execution on to other machines yeah what could possibly go wrong there brings us lately into
ARMA had a lot of problems with script injection it's funny how that works when you have a dynamic scripting language and you can cause execution directly in other clients within the game normally people start abusing that and started doing it abnormally pretty quick thankfully biz has gotten pretty good at doing a lot of this and they've actually built a lot of protection in again not perfect information but they are able to actually get a pretty good sandbox around all of this I have not heard of any reports of people breaking out of the sandbox in any meaningful way to be just executing whatever they want on machines but nonetheless they've got other protections in there too so they
actually do have BattlEye working with them as well as a completely independent watchdog program to basically pay attention to the core files check around check things around on the machine itself I one of the things disclosed by the developers is back pretty early on when they had a lot of people cheating hackers would produce tools and then sign those tools because if you're a notorious hacker you wanted to know it's yours why not and so naturally this watchdog would just check the system for a signature oops you're banned there's also a lot of really kind of cute things like basically the core trying to self maintain and make sure that you're not messing with it I can't get too far into
that because I don't actually know most of how it works but I do know how illegal action detection works which i think is a fantastic feature and should be honestly in more games and more obvious in more games basically checking on the server side hey hey server I just walked through a wall server says no you didn't that's a wall how did you know that's not how that works and unfortunately in this case I'm pretty sure this is entirely done with just ray-tracing so if you decided to walk through a crack in the wall the server would do a quick ray trace and be oh yeah you're good it does some other stuff later on
intends to catch you doing that despite that but it doesn't do it immediately and a lot of games just don't do it period so there it's a lot of steps in the right direction there's also a lot of things that just prevent you from exploiting this game in general the packets are proprietary encoded we actually to my knowledge I don't think anybody knows what the encoding is currently which is a good sign the server is an absolute arbiter in all cases the server basically determines whether or not something really works the server also confirms all the client states and this means every single file you join this server with is going to be hashed and then checked with signatures
in the full works and it includes the mods too which means you can actually join the server with mods and have it be validated which is great because we we rarely ever play the game vanilla the server also has some level of script detection injection again shaky public knowledge but it does make sense if the server has a rough idea of how many scripts it's going to have and what it has in memory there's no way it's gonna see something new come in that it's never seen before and be like yes that's a very legitimate I should totally accept that it doesn't it just outright rejects it and then probably kicks you off and bans you also the client has
auto destruct now some people in the back you read that early have been like giving me this query I look yes yeah that that is a real thing ARMA 2 was notorious for having multiple layers of DRM well if you were able to disable the first layer of DRM you were fine and you're just able to start up the game without a license key hey just keep on cruising along of course you do that for a little while and then a kind of week goes by or maybe two weeks go by you're gonna notice your aim starts to get worse like not just like you might be bad today or you're just bad at shooting
in general but no you're standing literally in front of a barn and cannot shoot the barn it is impossible and then you die and turn into a seagull this is not hyperbolic you literally turned into a seagull and then you could only ever be a seagull this is the greatest free trial and DRM I've ever seen in a game it is a fantastic idea there's also the people barrier unfortunately because a lot of this game on multiplayer is going to involve other people playing the game they're gonna see what you're doing and they know roughly what's legitimate and what isn't so if you're gonna do something you better be tricky about it because there's a lot of stuff to prevents you
from doing nonsense there's kind of a slow pacing inherent in the game so people are gonna see things and they're gonna go the extra mile if reporting you on a forum takes five minutes cool you've been playing the game for about three hours so that's nothing I'll just hide in a bush for a bit real quick there's also various mods plugins and licensed scripts in Finnish star shadow they do a pretty good job of actually checking stuff in more specific environments to prevent people from doing stupid and silly things almost entirely private dedicated servers means that there's always a server admin and an admin team who cares very deeply about you not being on their server and
also it's full of really technical people and I'm not just you know stroking my own side here this is seriously actually quite ridiculous this is the quick reference for the controls now those of you who are shy on counting this actually isn't even all the controls in the game this is the this really is like just the most used ones and all of three categories and they actually intended for you to cut this out and like have it on a little flip thing so you could have it like in front of your keyboard and then change it out because that's totally a thing you need to be doing in life and death scenarios is reaching off of your keyboard
flipping the controls and then squinting your eyes to try and figure out what's going on now mind you this is this gets worse with mods a pretty common mod called ACE the Advanced Combat Environment adds about another 20 controls on top of this now mind you you don't need all of these controls to play the game but that does bring our total number of controls above all of the controls for Emacs we play this for fun and notoriously terrible terrible for new people script editor or code editor or general editor should not be your stand point for what is fun there's also the EULA and I'm purely putting this up here just to make sure that
everybody knows I didn't break it [Music] basically your fundamentals here are you do not have the ability to translate reverse-engineer disassemble decompile derive source code or anything of that sort without the prior written consent of the licensor I do not have the prior written consent there's also this bottom one which is you cannot exploit the program for any of its parts and this is actually did concern me until I read the rest of it which is for any commercial purpose cool I'm an individual I'm kind of a personal person so I just won't touch the binary I'm good so here's where it starts to get real I like graphs and visual things because they
certainly help me this is gonna be a pretty simple one and I'm just gonna hide underneath the projector screen here this might be helpful let's assume let's assume an unsecured client and assume an unsecured server and then a whole bunch of in the open UDP packets well let's add in start laying and there are layers of protection first off we have some server enforced hash and signature checks which does keep you from modifying a lot of things in the client you have illegal action detection on the server and the UDP packets are proprietary encoded you have a watchdog protecting client core checking on the memory servers doing all the arbitration heuristics script injection on the
server basically to prevents you from finding new things and and a lot of heuristic environmental checks to prevent applications that are messing with the client or we're doing things they're not supposed to do on the clients network and there's also a lot of cheeky developer honey pots protecting client I'm looking at you self-destructing code and centralized reporting all of all suspicious clients yes you're all the servers actually do phone home which is nice there is one thing wrong here [Music] there's kind of not a lot of protections on that Network code it's I think it's encoded and it's definitely UDP but is it exploitable well that funny thing they brought the entire thing on UDP
there seriously at no point do they ever send a TCP packet which means for those things that are kind of important like bullets they actually have to send this stuff along and it has to get checked so they actually reimplemented a lot of TCP back up at layer seven for those of you familiar with the OSI model all the way up the application layer those of you who are not familiar with the OSI model basically this means they can't see anything of what's going on at the network because that's how the OSI model works and they reimplemented stuff that's supposed to be very far down very high up it will generally works out all right they don't need all of TCP and UDP
is very fast but it does cause some concerns if you start thinking about other things like locality this is pretty standard across a lot of video games how do you keep things moving smooth for all the players well if the server has to ack every single footstep you take you're not going very far so naturally we have to give control over certain things to all of the clients the server is obviously the final arbiter but that doesn't necessarily mean that it's the first dumped I mean ow max this there's also kind of that issue here with best effort fairness that falls out of this and to illustrate that I present to you the bullet time problem you're
gonna have to forgive my drawings let's say and your client a guy comes in between two walls you shoot at him and you hit him good job you unfortunately on his screen he's already gone behind the wall he's completely clear and you're shooting thin air what happens server has to decide server has to decide in about less than half a second because anything more than that would be ridiculous while you're thinking about that how about another one and this is actually getting him fortunately pretty chopped-off so I will do my best in local space here to hang this up let's say that guy actually made it around and your client you didn't see you still
haven't seen him move and you're still shooting him and you've dumped about half the mag into him on your screen and you're starting to think that he might be Superman and you're being very concerned meanwhile on your client he's gotten all the way around the wall and he's shooting back at you what happens now seriously you're the server and this actually happens well ARMA's answer is everybody dies like a good parent I so what the owner of a server actually ends up doing is it looks at all of this it looks at your story it looks at his story and like a good parent it looks at both of them and says how both of these
are very good stories and both of these could be very legitimate so I will punish you both and you are both now dead this welcome to some exploit necromancy welcome to some exploit necromancy I will not take credit for a lot of this and a lot of this is really old stuff and frankly is not even that technically crazy if it's a really low bar the bar is incredibly low here because the issue is is you can't necessarily fix it lag is an issue seldom used to seldom abused intentionally so people still do though and it's always present and everything because you cannot possibly fix this entirely if you start cutting on people who are lagging too much
suddenly the majority of the rural United States can't play your game that's gonna be a bit of an issue for your bottom line now this does of course bring up the other thing earlier UDP does have other baggage which is acceptable losses and the server can't see anything of what's going on with that and because they rebuilt a lot of the TCPS players all the way up on layer 7 on a stateless protocol if you start messing with the stuff on a lower level good good luck good luck really what happens is ARMA has to cope with the reality of a simulation that's not just a joke this simulation is happening sometimes seconds away from each other
at Lightspeed now my judo I understand people are gonna look at the globe and be like oh you can't possibly you know say they're seconds between here and there yep fiber optic lines do a lot of zigzagging and not all of its fiber optic lines unfortunately so you do end up with some issues this is not new at all in fact it's so old that people have been attaching light switches to Ethernet cords for a long time now there's obviously there's the obvious solution here as a hacker cheater whatever you want to call it I'd rather not call it a hacker it's just cheating you can just interrupt all of the traffic now there's actually some suit significantly allowed
time gaps and a lot of games this is multiple milliseconds sometimes a second or more in default ARMA it's eight seconds now mind you there's some server settings that you can mitigate this with but they are not the defaults and yes this works in so many things it's unfortunate and it's important that people are aware of this so that we can all keep trying to fight it there is the major advantage of this which is rushing because if you're not dealing other people information in regards it to where you are if you walk into a building and see where people are you can see where they all are and you haven't entered the building yet that's
kind of an issue you can start shooting them you have not entered the building yet on their screen it's a problem there's the one drawback of it is that the world keeps on turning so I'm gonna run through I did actually make a script that I'm gonna be using up in the upper right hand corner for a lot of this this is the server telling me where it thinks I am and is a script that is entirely running on my private server just so that you know we can have solid confirmation of this so I as long as I'm walking down the street I give both updates and position updates and if for some reason I were to generally stop
sending the server information
those position updates completely stop until the lag switch stops now some of you were looking at that more like well why were you still getting updates yeah we'll get to that pretty soon I did not record this perfectly but this does bring in the interesting problem and that especially in the default ARMA settings you can kind of just cruise by hostiles that are going down the street and basically be the Invisible Man it's really unfortunate that this is the thing you can do in the default ARMA just willy-nilly now mind you lag switch does not fix everything and as we're it's about to become immediately clear if you don't have good gunplay or you're recording this at 3:00
in the morning you will still die even if you're point blank range away from somebody because when the server starts talking back it changes how you're doing for a more obvious example if you decide to walk out in front of some folks and they were moving before you turn the lag switch on it's amazing the good parent ARMA is who informs me very quickly that I already have three magazines worth of bullets in my stomach and I cannot continue to exist mind you I did shoot them all in the head so they're dead too this is a problem gets worse so this is probably the immediate idea that you come up after this of like well you know
it's important for me to know where they are so if I can just not tell them anything and you know know where they are at all times I become John Cena now this does you can do this more or less on a Windows Firewall but it really doesn't like doing this and that's probably just windows being windows but if you can see them move and they can't see you move this should be ideal should we'll get to that in a quick second but first of all I have to address this this is the more modern iteration of your family lag switch this is a foot pedal for you folks that can't see this very well I
kid you not this is actively being sold on eBay mind you these are not the brightest of people doing this when I said this was a low barrier to entry I was not kidding cut the outbound signal on the ethernet cord that's not how the ethernet protocol works this is still cutting both directions if you can't ack a frame you don't get another one also a nice gift for your gaming friends or family play with your - hold on a minute what kind of person do you give this to hi Steve you seem like a horribly you know horrible gamer who can't you know do well on their own and it's kind of prone to cheating have a lag switch Merry
Christmas wait just just no but in the general case you can really do a lot with this especially in ARMA and especially on the default server settings even if you're a bad shot and recording this at 3 in the morning you can really just walk into the middle of hostiles and with clever use of the lag switch be generally pretty eh okay
and this is a lovely case of watching a server catch up the worst part about this is as long as you're giving information the server eventually the server is pretty eh okay with it it's not going to stop you not gonna really give you huge amount of problems so you can really just cruise around and do whatever you want this is the lovely point where I'd like to remind folks that the audio is not working so if you couldn't hear any of that I couldn't hear any of that all right we can run this presentation without audio but as a fair warning as we get later on there's going to be some sound effects that I have to produce with my mouth and
that's gonna be bad for everybody involved there is the other part of this that people seldom think about which is stopping the download now you might think not getting information anymore is a problem but the thing is is you're still talking back to the server and the server is very happy when you talk to it which means you can do this for longer and of course you can do the other fun bit of this which is a basically client telling the server well what do you mean they're not there anymore I shot bullets at them and the server like a good parent says sigh fine I guess you're you know this is legitimate you haven't been
receiving these updates and so yeah naturally become one of the worst roles Arnold Schwarzenegger has ever played and the iceman natural application for this is sniping because and this is really not as far away as you need to be in order to be able to do this you could do this multiple kilometres out because bullet travel time is real in Arma but when the server catches up suddenly a dead body appears and everybody heard the sniper shot about eight seconds too late of course you can also do this if you're in an urban environment and let's say you know you hear a tank coming down the road I hear the audio it's very soft and you
happen to have some explosives now mind you this tank crew is still cruising down the road on their screen on your screen however you're really just going through the arduous process of setting up a satchel charge and finally your client does actually get angry at you for chopping this traffic off for so long but the tank is on its merry way and the server is quite pleased that you're finally talking to it in proper again I don't worry this there is Zeus enabled so I can actually show you what happened that tank continued down the road like nothing was wrong cuz nothing was until it exploded randomly it's a problem seriously now mind you as I've
been clarifying there are settings to prevent this in Arma version 1.56 I love you Bohemia and I love you finally giving us this granularity but it's a little bit late thankfully you can actually as a server admin really decide where you want to put the cutoff line where you're deciding that someone is no longer someone in Idaho with a bad copper line from AT&T and is now someone who's genuinely abusing it so you can do set things like the disconnect timeout how long of just no traffic and send do we just outright do an action either kick you or log you silently how much desync how many individual updates are not acknowledged by the client the
maximum ping everybody knows what ping is hopefully and the maximum amount of packet loss how many packets are lost before the server basically says no and again these are all definable actions you can silently log people or you can kick them or you can instantly ban them there's you have to go through a bit of extra work for the instant banning deal and it of course is only on your server but you can always report this stuff on to publisher later on and if it's particularly rampant I losing game copies over this is definitely a thing that can happen so obviously people are curious what the previous example looks like when the server is cracking down
now I left the lag switch running a little bit long on this one but I'll tell you at which point the server has disagreed with my existence unfortunately you guys can't see it because this is a little bit short but there is a yellow chain that appears on the very corner that did not appear in any of the other previous examples that means the server knows that I'm not doing this right or rather the client knows that the server knows that I'm not doing this right I'm long disconnected before anything happens and it immediately freezes and I can't do anything ARMA does a pretty good job once you actually get the right settings so obviously this brings up the other
question of like okay well there's other things you can do without knowing what the network traffic is like replay attacks and this was pretty bad and something Call of Duty games did I say one grenade no I meant a hundred grenades here you go server you said the first one was valid so the rest of these are probably valid too right thankfully you can't do this in ARMA although it is in our understanding of the model very difficult to detect on the small scale it is very difficult to do this because you actually have to be able to read the packets and every single one of them is both enumerated and checksummed so if you
start messing with it it's not gonna work out great for you now mind you you could do this with you know theory on with the source code there networking no BIS no we're not we're not looking at this so skirt just just go away it'll be fine I swear so naturally if we're not gonna able to look at the source code if we want to do anything remotely more complex we have to actually start pulling apart the network traffic anybody by enforcer uh blind packet analysis no I'm not getting any excited looks this is a graph purely on just bitmap if you can't see anything important in this graph good neither did I this was very disheartening but if
