Quantcast

How not to suck at pen testing 4: Bit9 issues and ISR Evilgrade attacks

John Strand dwells on a few nontrivial vectors applicable for compromising target organization’s IT infrastructure and bypassing technologies like Bit9.

Data exfiltration

Data exfiltration

Also, there’s data loss prevention. As I said, we’re in the midst of a webcast called “Sacred Cash Cow Tipping”. In information security, there’s a lot of different technologies that are becoming sacred cows. We’ve got AV, it’s clearly a sacred cow. Even though most people in here can bypass it in a matter of moments, most organizations continue to pin their entire security hopes and dreams upon AV catching things. But if AV doesn’t catch it, that’s great – we can use data loss prevention. Has anybody ever been in a pen test and DLP completely shut them down? If so, you don’t want to raise your hand. Data loss prevention, as near as I can tell, is only used for keeping honest people honest and helping catch people that make general mistakes. For a real attacker, it never works.

How would you know of that? Because if you were listening to the product marketing materials that are provided, you would think this is the best stuff since sliced bread, when in fact it doesn’t work at all. Test it. That’s what we are here to do. We are here to break things. That’s what we do – find the structural flaws.

Finding more vulnerabilities

Finding more vulnerabilities

But every time we move forward things get harder, and then we find more vulnerabilities (see left-hand image). And this is a good thing. If you look at group policy preference files – I mean, how many of you have gotten domain admin over group policy preference files in the past four or five months? It’s awesome, right? And how many of you were like “Boy, this new shell vulnerability, this bash thing, this is going to be my meal ticket for the next couple of years”? We kind of get hung up on those things. But slowly we start improving. Slowly we’ll start removing some of those structural vulnerabilities. I’m now joking with my customers and saying “The worst thing you can do for information security today is run Active Directory.” It’s like a super-highway of breaking into organizations.

But we make these steps forward and then we find more vulnerabilities. One of the fun things about Black Hills Information Security is we have a lot of customers that listen to Security Weekly. And they listen to what we recommend, they wait until I get everything kind of squirreled away from the recommendations, and then they call us. They’re like “We’ve done everything that we learned in your class, five of four hacker techniques, we did everything on the show, now you can come and pen test us.” And we’re like “Oh, that’s just great, awesome, this is going to be fun!”

We’ve run into a couple of situations where organizations have implemented Internet whitelisting. I’ve even said on this stage that we need to move to Internet whitelisting, and I still think that that’s the right thing that we need to do. We need to start moving to more whitelisting approaches. Does that mean it’s 100% secure? No. Does that mean it’s better than traditional Internet blacklisting? Absolutely. So we need to try to move people to that. But that doesn’t mean that we are not going to have stumbles along the way.

Whitelisting bypass trick

Whitelisting bypass trick

So, Ethan found out in one of his pen tests that if you applied Internet whitelisting and you did a Google search, let’s say for Google’s blah, it would say you can’t go to that website. What you can do is you can do a search that includes the domain of the organization that you’re trying to break into or out of, and it would say that’s perfectly cool (see right-hand image). The reason why is because a regular expression goes through the URL and it looks for whitelisted domains. So, let’s say that the target organization is hacked.com.
The circumvention does work

The circumvention does work

If you can do a Google search for hacked.com, it sees “hacked.com” in that URL and it allows you to bypass it, and it allows you to go to Google. So if you have a backdoor, you can have the backdoor communicate over HTTP, and all you need to do is put in a variable – in this situation, it was “blah” – equals (=) “hacked.com”, or target company dot com, and it allows you to bypass it (see left-hand image).

Does this apply to Websense?

Does this apply to Websense?

Does this work on different organizations like Websense?
Websense bypassed

Websense bypassed

Yes, this works on Websense as well (see left-hand image). So, if you have an organization and you have to get out of that organization, all you need to do is gen up your backdoor to make sure it has the target URL of the organization – and it’s going to let you through, because that is an authorized domain. What’s really cute is whenever you try to give this to the vendors and say “Look, this is something you might want to fix,” what usually happens with vendors is they say “Well, yeah, that’s the way regular expressions are supposed to work.” And you’re like “Really?!” They’ll say “Yeah, this is a feature.” No, it’s not. But slowly, people get better.

Bit9 Security Platform

Bit9 Security Platform

The next two technologies I’m going to talk about – I don’t want to rip on them, because it’s going to sound like I am – but I actually love both of these technologies quite a bit. The first one is Bit9. I love Bit9, but is it a pain to install? Absolutely. But we do network pen testing and we have to bypass Bit9. Now, bypassing Bit9, for most ways to bypass it, isn’t actually trying to bypass Bit9 itself. What you are really trying to do is find configuration weaknesses in how they actually configured it. And usually the way that this is done is trying to find a file type that is authorized in that organization.

