Paul Asadoorian and John Strand give finishing touches to their research, highlighting methods of attribution and counterattacking, and listing the relevant precautions.Paul Asadoorian: Now along to attribution. So, if we can annoy attackers and draw them into certain places inside of our website or inside our network, let’s learn some information about them. What kind of tools are they using? What kind of web browsers are they using? Where are they specifically?
A lot of these techniques have a lot of repercussions for a lot of organizations, such as law enforcement. I mean, knowing where an attacker is at is huge these days, especially with technologies such as TOR, open proxies on the Internet – there’s lots of ways for an attacker to hide, so why not find out? Maybe the same attacker, you can correlate from different areas. You can say: “Hey, there were these 16 different IP addresses attacking us, but guess what – we did the attribution that we’re going to talk about in this section, and it is in fact the same attacker.”John Strand: The first one we’re going to talk about is Word web-bugs (see image). This is something that originally I found; it was actually implemented by good friends of ours. They actually embedded an HTML inside a Word doc, and then the Word doc will beacon back home; I’ll show that on the next slide.
But you don’t need Core Impact or any expensive tool to do that, you can do this on your own. Microsoft Word can read files that have HTML. If you put in an HTML and you put in an iFrame or a reference to a cascading style sheet, then, as soon as Word starts, it’s going to try and load that resource. And when it does, it’s going to create a quick beacon back, and you can capture some information about where your documents are.We have customers that have very, very sensitive files and they want to make sure they can track them wherever they are (see image). So, we put in a little HTML; they create their documents; they use them however they normally would, but as soon as they open it, it’s going to create a beacon. Then we can take the IP addresses that are connecting back, and we can geolocate where that document is. If your company is in Ohio, and all of a sudden your document is being opened in Kuala Lumpur, you might have something to research. This is very effective, and, by the way, this is completely independent of whether or not you have VBScript. The next one is the Decloak project. This is something that was started by folks at Metasploit, and we actually have a couple of additional modules that we’ve added to it. But the idea is if an attacker is attacking you and they’re attacking you through a TOR network and they’re trying to obfuscate where their real IP address is, there are ways that we can get them to connect to us with other applications. If you look at the slide (see image), you can see the TOR when it logs the information; it’ll say that we have a connection from Java, we have a connection from HTTP, we have a connection from UDP. How this works is when you go to a website, it will spawn off Microsoft Word, it will spawn off iTunes, it will spawn off a Java app, it will spawn off a Flash application. And the reason why that works is because many of these applications, when you’re using TOR with your browser, may not be going through the TOR connection. As soon as they’re invoked, they’re not going to go through the TCP connect function, and they’re going to make a direct connection back to you. So that’s very effective when we’re talking about how to attribute who is attacking you. Speaking of attack, Paul…
Paul Asadoorian: So, the attack section is the one that I think gets people most nervous – when we say we’re going to actually attack the attackers. And we don’t mean to attack them in that we’re going to log into their systems and delete their hard drives – not all the time, anyway. But we’re going to have attackers come to places on our website or inside of our network; then they’re going to visit specific places which we are drawing attackers to; and the attackers now are going to launch code that we provide them.And that’s what we really mean by attack – they are running code of our choice. A lot of this presents itself to management applications, so we set up fake management applications that say: “Hey, attackers, come manage this switch that’s wide open to the network or the intranet that’s on my network, and, by the way, you need a Java payload in order to manage this switch.” That Java payload, essentially, could give us things like shell, it could delete their hard drives, or it could provide us with more attribution (see image).
John Strand: Probably the most well-known Java application – for penetration testers, anyway – is the signed Java applet attack in Metasploit, and also implemented in the Social Engineering Toolkit by Dave Kennedy.
You can actually set that up at a part of your website, mentioning in robots.txt ‘disallow’ or ‘nofollow’ to the admin directory, and as soon as they get there, exactly as Paul said, it says: “You need to install this Java app.” Now, if they believe – attackers, that is – that they need to install this Java app trying to manage your firewall, you’d better believe that they’re going to do it. We do recommend having warning banners in place clearly identifying to the bad guys that by coming to this page you’re subjecting to the reasonable terms of us checking your computer out. It should say: don’t be evil.So, the evil Java application: as we said, we can put a reference in robots.txt. The bad guy goes right to that directory, hopefully a warning banner pops up that’s been approved by your legal department, and as soon as they run the Java code, then it’s code of your choosing. At that point you have the capability of getting shell: you can do a rootkit; VNC level access, if you have, of course, authorization from various law enforcement agencies; or it could be something as simple as what are the users on the system. What is the IP address of the system? It does traceroute: what is the hostname of the computer system? What are the wireless access points that are nearby? There’s a custom Java app that we developed that allows us to actually identify geolocation, latitude and longitude simply by triggering the applet. Now, here’s an example, once again, from the Social Engineering Toolkit (see left-hand image). You still get a pop-up in this situation, as you would get in penetration testing – the idea is about using some of the techniques that pentesters use, but using them in such a fashion that we can defend and attribute and retrieve some additional information about the attackers. Everyone clicks Run, and for about $160 you can make the little pop-up go away by having it digitally signed. It’s not pretty, but it works. So, precautions and usage: please, please, please make sure that a lot of the stuff you set up is something you set up on the inside of your network. You want to make sure that the attacker doesn’t redirect your users to your own traps. Make sure no one can ever take over your Metasploit server; and also, you don’t have to do everything with your servers: you can autorun certain non-damaging commands; you can ping your system; you can do security checks. And the important thing is that if it ever goes to court, you can say: “We never intended to get fully maintained access on their system; we just validated the security configurations of their computer; and, by the way, they agreed to that in the warning banner.”
Paul Asadoorian: So, just as a conclusion: you can watch our shows where we talk about these techniques and more; you can listen to our podcast which is in iTunes by searching for PaulDotCom, and you can watch our live production or recorded videos by going to our website pauldotcom.com/live to watch us live, or on YouTube to watch our prerecorded videos.
John Strand: We are pretty much everywhere. Thank you very much for your time!