there's any propaganda in my field that has told me anything it is that offensive security says you must try harder now I was gung ho about this I actually wanted to find something so I hunkered down I grab some caffeine I was ready to cook at this for multiple hours at a time and of course in my hubris I was I'm professional I can totally knock this out in a day so I went back to Wireshark and no I did not spill Legos on my Wireshark but and this is again this is really what's going to kill me there's a whole bunch of colors here I'm gonna have to use my hand for this because this just barely doesn't go the
length all everything is redacted out in this but there's a lot of colors on the far end of the length field here all you need to know is that everything that is the same color is the same length there's a whole bunch of length 24 stuff I'm almost entirely certain that these are the acknowledgement packets being sent either client to server server to client but there's a lot of other stuff and if you're noticing here for those of you can barely see it there's a lot of blue up there a concerning amount of blue in fact there's barely a there's barely a mix of color diversity in here at all how little diverse is it there's really
not much going on here is there so this is moving in a server and of course I look at this and I'm immediately filled with both disappointment and glee because this is going to make my job incredibly easy because there's only really three types of packets that are coming in and any degree of massive frequency and as soon as I cross-referenced that with what you're doing idolan server yeah there's two of these bars the Mac and hold up that are very very very suspicious I now have a 50-50 chance to catch all of the movement packets so yeah I'm totally connected and you're missing some like packets say it in so how does the server react to
this wow you would expect because it doesn't violate any of the existing server-side checks maximum ping while I'm still connected and the ping didn't change maximum packet loss well let's see my movement packets outbound verses 30 to 60 other people on a server and did I mention that there's updates for everything including the vehicles bullets and falling rocks literally anything that happens on the server has to make it to the clients so what ends up happening is you can do this borderline endlessly I'm gonna give the course example here this is what happens when you walk out of a building towards AI in Arma and they know what you're doing and they can see you and they can
drop you immediately they're very vigorous with their firing but if you're doing this in blocking movement packets you really can just call out and if their positions changed you would see it and you'd be fine and you can really do just about whatever you want to do now I'm short on time here so I'm gonna be cutting off the tail end of this talk and we're gonna be quickly breezing through a lot of the simpler stuff which is alright because I wanted to give many but basically as soon as the server finally does catch up your explosive starts on its timer and then goes off now mind you there's a more obvious case here of why are you using explosive just
show me what you can do normally
and basically what you can do normally with this is you can walk out the front door and then just continue now the main important here and unfortunately this is going to eat a ton of time is because the main problem here is the length of time that you can do this for and have the server acknowledge everything you've been doing because mind you you're still talking to the server the only thing the server isn't getting is your movement packets so all of those shots were registered with the server the server is just curious where you were when you shot them so when you tell the server everybody dies mind you this has been X this already has been disclosed to the
publisher they have already gone through and fixed this there's another thing you can do this to gunfire was of a stable length surprise if you can keep it from if you can keep people from knowing that you're firing bullets it's really hard for them to shoot back at you or know that you're shooting at them obviously this is pretty short time period that you have to do this in a reasonable case but there is a lot of legitimate ways to do this in the game I understand but you can still do it and all these packets were very discrete and they're very long classes so back up to the bigger picture and I understand I'm going to cut the bottom part of this
talk off so unfortunately you get to don't get to know a ton about where we go out from here but the time-sensitive operations can become adversarial any of them in the open case if you can think of any protocol that is insistent about people staying connected if someone can get in the middle there or you can hold your things until the absolute last second this can get adversarial very quickly also just because dropping specific messages and is unusual doesn't mean you shouldn't have to account for it this is Ben getting back out into the blue side of this maybe you need to write the code with a lot of exceptions and a lot of checks network is hard but you have to
do it and there's also the other problem of this which is you don't have to be a state actor to manipulate traffic everybody in this room ought to know this and I'm sure a lot of people do so the brief because I've been given the flag already the rest of this talk is purely based around the idea of messing with parameters the itty-bitty little things I love to get it but I'm out of time so the fundamental here is basically changing things that you thought didn't matter like these small sub parameters that never get edited in the game like mass and orientation and center of mass there's a lot of terrible things you can do with this but that's
where I'm gonna have to leave it so any questions
all right [Applause]