PowerShell scripts work wonders

PowerShell scripts work wonders

One of my favorite ways for bypassing Bit9 is PowerShell scripts (see left-hand image). Why would PowerShell scripts be allowed to bypass Bit9? How many of your organizations use PowerShell as part of their day-to-day activities? So, a lot of what we are doing is we are trying to find those gray areas, where we can exploit those gray areas in the efforts of trying to blend in. Mr. Mick Douglas is going to give a presentation a little bit later on about Powercat, which is a PowerShell implementation of Netcat. All you need to do is put your malware or have it download, and you can do direct memory injection using PowerShell, and it will bypass most implementations of Bit9. You can actually do digital code signing certificates for your scripts.

jrDesktop

jrDesktop

You can do a lot of things to try to mitigate this but, by and large, most organizations will allow all .ps1 files to execute, or they’ll allow all JAR files to execute. Why? Well, we need to allow Java. This is jrDesktop (see right-hand image), which is just a very nice implementation of VNC in Java, and almost every single organization we have tested will allow you to fire up a backdoor using jrDesktop. This isn’t leet hacking, it’s just trying to find those gray areas that most organizations miss whenever they are trying to establish their security architecture.

ISR Evilgrade attacks

ISR Evilgrade attacks

The other thing is ISR Evilgrade attacks (see left-hand image). The reason why this works is because of something called “inheritance”. Whenever you have an application that runs, many times you will say “I trust this application” or “I trust this directory that this particular application executes from.” And then anything else that executes in that directory, or anything else that is executed from an executable that is already trusted, will be trusted as well. So, if you have Java updater, Java updater is trusted because you want to update your Java. When Java updater goes out and pulls down an executable, you can give them malware using ISR Evilgrade, and then that malware will be trusted because it was started from Java updater. So you, basically, take advantage of that issue of inheritance. And this is probably one of the more difficult things for organizations to tune Bit9 to actually get it to work properly to detect it.

Great vendor making cool products

Great vendor making cool products

Palo Alto and their application inspection – once again, I like this product. I think these guys are a great vendor, they do really cool things. Once again, is the product super-easy to implement? No. It takes a lot of love, care and feeding to try to implement it properly.
dnscat

dnscat

One of our favorite tools for bypassing these products, or products like Palo Alto, is Ron Bowes’ dnscat (see left-hand image). How many of you were on Bowes’ talk today? Ron was there, that’s good; although he looked like he wasn’t sure. I don’t quite know why he looked a little bit confused about that. If you are working with a firewall vendor and you want to get a discount on that product, fire up Ron’s tool. Ron gives it away for free, I mean the tool: dnscat is the tool that Ron Bowes gives away for free. I’m trying to be more precise when I speak.

Dnscat is an outstanding product and you can test it, and whenever you get a full shell bypassing someone’s product, all of a sudden the price tends to come down a little bit from a cost perspective. If you ask vendors, they are going to say “Oh yeah, we totally catch that, because dnscat uses Port 53 UDP, and we monitor that port.” No, that’s not how dnscat works. It’s not a shell over TCP or UDP. If that were the case, Ron’s tool would be the lamest tool ever. It does more than that. It does all the backdoor communication over well-formed DNS requests and responses, and that’s what makes it awesome, that’s what makes it very good.

VSAgent tool

VSAgent tool

Another thing you can do – we have a tool called VSAgent that we have created; and all of the communication with the tool goes back and forth in well-formed HTML, and we insert all of our command-and-control in a value called “_VIEWSTATE” (see right-hand image). Anybody encounter _VIEWSTATE in their web application pen test? How long can this field get? I think we had a record in one of our tests, for us personally: four pages long of VIEWSTATE data. And the customer is like “Why is it taking you so long to scan our website?” I’m like “Because it’s broken, that’s why!” But this makes an outstanding field for us to exfiltrate data. This makes an outstanding field for command-and-control, because it’s meant to be randomized, right? It’s meant to be a long, variable link, usually very-very long. And most of your firewall tools will not do analysis on those fields because it’s impossible for them to do analysis on every single one of those fields. So, that’s an easy way to try and bypass them.
 

Read previous: How not to suck at pen testing 3: Mitigating structural weaknesses

Read next: How not to suck at pen testing 5: Hunt teaming

Like This Article? Let Others Know!
Related Articles:

Leave a comment:

Your email address will not be published. Required fields are marked *

Comment via Facebook: