
So yeah, this talk is on Frida: we're going to look at using Frida to instrument Windows applications. So I'm James, I'm a security consultant at MDSec. If, like me, you know people by Twitter handles, I am this guy on the Twitters. So this talk is mostly looking at tooling. I'm going to give you a brief intro to Frida, for those of you that don't know it, and run you through what we can do with it in the Windows world rather than the mobile world. We'll take a look at some of the existing tooling that's out there, go through some of the issues with that tooling and the things it stops us from being able to do. I've got some new tooling for you, a couple of tools to release towards the end of the talk, and then we'll have a look at a way of using some of this stuff without any extra tooling at all if you have C2 channels going and stuff like that, and there's some videos and stuff in there as well.

So what is Frida, why do we care about it? Frida is a dynamic instrumentation toolkit. This lets us inject into processes and then start hooking API calls, function calls, stuff like that. The cool thing is we don't need the source code for the application to do that; we don't need to decompile stuff, recompile it with extra details, or any of that stuff. It just does it for us. So if we have a thick client that's a complete black box, we can still get stuff in there and start interacting with it using Frida. It's cross-platform, so Windows, Mac or Linux, iOS, Android, QNX, whatever that is, I have no idea what that is. It has bindings for other languages as well, so .NET, C bindings and a bunch of other stuff. It uses JavaScript: Frida itself is a native DLL, some of the tooling is platform specific, but the way it works, it uses the V8 engine from Google to do JavaScript stuff. It loads that into memory, and then your instrumentation is built in JavaScript and it stuffs that into the app for you. And the cool thing is it's free and open source, right, so we can modify this, we can use it for whatever we want with no license fees, which is awesome.

So if you've heard of Frida before, if any of you have, raise your hands. I guess you've probably heard of it for mobile testing, right? Has anyone used it for anything other than mobile testing? Please don't say Windows testing. I was really worried that the whole room was going to go "I use this for thick client testing all the time" and then you'd be bored for the next 40 minutes. Yeah, so there are loads of tutorials for Frida for mobile testing, right, and it's normally stuff like cert pinning bypasses or jailbreak detection bypasses, root detection bypasses. You can find loads of walkthroughs on using Frida with mobile and absolutely nothing for thick clients, very, very limited uptake, which I find quite interesting. If you're not sure if you've used it and you've used the objection framework from SensePost, you've used it, because it's a part of that framework. But yeah, we're not going to look at mobile testing for this talk.

So I said a couple of slides ago it allows us to do API hooking. It's kind of important that we know what that is and why that's useful to us. API hooking lets us view and modify data passed into and out of functions. So if you have a block of code, you have your arguments defined and then some curly braces and then a return statement, we can look at everything going into that, the arguments, and we can look at everything coming out of it. We can't change what happens in the middle. So if you have a block of code that looks for detection, you can't change what that code does, but you can change what goes into it and what comes out of it, which essentially means you can change the function, right? You can switch the true to a false on a jailbreak check or something like that, which is how most of those things work, just modifying the return values. But if we can control what goes into a function and what comes out of a function, we don't really have to care about what happens in the function, because we can modify everything it's doing anyway. And if you hook enough of these functions you can completely change the program flow, depending on what you're trying to achieve. So for someone like me that means we don't have to do any reverse engineering or recompilation or anything like that; we can do some really powerful stuff with this just by API hooking.

Well, as I sort of hinted at, there's limited uptake for Windows testing and I don't know why, so I'm hoping this talk will give you the inclination to go and start using this. Case in point: if you look at this GitHub repo down there, there's a load of samples, snippets for Frida for different platforms; expand the Windows one and you get nothing, right? I don't know why. Personally I think there are far more potential uses of Frida for Windows testing than there are for mobile testing; there are millions of thick client apps that we can do cool stuff with using Frida.

So I'm going to show you a demo; we're going to grab some passwords from KeePass. There's a reason I've chosen KeePass for this set of demos. Throughout this talk we're going to see a few different examples of tooling that we can use with Frida. I'm going to use the same payload for each, just because it's easy, right? But what I didn't want to do with this talk is stand here and say "oh, look at all this cool stuff I can do with Frida, I can do this with this app and this with this app", because that's useless to you guys, right, you might never see those apps again. What I want to do is give you the tooling and a little bit of background, and give you what you need to go and build your own stuff, so if you find thick clients on any of your tests you can do cool stuff with Frida. And also, as I found out last year, vendors tend to get a bit tetchy when you point out flaws in their product on the stage at a security conference, and it gets a bit nasty and a bit weird. KeePass is open source, so they're not likely to try to sue me, right, which always helps. And KeePass is already broken from a pen testing point of view: if you've come across KeePass on an engagement and it's running, you can inject a DLL into it and grab the master password out of memory, this was released years ago; you can also add a trigger if you're running as a user, and every time the user logs in to KeePass it will dump the entire database of plaintext creds into a CSV file on disk for you; or if you have admin access you can drop a DLL into a folder and KeePass will load and execute it and give you access to the KeePass vault. So I'm not giving you anything that you're going to go away and turn into malware here, right? If you're going to build malware for KeePass, please don't use this demo, because there are far better ways of doing it.

So then the video. I'm going to pause it as we go through and just talk about what's going on. First of all, you don't need special permissions to use Frida; you need the permissions relevant to inject into the process you're targeting. So if you're targeting lsass.exe, SYSTEM; if you're targeting something like KeePass, you just need to be a standard level user. So yeah, there's no magic here, I'm just a non-privileged user on this box. We're injecting into a process; obviously the process needs to be running. I could spawn it in my script, but there's very little point for a demo. And then I'm running this Python script. I will show you what this does and the payload we're using shortly; essentially what this is doing is the Frida injection into KeePass. And then the user comes along, enters their master password. Before any of you think I'm giving you creds to any of my accounts, these are fake creds that ship with KeePass, so don't try and spray my accounts with these, it's not going to work. And then you can copy stuff, and if you see the URL up here, we've stolen the password associated with this just by being on the same box as KeePass. The little green bar at the bottom: KeePass has a security feature, after twelve seconds it clears the clipboard. We can detect passwords being grabbed, we can also detect the clipboard cleared event, which you can see here, and then we can copy the username as well. So we're not doing any memory scraping here, we're not going through the memory of KeePass and trying to find creds in memory, we're just doing some hooking of function calls and then we're able to steal creds from the password manager. This will work for any other app that uses the Windows clipboard. So yeah.

So if you want to start building something like this yourself, KeePass is open source, so you can just go and read the source code and have a look at where it's doing this kind of stuff. That's what I did for this demo: KeePass, you can just go and read where it's doing its clipboard interaction, and it turns out it's using the Windows clipboard API. If it was a black box test you could use API Monitor. This is the output of API Monitor; it's off the screenshot, so it'll be here somewhere: it has a list of filters that you can apply to limit the number of API calls it returns, and you can start interacting with the app, you trigger the functionality that you want to instrument with Frida, and then you go through the calls and you try to find out what API calls it's making. You read the MSDN documents, and it gets quite complicated quickly, then you end up making educated guesses, and this gives you a lot of output as well. So this is by far the hardest part of building instrumentation with Frida: it's figuring out exactly what you want to look at. After that it's really quite straightforward. API Monitor does support searching, so Ctrl+F, you can search for strings in the output, but for this example that won't work: SetClipboardData takes a pointer to an address in memory that contains the text you want to add to the clipboard, so by searching for "password", for example, you won't find it in API Monitor. If you want to start building this yourself, start here and then look at some of the tools I'll show you in the next couple of slides.

Once you've figured out what you want to hook, this is the JavaScript payload, or a snippet of it, for that demo. First of all you get a reference to the SetClipboardData API; from the MSDN docs we know that lives in user32, and then we pass that into Interceptor.attach here, so we just pass the reference to the API call that we want to hook, and then we have this onEnter method and onLeave. onLeave is called right before the function returns, so it lets you modify the return values; onEnter is called just as you go into that function. We want to see the data that's passed into SetClipboardData, so we're doing more work in onEnter rather than onLeave, so there's nothing else down here. So the next thing we do: I said it takes a pointer to an address in memory containing the text that we want to access in this case, so this is part of the Frida API, readPointer, that resolves the pointer into something Frida can actually read. And then this is where my code gets a bit hacky. We want to read data from memory; the way you do that in Frida is by using readByteArray. We don't know how much data was written to the clipboard; there's nothing in the SetClipboardData call that says this memory location is X bytes long, that's not part of the call. So we could go and try and look at malloc calls and try and correlate it, like you call malloc here and then you immediately call SetClipboardData, and figure out how many bytes to read, or you can just assume that it's never going to be more than 32 bytes. So I just grabbed 32 bytes of memory, which for proof of concept code works well. You'll see in a couple of demos later on it does occasionally overflow and just spit out garbage data, but you still get the password. If you were going to use this to make some cool malware, fix that bug, because at the minute you're going to truncate passwords. And then this stuff down here: we have a set of bytes, we call this function, all this does is turn those bytes into ASCII, I think it's just doing a UTF-8 conversion. I'm not showing that code because it's questionable; you can find it on GitHub like I did. And then the way KeePass clears its memory is these two dashes: it sets two dashes and then nothing, that's the way it overwrites the clipboard data. So we can detect that by looking at whether the password starts with two dashes; if it does then it's just KeePass clearing the clipboard, otherwise it's the data we want and we just console.log that. So if you want to defend your organization against this particular PoC, make all your passwords start with two dashes, because this will then never log them. Please don't do that. But yeah, if you wanted to use this for something practical, fix that bug as well; just don't log it, there's no need for that to be in there.

Cool, so that is a really brief intro to Frida. I could spend a day telling you about how to build stuff in Frida; there's plenty of documentation out there already that will get you started. What I want to do is show you the tooling we have, some new tooling, and how you can start using it yourself. So the first thing we have: if you install Frida on a new workstation, you go away and do pip install frida, you get frida-trace, the frida console, and the Python bindings if you did it via pip. frida-trace is the starting point I suggest if you want to start building stuff. So you've used something like API Monitor, or you've had access to the source code, or done some reverse engineering if you have that skill set, I don't but some of you will; you figure out what API call you want to start monitoring. You can do all this from the command line, so you just pass it in as arguments: you pass it user32.dll, you pass it the process name, you pass it the name of the API call you want to hook, and then frida-trace will manage all the injection into the process for you and it just sits and starts listening for these calls. So the top call is me copying data; the bottom call is KeePass clearing the clipboard twelve seconds later. It also will build you some basic JavaScript scaffolding in the __handlers__ directory, so you can then go and start interacting with that JavaScript, adding console.log lines to it and doing other stuff in JavaScript, and you just re-run frida-trace and it will then load your new tooling from those JavaScript files. So it gives you the basic scaffold to start building more complicated instrumentation. You can add multiple API calls up here, you don't just need to do one, and you can then start interactively exploring the flow. So if you've got maybe six API calls you think it could be, any of which you might want to target, use frida-trace, have a poke around near the particular functionality you're interested in looking at, and then this will spit out stuff that you can then start using with other tooling as you move on to developing your proof of concepts. So yeah, this is a brilliant point to start, but this is all it does: you have to tell it everything via the command line, it doesn't do anything else.

And then if you've done mobile testing you've probably seen the frida console. This gives you interactive access to the process via Frida, so there are some menus in there that will do stuff; I have no idea what they do, because I've never really used it for that. The way I approach this is API Monitor or whatever, find out what I want to start looking at, build the tooling with something like frida-trace or some of the tools we'll see later on, and then this I don't use as it is now. So you give it the process name and you can pass it a script via the -l flag; if you don't, you just get interactive console access to it, right; if you do, it will inject and load your payload file and then it does the same stuff that's in the JavaScript file. We're going to see this later on with some of the more complicated stuff over C2 channels, but I don't personally use this as it is; it doesn't serve any purpose over frida-trace or the Python hooks.

So then we get Python, right. If you install Frida with pip you get access to this frida namespace up here, so you just import it. This is the bit of the code that's doing the injection in the video you just saw: first of all we grab the process we want to inject into by name, it does the injection, we read our payload file and then we just load it in.
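As an added example, not code from the talk or from the speaker's repo, here is a payload script in the shape of the one walked through earlier and loaded by the Python snippet just described: it hooks SetClipboardData, reads the fixed 32 bytes, separates the KeePass clipboard-clear marker from real data, and flags when the fixed read has truncated the value. The decoding helpers are plain JavaScript so they can be checked outside Frida; resolving the hMem argument with readPointer() follows the talk and is an assumption, as are the constructed sample buffers.

```javascript
// Added example, not the speaker's code: a Frida payload in the shape the talk
// describes (hook user32!SetClipboardData, read a fixed 32 bytes, treat a
// leading "--" as KeePass clearing the clipboard). The helpers are plain
// JavaScript and also run under Node; the hook itself only runs inside Frida.

// Fixed read size used by the talk's proof of concept. Anything longer than
// 16 UTF-16 characters is cut off, which is the truncation the speaker mentions.
const READ_LEN = 32;

// KeePass overwrites the clipboard with "--" before clearing it (from the talk).
const CLEAR_MARKER = '--';

// Encode a string as UTF-16LE; used only to build the constructed samples below.
function encodeUtf16le(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);
    out[2 * i] = code & 0xff;
    out[2 * i + 1] = code >> 8;
  }
  return out.buffer;
}

// Decode a UTF-16LE clipboard buffer, stopping at the first NUL terminator so
// that whatever sits after the real string in the buffer is not reported.
function decodeClipboardText(buf) {
  const view = new Uint8Array(buf);
  let text = '';
  for (let i = 0; i + 1 < view.length; i += 2) {
    const code = view[i] | (view[i + 1] << 8);
    if (code === 0) break;
    text += String.fromCharCode(code);
  }
  return text;
}

// Classify one SetClipboardData call from the bytes read at its text pointer.
// `truncated` is set when no NUL appeared inside READ_LEN bytes: the clipboard
// text was longer than the fixed read, so the value is incomplete.
function classifyClipboardWrite(buf) {
  const text = decodeClipboardText(buf);
  if (text.startsWith(CLEAR_MARKER)) {
    return { event: 'clipboard-cleared', text: null, truncated: false };
  }
  return { event: 'clipboard-set', text, truncated: text.length >= READ_LEN / 2 };
}

// Constructed samples standing in for what the hook would read; they are not
// captured from a real KeePass session. The third is sliced to READ_LEN,
// exactly as a fixed-size readByteArray would cut it.
const SAMPLES = {
  secret: encodeUtf16le('Secret1!\u0000\u0000leftover'), // NUL, then stale bytes
  cleared: encodeUtf16le('--\u0000'),                    // KeePass clear event
  long: encodeUtf16le('correcthorsebatterystaple').slice(0, READ_LEN),
};

// Run the classifier over every constructed sample and return the results.
function sampleResults() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) {
    out[name] = classifyClipboardWrite(SAMPLES[name]);
  }
  return out;
}

// Frida-only part, guarded so the file also loads outside Frida. Resolving the
// hMem argument with readPointer() follows the talk and is an assumption.
if (typeof Interceptor !== 'undefined') {
  const target = Process.getModuleByName('user32.dll').getExportByName('SetClipboardData');
  Interceptor.attach(target, {
    onEnter(args) {
      // args[0] is uFormat, args[1] is hMem (see the SetClipboardData docs).
      const buf = args[1].readPointer().readByteArray(READ_LEN);
      console.log(JSON.stringify(classifyClipboardWrite(buf)));
    },
  });
} else {
  console.log(JSON.stringify(sampleResults(), null, 2));
}
```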
And it starts doing all the stuff for us. So this is awesome, right: we get everything that Python can do, which is basically everything, and then we get access to Frida, which does this API hooking stuff really nicely, so we can now build some really cool complex tooling. If you've got, I don't know, let's say 50 apps that you want to analyze for a type of issue, you can script that in Python using Frida and just fire your payloads out and then wander off somewhere else. For automated testing you can build really cool stuff; you can create some tests that you want to inject into processes and see what happens when you change values. So this gives you everything that you could possibly want, as long as you have Frida and Python installed on the same host as the app you're targeting.

So there is a "but" at the minute: we have dependencies everywhere, right. You need Frida, you need Python if you want to use the Python hooks, and those need to be on the host with the app that you're interacting with. So yeah, we're going to look at how we remove those. The reason this came about is I ended up doing a test where a client sent me a laptop with a thick client pre-configured on it, and I had local admin access to install stuff if I needed to, but for proof of concept code using Frida, you do it and you write a report saying "an attacker with local admin access could install Frida and Python and do some research as the user and then build this cool payload which steals some stuff", and it rapidly becomes a non-issue; whereas if we can remove these dependencies we can say "well, they can drop this binary that they just pulled from GitHub and do some cool stuff", which makes it far more impactful for the report, right.

So the first thing, if you want to build stuff in that situation: Fermion by FuzzySec, this guy on the bottom here. You can pull this off GitHub, it comes as a zip file, you unzip it on the workstation that your target process is on, and it gives you an IDE for building tooling with Frida. So you give it process IDs and process names over here, and then this is the IDE window, right, so you get IntelliSense, you get key bindings, you don't need dependencies; it ships with the Frida DLL. This is, I think, one of the JavaScript frameworks for native-type apps; you don't need to install anything, it just works. So this is awesome, right; this is now what I'm using to build my instrumentation with Frida. So you identify the APIs you want to hook, maybe use frida-trace to get the scaffold JavaScript out of it, and then it's straight into here to use the IntelliSense and all that kind of stuff, and you can just develop payloads to use with Frida. But it doesn't do anything else, right? So we've lost that cool stuff with Python; we can't do that with Fermion. We don't need to install Python, but we now can't do any of the automation stuff that Python supports. It's also quite large, it's a 90-odd meg binary, so you're not going to be dropping this on a red team engagement, for example; you're not going to open RDP, drop Fermion on there and start interactively building payloads, that's not going to happen, that'll end up in a log. It also uses send, so it means the payloads you build aren't portable; you would have to go through and find and replace send with console. It's not a huge issue, but it does mean I couldn't give you a payload and say "plug this into this tool", because you'd have to make these changes.

So this leads us on to the first tool I'm going to release for you. This is using C# to wrap Frida as a DLL. I know the normal way of naming these C# tools is Sharp-something, but SharpFrida sounds terrible when you say it out loud, so FridaSharp it is. I will stick this on GitHub for you, the repo's there, I'll give you the link at the end of the talk. So then I will run the video. There we go. So the first thing: yeah, I'm still just a standard user on this box. This is a new VM, it doesn't have Frida installed, which I will show you in a minute. So yeah, I'm still just a standard user; I type frida and it's not recognised, and there we go. If this box had Frida installed you'd now have the frida console open on the screen, so it doesn't have Frida installed. Yeah, it might have Python, I don't know; we're not using Python, so it doesn't really matter. And then we run the FridaSharp exe and we get this UI window. There's a reason why we have a console window and the UI element, which I'll explain at the end of the video, but we pass it the process name, we give it our payload script, obviously KeePass needs to be open, and then it will do the injection for us, and then we start seeing console output. So it's identified the PID belonging to KeePass, it's loaded our script into it, and then the user comes along, starts interacting with the password manager, copying stuff, and we should see output. So it's in a different format, it's in JSON, which is a bit hard to read on the screen, but we've still got the password coming out here, and this is the garbage data that we've read because we're reading those hard-coded 32 bytes. Yeah, it does all the same stuff, right; it's just that it's now in .NET rather than Python. Skip the rest of that video.

So there's a reason why we have the UI element. This bit is a WinForms app set to output as a console app. If you build a console-type app in .NET you get the main method, and as soon as that method returns your app exits. What we're doing here is asynchronous, right: we're loading a process, we're waiting for the user to do something, and then we're handling that two-way communication between this stuff and KeePass over here. So we could try and do this with threading and async/awaits and all this kind of stuff, or we could just use a WinForms app, which handles all this for you. You don't need to show this UI component; this is here because when I built this I was running multiple scripts and stuff like that. You can hide that, you can hide the taskbar icon over here, you can hide all that from the user and make it completely invisible and still benefit from the built-in threading that you get with a WinForms app. Just hard-code everything into the app; you can bake the script into the app as well if you want to, it's .NET, you can do whatever you want with it. But yeah, you do need that automated threading support that you get with WinForms, and because it's built as a console app you get access to the console, so you can just do Console.WriteLine. So yeah, it's a C# wrapper around the Frida DLL, and there are no dependencies in the sense that you don't need to install anything. You still need the Frida DLL, that still needs to be on disk, we can't get around that. Frida is a native DLL, which means you can't load it by reflection. The first thing I tried with this was zip the DLL, embed it as a resource, unzip it in memory, load it by reflection; it doesn't work because it's a native DLL, you can't do that. We've got all the customizable stuff back, so we don't have Python but we have got .NET, and you can do everything in that that you can do in Python. .NET is on pretty much every Windows endpoint that you will ever encounter now, it's in by default, so you don't need to worry about installing anything; you can build this on the box if you want to and it still works. And we've got the size down from 90 meg to 45 meg. If you build this FridaSharp DLL in release mode on 64-bit it's about 45 meg; if you build it in debug mode or 32-bit it's a bit higher, and combinations thereof. So we've halved the size of Fermion. It's better, but it's not great, right; you're still not going to drop 45 meg DLLs on a red team engagement, that's a bad idea.

So yeah, I'm already using this; I've used it on a thick client assessment on the client-supplied laptop that I was talking about. It solves a bunch of problems, not all of them, but we're getting better, right. If you want to use this for a traditional thick client test tomorrow, you can pull this off GitHub, drop it on a customer laptop or a workstation built with your tooling and start using it; it works, it solves a lot of problems for you. So I've talked a lot about managed languages like Python and C#. There are other options; I'm not going to dwell on them too much because, well, I don't understand C to any depth. But you can use Frida with C: you have frida-gum, which is the C API, and it does not have JavaScript support, so you have to do everything via C API calls. I don't understand C at all. If you do, and you want to go down the C language route, there are options for you: frida-gumjs has the V8 engine baked in, but it inflates the size of the exe you get out of it. So this blog post down here from SensePost, where they used Frida to persistently backdoor lsass, talks you through it anyway. This payload blob here essentially modifies the return value from lsass to say a password is always correct for the user, and they built it with frida-gum and it comes out as 40 meg by the time they compiled it, which for me, who doesn't know C, I don't see the point in going down that pain and misery to save five meg. If you know C, go through the options; they're there.

So we still have to be local to the apps that we're trying to assess, right. You still have to have some way of putting tooling, via an RDP session or sat physically in front of the machine, on the host the target process is running on. We don't have a way of running these tools over a C2 channel, so we can use this with thick client tests, but there's no way we can use this for a red team engagement or a traditional pen test where you might have compromised an endpoint and just have some access to it, but not full access for anything. So we want to change that; we want to be able to use this all over the place. There's no point in you building some awesome tooling to steal passwords from a VPN client or whatever, or backdooring lsass, if you have to be at the terminal to use it; that's kind of pointless, right. So this is where we introduce the next bit of tooling.

This is frida-gadget. frida-gadget comes with Frida; it's a shared library that's designed to be injected into processes, and it just listens for the frida console to talk to it. So that's what the frida console was mainly used for, right: if you are using Frida for mobile testing you normally have a gadget running on the iOS or Android app and you talk to it via the frida console over USB. Yeah, same concept, but now it's over TCP, not USB, and it's a lot smaller; currently it's about 17 meg, so that's way better than 45 meg, right. This is portable, this is something that you can potentially start dropping to disk in places and using in more traditional pen testing, red teaming type stuff. So when you inject this DLL it starts listening on TCP. It doesn't do anything else; you're not going to get reverse shells out of it, it doesn't talk back to you, it just listens on localhost on 27042 by default. You can give it a config file, so you can change that port number if by some weird coincidence it clashes with something on that workstation, and it also gives you the ability to run scripts on startup. So SensePost's lsass backdoor: you don't need to interact with that once it's running, right, it just does the thing it's meant to do and gives you access via lsass by putting in incorrect passwords. So the demo, as we've seen from my stuff, you do need that access, but if you just want to backdoor lsass, for example, you can use this config file, give it your payload JS file, drop it all on disk, inject frida-gadget into the lsass process and it will just run your script for you, so you don't need to do anything else at that point. I'm not going to go into this in too much detail; there's actually documentation for this on Frida's GitHub page. If you've used Frida, the documentation is pretty sparse in places; this is actually well documented, so you can go and read about this if you think it would be useful to you.

So this gives us the possibility to inject frida-gadget into a process, and then it's on localhost, so we have to be able to appear on localhost, right; we can do that via SOCKS. If you use Cobalt Strike and Beacon you have SOCKS baked in; other C2 frameworks do this as well. So you can now run Frida on your attacker machine over a C2 channel onto an endpoint where the process you want to target is and use Frida to interact with it. So that's fairly awesome, right. So I'm going to show you something else that I'm going to give you at the end of the talk: FridaInject. This is nothing special at all; it's literally doing DLL injection. I've called it FridaInject; it will inject any DLL you give it, it's just using Win32 APIs to inject DLLs. I'm going to give you the code for it on GitHub just so you can use it if you want to build your own; it's not that complicated really.

So this demo is slightly more complicated. Over here we have a new Windows 10 VM; this is our compromised endpoint in the red teaming situation. Up here we have Cobalt Strike; this machine is already beaconing back to Cobalt Strike, so we have C2 established already. This terminal down here is on our attacker machine. So the scenario here is: this is in your client's environment, you've phished a user, you've got Beacon, they're using KeePass, you want to steal creds from it over C2. I will pause the video in places that actually matter for this. So the first thing we're going to do is use execute-assembly to launch FridaInject in memory. For those of you that don't know, you can launch .NET apps in memory using execute-assembly in Cobalt Strike; other C2 frameworks do this as well. So our actual .NET app that does the DLL injection does not have to touch disk for this; the Frida DLL does, so that is this DLL here, I just renamed it frida.dll from frida-gadget because typing is hard. So this command that I'm typing here: you give it the path to the exe you want to inject, which is on the attacker machine, the name of the process, KeePass, and then this is the path to this DLL on the compromised endpoint. So you just use the upload command to drop that to disk, right; it's on the desktop because that's easy, but anywhere on Windows 10 is fine. So yeah, Beacon will call back and say that it's done the injection for you. And then, if I remember, I start doing stupid things when I recorded this demo. What we're doing here is I'm trying to use proxychains to make frida-ps proxy-aware, but I didn't actually start the SOCKS proxy via Beacon, so obviously it failed to connect. So then we go back into Cobalt Strike and just tell it to spin up a SOCKS server. What this does is it opens a port on the team server for Cobalt Strike, and then Cobalt Strike manages sending SOCKS traffic to Beacon on the compromised endpoint. And then once you spin that up, in the proxychains config I've just told it that there's a SOCKS4 server on port 3333 on the team server IP; that's not particularly complicated to do. So frida-ps, this is something we've not seen yet, but this looks for Frida-enabled processes on a host that you give it, right. So if you use this in the mobile world you give it the USB argument and it would find gadget over USB; in this instance we're pointing it at localhost. It's found our injected gadget. If we ran this without proxychains it would look on this workstation; because it's through proxychains it's now proxy-aware, so it's appearing here, essentially. So we can see we've got this gadget process ready to be communicated with.

So in the previous demos we were interacting with KeePass, right; what we've done here is injected gadget into KeePass and then we're now interacting with gadget. So it's slightly different, but we're still within the KeePass space in memory. So yeah, then we do the same thing, proxychains and frida, so this connects the frida console to gadget on the compromised endpoint over our SOCKS channel over C2. Yeah, again, when I recorded this video I didn't give it the process name to inject into, so it's not magic, you have to tell it what process to inject into. So you attach to gadget, and we gave the script file argument as well, right, so we're using the same payload script for this demo. And then the user on our workstation at some point comes along, interacts with KeePass, and we start capturing credentials here. So apart from a DLL somewhere on disk on this workstation, like C2, we don't need anything else now; we could start interacting with these processes over C2, grabbing data from password managers or interacting with other apps, whatever you need to do. So yeah, I'll give you the GitHub link for this at the end of the talk. It's pretty straightforward to build your own version, you don't need to use mine; I've given you the example C# app so we can run it in memory using execute-assembly, and it just uses Win32 APIs to do DLL injection. It's not complicated; you could inject any DLL you like with this. So yeah, we now have Frida via Beacon, so we can do it in memory except for the DLL. The Frida gadget DLL at the minute is AV-safe; if you run the hash through VirusTotal it's not detected by any engines. I'm sure if you all start using this to build cool malware then it will be pretty quickly, but we can solve that problem at some point in the future, right; like you could modify the
signatures of it or whatever else you need to do. So this gives us the potential to use Frida in way more engagements. Now you can build your tooling, your exploit scripts, using, like, tooling on a host. So in this situation you would install KeePass locally, you'd build this tooling, and then you'd use it on an engagement via C2. It turns out we don't actually need any tooling at all. We still need Frida, but Cobalt Strike has the ability to do DLL injection natively, as do, like, many of the C2 frameworks. So you don't need to run my, like, hacky stolen-from-GitHub C#; you can just do it via Cobalt Strike. So this is the same demo
setup: compromised endpoint, our SOCKS proxy is running over here, and so on. All I've done between, like, stopping the previous video and recording this one is killing KeePass and relaunching it, just to get Gadget out of memory, so yeah, I have to inject it again. So we'll do the same thing, only this time we're going to use dllload in Cobalt Strike. So dllload will take the path to a DLL (and it has to exist on the target) and just inject it into a process for you, and it needs the PID, not the process name. So if we want to look at running processes on the endpoint we can use ps in Cobalt Strike, which uses,
like, API calls to do a process listing. So it is down here, KeePass. So we then run dllload, give it the PID, give it the path on disk to the Frida gadget DLL, Beacon will go and inject that DLL for us into the KeePass process, and then we can do the same thing via proxychains. We can sort of check Gadget is loaded using frida-ps. I talk quicker than I type, so, cool, wait for the past me to catch up. We're currently there; you can see we've got Gadget loaded into KeePass again, and then we can do the same thing, just proxychains, frida console, load our
payload script into it, and we've not used any code at all other than, like, the DLL that has to be on disk. Yeah, we'll let the video finish because why not, we have time. It's going to do the same thing as it did, so the user will then come along, interact with KeePass, start copying data, copying the user name; this time we get the user name showing up down there. Cool, so we're near the end; it's almost beer time, so we will take a quick summary, and I've got the tools to release for you. So I've shown you an example of what Frida can do, right? So what I didn't want to do is
stand here and just show you, like, payload after payload, because it's not gonna be much use to you; you're never gonna see these setups. What I want you to take away from this is, like, the ability to start using Frida in your own engagements. You can do really cool stuff with Frida in the thick-client world. Like, if you look at FuzzySec's repo for Fermion, he's got some examples in there which are far more complicated than this, so have a look at those; there's a really good starting point for stuff you might want to start building off. There's a couple more tools and techniques to use Frida in more engagements, so
until, like, now I think most people were sort of using this on the same endpoint as the thick client, and then maybe sort of building a custom exe with Gadget on a sort of another endpoint. We don't need to do that anymore; we can do it via C2, we can do it without dependencies. So yeah, mostly up to you really. There's definitely scope for further work here. So you can inject a DLL into memory completely using this sort of concept of reflective DLLs. If you have a look at this guy's GitHub link, he explains this quite nicely. So I've tried to get this working in time for the talk and
just failed for some reason. So there's a tool called sRDI which will take a DLL, like a native DLL, convert it to a reflective DLL and then give you the shellcode for it, and Cobalt Strike and other frameworks support shellcode injection, right? So I thought I can just generate this DLL shellcode, inject it into the process, it will just work, and then we don't need the DLL on disk at all. It turns out it's not as straightforward as that. So that gives you, like, a 17 meg blob of shellcode that Beacon just appears to not be able to handle; it just dies. I've been on the Twitters about it. So I built a small C# app which pulls all the
shellcode, like, over the wire into memory and then injects it from C#, so we can load that app with execute-assembly and do it all in memory, right? If you build a DLL that just launches calc and then run it through sRDI and inject it into KeePass, it works perfectly: you get calc. If you take the Frida gadget DLL and do the same thing, it just kills the process instantly. I guess it doesn't like having 17 meg of shellcode, like, stuffed into it. If we can get this working, that means we don't need to touch disk at all for this, so we don't need to drop the DLLs on
disk anymore; we can, yeah, just do it all from sort of an attacker machine over a SOCKS proxy, which is awesome, because then there's nothing there for the blue team to sort of see, no dropping DLLs or whatever. So yeah, this is rapidly approaching the end of the talk. If you like this kind of stuff and you want to work with awesome people and me, we are hiring, so speak to me or Tom or Adam or D over there, and yeah, I'm happy to chat about it. I will put this slide back up in a minute; take pictures. These repos were made public this morning, so you're free to go and, like, clone them, do what you want with
them. If you find bugs, like, feel free to fix them. If you like this sort of research and want to see more, it normally ends up on my Twitter; that's quite often either links to blog posts or just random stuff. But if anyone has any questions, shout them out. Like, thank you for coming to see me; you had a choice of talks on at the same time, so I'm chuffed that you came to see me. So yeah, take photos of the slides; questions, shout out.
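The injection path the talk demonstrates (a Frida gadget DLL dropped under the user's profile, then loaded into KeePass by a thread started from another process) is also what a defender can look for. The Python below is an added example, not part of the talk or the speaker's tooling: it runs two Sysmon-style checks (Event ID 7 image load, Event ID 8 CreateRemoteThread) over constructed sample events. It assumes the injector uses the classic LoadLibrary-via-remote-thread technique, which the talk describes only as "Win32 APIs", and the paths, the DLL name and the `KEEPASS` install location are made up for the example.

```python
# Added example: flag a gadget DLL injected into KeePass from Sysmon-style events.
# Constructed sample data; not the speaker's tooling or a real capture.
import re
from typing import Iterable, List, Tuple

# Paths a standard user can write to: a DLL loaded into a password manager
# from here is worth a look regardless of what it was renamed to.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
# Thread start routines of classic LoadLibrary-based injection (assumption:
# the talk only says "Win32 APIs", not which ones the injector calls).
LOADER_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
KEEPASS = r"C:\Program Files\KeePass\KeePass.exe"   # constructed install path

def is_suspicious_image_load(ev: dict) -> bool:
    """Sysmon EID 7: unsigned image loaded into KeePass from a user-writable path."""
    return (ev.get("EventID") == 7
            and ev.get("Image", "").lower() == KEEPASS.lower()
            and bool(USER_WRITABLE.match(ev.get("ImageLoaded", "")))
            and ev.get("Signed", "false").lower() != "true")

def is_remote_loader_thread(ev: dict) -> bool:
    """Sysmon EID 8: a different process starts a thread in KeePass at LoadLibrary*."""
    return (ev.get("EventID") == 8
            and ev.get("TargetImage", "").lower() == KEEPASS.lower()
            and ev.get("SourceImage", "").lower() != KEEPASS.lower()
            and ev.get("StartFunction") in LOADER_FUNCS)

def flag_injection(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Return (rule name, event) pairs an analyst should look at, in event order."""
    hits = []
    for ev in events:
        if is_remote_loader_thread(ev):
            hits.append(("remote_loadlibrary_thread_into_keepass", ev))
        if is_suspicious_image_load(ev):
            hits.append(("unsigned_user_path_dll_in_keepass", ev))
    return hits

# Constructed sample events: one injection (EID 8 then EID 7) plus two benign records.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\updater.exe",
     "TargetImage": KEEPASS, "StartFunction": "LoadLibraryW"},
    {"EventID": 7, "Image": KEEPASS, "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\Desktop\gadget.dll"},
    {"EventID": 7, "Image": KEEPASS, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\bcrypt.dll"},          # normal system DLL
    {"EventID": 8, "SourceImage": KEEPASS, "TargetImage": KEEPASS,
     "StartFunction": "LoadLibraryW"},                              # KeePass's own thread
]
```

Neither check depends on the DLL's file name, which matters because the talk renames the gadget; the reflective-shellcode variant discussed later would defeat the Event ID 7 path check but still leave the remote thread.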
Also, are there any questions? Are you happy? Any questions? OK, good, you've had a few questions, we've got a bit of time to finish off. Yeah, so, um, yeah, that's a good point I didn't touch on: which C# version was I using? Yeah, so .NET, you'll be able to... but I think the standard version is 4.5 that comes with Windows, so I've not had to go and change it; we'll leave that for now. So, what more people are using this, like, GhostPack stuff, they're just locking the framework versions at the minute, which sort of forces it down a different path at runtime. OK, yeah,
that's a really good point: yeah, use older versions of C#; the older you go, the less likely you are to run into issues. Anyone else? No. So I've heard from a couple of guys on Twitter who sort of... I've done a couple of blog posts on this sort of stuff already, and somebody said they used Frida on an engagement, like on a red team, over C2. Well, I got no more details on how they did it. I assume they've probably done something like this; there's not many ways you can interact. Like, go and have a look at what's actually been built before; there's limited sort of things you can use. I assume they were using
sort of this Frida Gadget over C2. I've not seen anything. If anyone has seen it, like, yeah, it'd be awesome to sort of have a chat with those guys, but as far as I know...
Thank you, I appreciate it so much.