
Cookie Monster: Tasty Tasty Bytes

BSides Charleston · 2018 · 26:25 · Published 2018-11
About this talk
Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Cookie Monster: Tasty Tasty Bytes". Speaker: Eric Kuehn (@secureideasllc).

Transcript [en]

...we're going to be hearing from, and he's gonna be talking about a tool called Cookie Monster and also about exfiltrating data. Yeah, so here's Eric.

Well, thank you everybody for coming to my presentation after the keynote. When I submitted I didn't realize I was going to be this early, so, you know, kind of rough a little bit, you've got to be ready early in the morning, but on the other hand I get to listen to all the other presentations later. As TJ said, I'm here to talk about Cookie Monster and a little bit about exfiltrating data. We came up with a tool that we dubbed Cookie Monster to help us during a pen test.

A little bit about myself. My name is Eric Kuehn, I'm a senior security consultant for Secure Ideas. I've been in security for about two years but in IT for about twenty now, really focused on systems architecture, Windows mainly. Before I was with Secure Ideas I was responsible for two very large Active Directory infrastructures, one at a small financial institution called Bank of America and the other for the happiest place on earth, Walt Disney World, so there's a variety of places that I've worked for. Hobbies: I like to say I'm a movie enthusiast, a gamer, and I'm a father of four, and honestly at this point, with my kids at the ages they are, I really don't have any hobbies except taking my kids to their hobbies, but at some point I hope to actually be able to go to the movies again.

A little bit about Secure Ideas, because they paid for me to be able to come here. We are a security consulting firm; we do pen tests, architectural reviews, general security consultations, etc. One of the things that we like doing, actually more than the pen tests, is education and training, something we believe in significantly.

So, data exfiltration. Very important part of protecting data, right? But honestly it's probably something most pen tests never go through, right? And maybe it's because of the pen testers, they're so interested in getting shells, right? Hey, let's take it as far as we can into this network and own everything here and be happy. But really a pen test is about the client's data, right? That's what they care about. What we're actually trying to do is see if we can navigate through this network, get to what is most important to our client, and show them what faults they have, and really data exfiltration is that last part. Admittedly, if this was a real job, right, where we weren't being pen testers, we were actually people hacking, trying to get into the network, you'd probably have a path out already because you had to work your way in somehow. But as a pen test, in a lot of cases what happens is you go in, you bring your laptop or whatever you might be using, you put it on the network and you act as a compromised device, right? You're pretending that you found a method in and now you're trying to get to the data.

Companies have spent lots of money and lots of resources, at least a lot of companies have, trying to prevent people from being able to get data out. Now maybe it's something that we should start considering. Now, all clients aren't ready to have their data exfiltrated, they're not mature enough, they don't have the tools, right? Maybe we can help them find them. But there are lots of companies who do have these mature processes, right? They've invested millions if not more in things like DLP software, right, proxying, whatever it might be, to try and keep their data on the inside and not let it get out to the outside. And you know, some companies don't want you to exfiltrate their data. We have clients who, regardless of what you say, won't let us use our devices, right? Everything has to be done on their network, on their devices, including writing the report, which as I can attest is a little bit more painful than writing it at home, right? You have to get back and you have to do the work there. But these clients might be the ones who actually need this type of test, right? This final level of validation that they have things protecting their data, right? Maybe not from someone who worked their way in from the outside, right, which we're trying to prove, but maybe somebody who's acting maliciously from the inside.

So data exfiltration, what is it? Number one, lots of methods to do it, right? Honestly there's probably more methods to exfiltrate data than to get into a network, right? Lots of options. And it starts with just general network protocols: file sharing, right, SSH, SCP, SFTP, RDP. Honestly, if the group you're dealing with has any of those open from your device directly to the Internet, there's really no point in even saying "hey, let's try and exfiltrate your data." You can, right? If I can get to a file share outside of your network from inside the network, you have serious problems, right? You're not ready, you need to start blocking those down. You can send data out through, you know, web traffic, HTTP, HTTPS. Once again, if your client isn't proxying their traffic, there's no point in saying "hey, let's see if we can exfiltrate some data for you," right? You're going to be able to. You can send it anywhere you want, they're not going to know, there's no way of tracking it, no way of detecting it. Then you can get into other things like mail, right? Once again, hey, let's just send an attachment, pretty easy to do, but at this point lots of companies are starting to block the ability to send attachments, right? You just can't send it out, and they probably don't have open mail relays for you to just send email. Then you get into some harder protocols like DNS, right? Yes, it's possible to exfiltrate data through DNS calls. This is hard to detect for a lot of companies; there are some products out there and some companies who have done it, but from the inside, if you allow your clients, your devices, to connect to a DNS server on the Internet directly, right, and not go through some internal DNS system, you're never gonna see it happen anyways, right? Once again, you're not prepared and you probably can lose data very easily. And these are just some protocols, right? There's even more. There's records of people using NTP, network time, to exfiltrate data, right? Using certificates to exfiltrate data. The list goes on and on and on. I mean, so how to protect against all this? It is mind-boggling. Once again, probably harder than protecting yourself from getting hacked in the first place, and it's not getting any easier now, right? More and more people are moving to cloud services where you get things like SharePoint Online and, you know, Google Drive, where it's so easy to right-click and say "share this document," and you say "hey, yeah, anybody with this link can access it." Well, now anybody with this link can access this data, right? Once again, an easy method for someone not thinking nicely to get data on the outside. Luckily this can be locked down, right? Not everybody has to be able to share data.

Then we talk about physical methods of exfiltrating data, right? USB drives, laptops, papers themselves, right? All these are viable methods of getting data out; all of them have protections, right? I like to think about that huge stack of papers. Maybe, you know, the amount of data we're actually trying to get, and maybe sometimes you actually want to try and print something, but you can't get to the printer, but hey, this could work, right? I'm sure even with our clients that aren't the most aware of their physical security, I'm pretty sure somebody would notice if I brought a monitor and put it on a copier to try and get some data out. At least I hope they would. And then you get into some really interesting methods, right? Hey, I've separated my network, all my important data is on a separate network, you can't get to it, but you can see it, right? You know, everybody knows about the Bluetooth attacks, right? That's old news, you know, but that's one way that you can jump across networks, right? Bluetooth is enabled on another network, you can just move across and start accessing it there. But the really interesting ones are the other two up here. Probably my favorite is the hard drive. There's a documented record of people exfiltrating data by having the hard drive indicator light on a device flicker, right, and telling them what the data was. I think a drive light can flicker like 60,000 times a second or something, and they used that because they could see the light; that's how they got data off the network. Other people have used fan speeds and fan harmonics, right? You want to talk about really high-tech stuff, really interesting things to do, all methods that you can start losing data from your network.

So how do you control this? How do you prevent it? Well, number one, I said it, right? If you allow everything out to the Internet, you've lost, right? Sure, you might be blocking people from coming in, but once they get in you've lost your data. If you're using firewalls to block ports, you can start using the next-gen firewalls, right, that deep packet inspection that lets you see actually what's happening, what they're trying to do, where they're sending data out through there. Interception proxies: don't allow people to go straight to the Internet with web browsing, right? Proxy all the traffic, look at it, be sure you're breaking any encryption, the SSL/TLS, etc. DLP software, right? Don't let people mount USB drives, you know, for multiple reasons, but don't let them copy it, or only approved devices, right? Whatever it might be, don't let people just pass data around. Drive encryption: hopefully everybody at this point is, you know, using BitLocker or something on their Windows devices. You know, laptops disappear all the time, right? If you're not encrypting the drive, the data is lost. And then, you know, sure, locking down printers and copiers. This is actually interesting, you know, printers themselves, right, are security risks in general. Multifunction printers, they have hard drives, they store data, wonderful things for hackers to get to. But just the fact of printing, if you're really worried about your data and where it's going, there are methods that you can have people have to log in to the printer or scan an ID or whatever it is before they can even use it. It's actually a good method to make sure people like us pen testers don't come in and use your printers as a method to find a way to bypass any NAC controls or anything else, right? We can't see what the printer MAC address is, we may not be able to. Moving on. So, quick brief intro to data exfiltration, right? Something that we probably should start testing. There are lots of other methods; those were just a handful.

So why did we come up with Cookie Monster? We actually had a client who has spent a lot of money, right, on making sure their data stays in their network. They brought us in, they had us do a pen test, and then when we got to a certain amount of data they said "okay, we want you to actually try and get that data out, we want to see if you can do it." They replaced the data, right, because we don't want to send important critical data from them out to the Internet, but they said "here's something representative, see if you can get this out and see what happens." This client had a very limited number of ports. We only had web traffic, that's all we could do, there was nothing else open out to the Internet. They were intercepting it, they read everything, right? They knew everything that was happening, everything going through that proxy. And they had a very responsive blue team. We did multiple phishing campaigns in the beginning to see what we might be able to hook into, and if there was anything that looked odd, they would have it quarantined within about five to ten minutes. They would start blocking the URL that it came from and then any other URL we had associated with our company, right? They were very fast, they were very good. And they did lots of URL and content filtering, right? We couldn't get to any website existing out there, we had to try and track one down.

So with all of this we had to find some way of getting data out. We didn't want to try the physical route; we definitely didn't have time to try and figure out how to get an LED blinker to, you know, move that fast. So we said let's stick to that one thing we do have, which is that web traffic. Now, when people historically have tried to exfiltrate data via web, what happens is you find a website you can go to and you start posting it, right? You send the data, you send the file up through HTTP as a POST. This means that people have a very long web connection, right? Your session is very long, you're sending lots of data, you're probably not getting that many responses back from the web server. We didn't want to fall into that pattern, so we said, what can we do with this? Well, number one, we don't want to just try and send a file, right? That requires POST, it takes a lot of effort and it's gonna be very large. So let's take it and break it down into chunks. Okay, so we said let's take the file, we're going to encode it, just basic base64, no problem, encode that data, find a way that we can break it into small manageable chunks, and let's send it in cookies, right? Instead of just as raw data, send it in the cookie itself. Cookies go everywhere, right? That's how web browsers, you know, communicate with the servers, they know who you are. It's a great method, it's always encrypted, well, at least almost always, this time, right? It can look like anything, and it may not actually be looked at by some of the proxies and everything; it might just be ignored because it's expected to be there. And then we have something on the backend that can pull all this data back together and give us our file. That was our plan, that's what we did.

So we threw up a server out there. Mike from the company threw it out there, he loves JavaScript so Node.js, bang, no problem, threw it up there, threw up a web server, did some proxying. We chose Apache because, a, it's there, and then we added a cert, right? If you want to use this tool I highly recommend putting a cert on it, just because, even though the client might be able to intercept that data and read what it is, we want to be sure that anybody else out on the web can't see it, right? So encrypt the data itself, make sure it's passing securely from us to the server. And then we came up with a feeder at the client side. You know, we use PowerShell, right, because it's available. Sure, I know more and more people are moving away from PowerShell as a method to do stuff because Microsoft has introduced logging and more controls and all sorts of wonderful things, but it's still on every system and you can use it to do almost anything. And we made sure that we made this look like a fairly normal command, right? We didn't call .NET libraries, we decided to just use cmdlets, that way we didn't have to worry about if they did language mode or anything else. You know, and we made sure that we introduced things like, hey, make sure you look like a web browser when you're sending the data, so it doesn't say, you know, "PowerShell sent this." Made sure we used the right user agent. We made it so that it, you know, had a sleep function, it didn't just send lots of requests really fast; we decided to slow it down, take its time. So, two parts: the feeder, that actually breaks this data apart and sends it on forward through web requests, and then the server, Cookie Monster itself, that puts it back together.

So, quick little demo. Hopefully... I find demos are like animals in shows: they work perfectly at practice and then when you actually try and do it, it doesn't. I have a bad, bad time with them, but we're gonna do our best here. So I have a little... everybody see that, or is it too small? There's not much to see, but it's a little Linux server running locally. It's sitting there, I have Cookie Monster listening, and so let's say I found this awesome file of credit cards. There it is, it says "hi Charleston" down there, you can't see it, but I'll put something else here. All right, so I found this great file. Admittedly I'd expect something else to be much larger, but we're doing a quick demo here. So we have it, we call the feeder. I should probably import it, and I'll show what it looks like in a minute. Like any good PowerShell, you need to have that verb down. Make sure you have the right IP address, and I'm gonna proxy this as well just so we can actually see what it looks like. Now, and yet you should probably choose a file, and so there you go, it's just sending the data now.

I admit, right, we're using PowerShell so this is being logged if they've upgraded to PowerShell 3, 5, whatever it might be, but from what we've seen, typically even though companies might be logging this data they're not actually alerting on it, especially from clients, right, from desktops and laptops; it's there for auditing purposes. So yes, we have left a trace, unfortunately, but it didn't require any special privileges to do this, right? I just said send data and it's doing it. And all right, it finished, so I'll just close this down and just to show you what happened... yes, I can't do anything with Linux because I'm a Windows guy. So it just took all this. Once again, it just took all the files and then when it saw the last one it put it together. I'll copy it down in a minute. I'm just gonna pull it down as a text file, hopefully I got that right. See... oh, I sent cookie feeder, didn't I? Ha ha, that explains why it didn't come out right. Let's send the right thing, because sending the script itself is boring. Like I said, if it will go wrong, it will for me.

Okay, so as we go through, let's actually look at this through Burp, right, since I proxied it, to show you how it's breaking it apart. That's probably very small. So as I said, it took it and broke it apart, so it entered some data as cookies. The "f", it's a file name; we added these two little forward marks on the front of it so that it's not necessarily interpreted as base64 text, right, because this is just the file name encoded. So if I took it and I put it in the decoder you'd see the file name. Automated processes hopefully will take the entire cookie if they're looking at it, right, not just the encoding, and so that obfuscates it. Then we have an integer that says "hey, this is part three of 16," and then this is the data, right, just a chunk of data. The cookie name, yeah, "session"; we use "session" to try and hide what it might be doing. So, all right, now I have the right stuff in theory. Hey, hey, look at that, and then all we have to do is decode, and we have our file back, right? So there you go. Once again, we just took it, we base64 encoded it so it's just pure text, sent it out through the Internet, picked it back up.

So, you know, clearly this is not necessarily the best tool out there, we understand that, but it was something that we came up with in a couple of days to try and get the data. It has some pros and some cons. The good parts: it's using a high-use protocol, there's web traffic everywhere, it's seen all the time, it's happening through your company, right? Everybody is going out to the Internet for stuff. It's using a GET method, right? We don't have to POST data, we're just saying go somewhere, and it looks like we're looking at a web page. And once again, cookies are typically encoded or encrypted in the first place, right? Why even worry about breaking them apart? Now there are some cons, right? As of right now, because this is really in beta, I guess is the best way to say it, if somebody actually browsed the web page they'd get an error. So if somebody decided to go look at this they'd know something was up, right? But we weren't trying to fool people, we were just trying to fool the proxy. It requires a whole bunch of web requests to get that data out. Now luckily you don't have to do this all at once, right? You can do it in chunks, you can do it over periods of time, you don't need to just send it immediately, so that's not a problem. You're limited to the size, right? There's a requirement that said that every web browser needs to be able to accept up to 4096 bits for a cookie; 4093 is the lowest. So you want to make sure that if you're sending data this way it's smaller than 4,000 bits or bytes, and this can actually make some files even bigger.

So how do you go about detecting it? Well, that's an interesting question. We sat down, we wanted to see if we could come up with it. You see a lot of web requests; right now there is no real web response other than OK, so that's not great. And you'd have to do a lot of content filtering, right, or whitelisting, really block every website that you don't want to go to. Unfortunately that's not perfect, right? We found a website that we could use even though they were doing expensive URL filtering. There's that ExpiredDomains.net, they're changing all the time, right? Find one, and then all of the companies that provide you with URL filtering have web pages you can go to to see how they are categorizing it, right? Takes a little bit of research, but you can find a place and a domain that you could probably use to send data to.

We do have some future plans. Right now it's not posted out there, but we are going to post Cookie Monster. We're gonna put it in our org, Professionally Evil. We want to have it do more than just OK; we want to actually have it return some data so it looks like people are browsing stuff, maybe return some dummy cookie values. We want to change encoding so the number that says "hey, I'm part 1 of 16" is also encoded, and then, you know, try and find a way to pick up a lost session. Right now, once again, Cookie Monster may not be the best tool out there, there might be some better tools, but it was something that we came up with to try and get data on that side, this part of the test that's probably not done very often. Even if you don't have a pen tester or you don't do it for a company, hopefully you can encourage them to start testing, right, whatever they have preventing data exfiltration. Everybody is focused on, you know, preventing people from getting in; we need to be sure the same focus is on "can they get data out." And that's it, ten thirty on the nose. Any questions?

Well, thank you for your time. The chunk, you're right, but not the whole file. You can encode anything you want, but yes. Yes, sir.

What are they using? The gamut is huge. I wish I could give you one specific thing that says what they're using to manage structured data. Well, honestly, a lot of people are still having problems with that, structured versus unstructured, right? Data management is a huge issue. It's amazing what you can find in open file shares still, yeah, it's amazing what's out there. So I wish I could give you one specific product, but I can't. Any other questions? Thank you for your time. [Applause]
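The detection question raised near the end of the talk (many GET requests, cookies that are different on every request and carry large encoded values, and nothing meaningful coming back from the server) can be turned into a proxy-log heuristic. The following is an added example for defenders, not Cookie Monster or any Secure Ideas code. It runs over constructed JSON-lines proxy records whose field names (src, method, host, path, cookie, resp_bytes) are assumptions for this example, and flags a client/host pair only when several signals line up at once: request volume, GET share, cookie churn, average cookie size, base64-looking values, and tiny replies. The thresholds are starting points to tune against your own baseline.

```python
"""Heuristic detector for chunked data hidden in Cookie headers.

Added example over constructed proxy records; not the talk's tool.
"""
import base64
import json
import re
from collections import defaultdict
from statistics import mean

# Base64 alphabet plus URL-safe variants and padding.
B64_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def build_constructed_log() -> str:
    """Return constructed JSON-lines proxy records: ordinary browsing from one
    client, plus a run of GETs to a second host that carry a changing, large,
    base64-looking cookie and receive near-empty replies. All values made up."""
    lines = []
    # Benign: constant session cookie, mixed methods, realistic page sizes.
    for i in range(12):
        lines.append(json.dumps({
            "src": "10.0.0.5", "method": "POST" if i % 4 == 3 else "GET",
            "host": "intranet.example.internal", "path": f"/page/{i}",
            "cookie": "session=abc123; lang=en", "resp_bytes": 30000 + 700 * i,
        }))
    # Suspicious: a blob split into fixed-size chunks, one chunk per request.
    blob = base64.b64encode(b"constructed sample payload " * 800).decode()
    chunk = 1200
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    for n, part in enumerate(parts, 1):
        lines.append(json.dumps({
            "src": "10.0.0.5", "method": "GET",
            "host": "cdn-assets.example.test", "path": "/",
            "cookie": f"session={part}; p={n}", "resp_bytes": 2,
        }))
    return "\n".join(lines)


def parse_records(text: str) -> list:
    """Parse JSON-lines proxy records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cookie_values(header: str) -> list:
    """Split a Cookie header into its values: 'a=1; b=2' -> ['1', '2']."""
    vals = []
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            vals.append(value)
    return vals


def looks_encoded(value: str) -> bool:
    """True when a cookie value is long and drawn only from the base64 alphabet."""
    return len(value) >= 256 and bool(B64_CHARS.match(value))


def profile(records: list) -> dict:
    """Aggregate per (client, host): request count, GET share, how often the
    Cookie header changes, its average size, the share of requests carrying an
    encoded-looking value, and the average reply size."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["host"])].append(r)
    out = {}
    for key, rs in groups.items():
        headers = [r.get("cookie", "") for r in rs]
        encoded = [any(looks_encoded(v) for v in cookie_values(h)) for h in headers]
        out[key] = {
            "requests": len(rs),
            "get_share": sum(r["method"] == "GET" for r in rs) / len(rs),
            "cookie_churn": len(set(headers)) / len(rs),
            "avg_cookie_len": mean(len(h) for h in headers),
            "encoded_share": sum(encoded) / len(encoded),
            "avg_resp_bytes": mean(r["resp_bytes"] for r in rs),
        }
    return out


def flag_suspicious(records: list, min_requests: int = 8) -> list:
    """Return (client, host, profile) triples matching the exfiltration shape:
    many GETs, a cookie that changes almost every request, large encoded values,
    and almost nothing returned. Every condition must hold to limit false hits."""
    hits = []
    for (src, host), p in profile(records).items():
        if (p["requests"] >= min_requests
                and p["get_share"] >= 0.9
                and p["cookie_churn"] >= 0.8
                and p["avg_cookie_len"] >= 512
                and p["encoded_share"] >= 0.8
                and p["avg_resp_bytes"] <= 512):
            hits.append((src, host, p))
    return hits


if __name__ == "__main__":
    for src, host, p in flag_suspicious(parse_records(build_constructed_log())):
        print(f"{src} -> {host}: {p['requests']} requests, "
              f"avg cookie {p['avg_cookie_len']:.0f} chars, "
              f"avg reply {p['avg_resp_bytes']:.0f} bytes")
```

Requiring all six conditions together is what keeps the intranet traffic in the sample unflagged: its cookie never changes and its pages are large, even though it comes from the same client. In a real deployment the per-host baseline matters more than the absolute numbers, and a sleep between chunks (which the talk mentions) stretches the pattern over time, so the aggregation window should be hours rather than minutes.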