Dailydave mailing list archives
Context, and in which contexts context is important
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 13 Nov 2012 12:19:15 -0500
CANVAS added HTTP/S + Proxy support to Java MOSDEF last week for the release. <http://www.immunityinc.com/news-latest.shtml> This means that when you attack people with Java client-sides you get a much higher rate of success against Financial and Federal Govt networks, which is awesome in its own way. For some people this is very important, and for others, much less important... and I've been trying in my head to figure out what the lines in the sand are here between groups, and where CANVAS and similar tools fit into these processes.

As a tool vendor, one thing you realize is that every penetration tester out there has their own favorite set of tools and methodologies. But this implicitly ties them to an ecological niche that is very hard for them to switch out of. In a sense, they often have to give up their entire toolkit, training, habits, and mindset to switch ecological niches, like a caterpillar learning how to drink from flowers instead of eating leaves.

The table below comes from another document, but helps illustrate these issues (and many of you, of course, will disagree with the table below because you are cooler than me):

*Sample Test Environment*: Your local network (or one you have reasonable physical access to) at a modern large US corporation (or local/State governments)
*Toolkit Characteristics*:
* Shellcode callbacks are optimized in such a way that they are smaller and simpler by not worrying about timeouts, dropped packets, or other network irregularities (i.e. early MSF shellcode always made this tradeoff - not sure about now). If you see "recv(size)" rather than "while recvedsize < size: recv(size-recvedsize)", then this is where you are.
* Sending really large files is commonplace and easy - network protocols assume low latency and high bandwidth (cf. "Syscall Proxying").
* C&C done over TCP (or ICMP/UDP perhaps more rarely) - no covertness levels needed for standard C&C. You'll see people ignore HTTP Proxy support here.
* It's easy to maintain a concrete connection from your initial attack point to the very edges of your penetration - this affects your situational awareness and operational plan significantly.
Essentially this level is where many commercial tools really shine today.

*Sample Test Environment*: Financial and Federal Government Sector
*Toolkit Characteristics*: While large, complex, and heterogeneously managed, these environments often include strict standards which restrict outbound connectivity to one of the following flavors:
1. All outbound connections must be over HTTP/s Proxies, with NTLM user authentication. This is the most common.
2. WebSense or another proxy is used to ensure that only reputable sites are reached (i.e. a whitelist approach is often taken to new websites). This is less common, but when it is in place it is significantly harder to manage by commercial toolkits - meaning the threat to these organizations is poorly modeled at the moment.
3. DNS is logged, analyzed for anomalies, and in many cases filtered so new domain names don't "exist" - breaking most standard callbacks.
In terms of good news for penetration testers (and our APT friends), you generally have plenty of bandwidth, and latency and storage are rarely a problem in these networks (latency being something banks tend to hate with a passion), but connectivity is going to start to force your C&C into a wheel-spokes configuration, with particular boxes chosen as exfiltration points. (Some of the more recent talks on APT were quite good at pointing this style out - generally you see standard tools being used in custom ways by good operator teams here.) AV evasion is a useful (but easy) feature when you get to this level, on a host and network level. At many higher levels here you'll also see application whitelisting, which has its own restrictions on your toolset. These can be worked around, but you often end up special-casing your toolset to deal with them.

*Sample Test Environment*: (e.g. US Military red teams) 3-Sat-Hops-Deep - for example, a shipboard computer network on a carrier group
*Toolkit Characteristics*: Size becomes a premium - writing exploits in these environments is like sending care packages to astronauts. You can still maintain C&C and decent situational awareness in these environments if you do it carefully. This kind of environment is where operator skill gets a bit "magical" - did that packet get dropped or did the exploit fail? When dealing with these sorts of networks, you'll see operators that have habits as strange as those of a cave-dwelling salamander. For example, ICMP messages <http://www.tunnelbroker.net/forums/index.php?topic=2463.0> being dropped cause TCP to silently fail, or managing packet loss on a TCP network manually by retriggering resends with null packets, etc. Latency typically becomes a much bigger issue than bandwidth - 3 seconds can be a long time to wait for a packet to bounce back, so you won't see people doing things like typing into Cmd.exe here. The tools and techniques at this level are weird but almost understandable. Most penetration testers get culture shock here, like any normal corporate executive visiting outback Saudi Arabia. But things at least look similar at a high level - they still look like /hacking/.

*Sample Test Environment*: Protected Nuclear Bunker or SCIF - no legitimate wired access to the outside world.
*Toolkit Characteristics*: Here is where you need a FLAME-like protocol where you receive (incompletely in many cases) data that the worm has decided was interesting enough to exfil. And you get this data weeks or months after it has been collected. This has obvious ramifications for your operational cycle. Your C&C must be resilient to active attack, as it's unlikely you can make modifications to it in time to beat your opponent's incident response. (This BitDefender <http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/> article is the best resource on how these types of C&C look in the wild.)

Things at this level often don't look like hacking so much as managing information flows within an organization by injecting pieces of code in the right places. Or rather, as Immunity's current doctrine would put it, they look like the near future of hacking.

-- 
INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach www.infiltratecon.com
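The first row of the table contrasts a bare "recv(size)" with a "while recvedsize < size: recv(size-recvedsize)" loop. The following is an added example, not code from the post or from CANVAS/MOSDEF, showing why the distinction matters once the network stops being a clean LAN: a stream socket may hand back fewer bytes than asked for, so a callback that trusts one recv() silently truncates its command or payload, while the looping version reassembles the frame and also honours a deadline so a stalled or half-dead link raises an error instead of hanging the operator. The "bad network" is constructed locally with socketpair() and a sender thread that dribbles bytes with pauses; the 4-byte length-prefix framing and the function names are assumptions for illustration.

```python
"""Added example (not code from the post or from CANVAS/MOSDEF): a single
recv(size) versus a loop that reads until the requested size has arrived,
with a read deadline so a stalled peer cannot hang the caller.  All
'network' traffic here is constructed on local socketpairs."""
import socket
import struct
import threading
import time


def recv_exact(sock, size, timeout=5.0):
    """Return exactly `size` bytes, looping over short reads.

    Raises TimeoutError if the bytes do not all arrive within `timeout`
    seconds and ConnectionError if the peer closes early.  This is the
    'while received < size: recv(size - received)' pattern from the post.
    """
    deadline = time.monotonic() + timeout
    chunks, received = [], 0
    while received < size:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("%d/%d bytes after %.1fs" % (received, size, timeout))
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(size - received)
        except socket.timeout:  # alias of TimeoutError on 3.10+, kept for older
            raise TimeoutError("%d/%d bytes after %.1fs" % (received, size, timeout))
        if not chunk:
            raise ConnectionError("peer closed after %d/%d bytes" % (received, size))
        chunks.append(chunk)
        received += len(chunk)
    return b"".join(chunks)


def send_frame(sock, payload):
    """Assumed framing: 4-byte big-endian length prefix, then the body."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_frame(sock, timeout=5.0):
    """Read one length-prefixed frame using recv_exact for both parts."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4, timeout))
    return recv_exact(sock, length, timeout)


def _dribble(sock, data, chunk, delay, stop_after=None):
    """Constructed slow link: deliver `data` in small pieces with pauses;
    if stop_after is set, go silent after that many bytes (a stalled peer)."""
    sent = 0
    for i in range(0, len(data), chunk):
        if stop_after is not None and sent >= stop_after:
            return
        sock.sendall(data[i:i + chunk])
        sent += chunk
        time.sleep(delay)


def naive_read_is_short(payload=b"A" * 4000, chunk=100):
    """One recv(size) against a peer that has delivered a single chunk so far.
    Returns (bytes actually received, bytes expected)."""
    a, b = socket.socketpair()
    frame = struct.pack("!I", len(payload)) + payload
    go = threading.Event()

    def sender():
        a.sendall(frame[:chunk])   # first chunk only ...
        go.wait()                  # ... then wait until the reader is done
        a.sendall(frame[chunk:])
        a.close()

    t = threading.Thread(target=sender)
    t.start()
    got = b.recv(len(frame))  # returns whatever is buffered, not len(frame)
    go.set()
    t.join()
    b.close()
    return len(got), len(frame)


def robust_read(payload=b"B" * 4000, chunk=100, delay=0.002):
    """recv_frame() reassembles a dribbled frame into the full payload."""
    a, b = socket.socketpair()
    frame = struct.pack("!I", len(payload)) + payload
    t = threading.Thread(target=_dribble, args=(a, frame, chunk, delay))
    t.start()
    try:
        return recv_frame(b, timeout=5.0)
    finally:
        t.join()
        a.close()
        b.close()


def stalled_peer_times_out(payload=b"C" * 4000, chunk=100):
    """A peer that stops half-way must surface as TimeoutError, not a hang."""
    a, b = socket.socketpair()
    frame = struct.pack("!I", len(payload)) + payload
    t = threading.Thread(target=_dribble, args=(a, frame, chunk, 0.001, 2000))
    t.start()
    try:
        recv_frame(b, timeout=0.3)
    except TimeoutError:
        return True
    finally:
        t.join()
        a.close()
        b.close()
    return False


if __name__ == "__main__":
    print("naive recv got %d of %d bytes" % naive_read_is_short())
    print("looping recv got %d bytes" % len(robust_read()))
    print("stalled peer timed out: %s" % stalled_peer_times_out())
```

The deadline is computed once per recv_exact() call rather than per recv(), so a peer trickling one byte every few seconds cannot keep a read alive forever; on the high-latency links in the later rows of the table that budget has to be set per hop, which is exactly the "did the packet drop or did the exploit fail" ambiguity the post describes.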
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave