Slide 1

Slide 1 text

Doomsday Preppers: Fortifying Your Red Team Infrastructure

Slide 2

Slide 2 text

1 Introduction

Slide 3

Slide 3 text

Whoami
● Steve Borosh
○ Penetration Tester / Red Teamer
○ Blogger: https://www.rvrsh3ll.net/
○ https://github.com/rvrsh3ll
● Jeff Dimmock
○ Penetration Tester / Red Teamer
○ Blogger: https://bluescreenofjeff.com/
○ https://github.com/bluscreenofjeff

Slide 4

Slide 4 text

Slides/Resources online bit.ly/RedTeamInfrastructure

Slide 5

Slide 5 text

Agenda
▪ Introduction
▪ “Standard” Infrastructure
▪ “Advanced” Infrastructure
▪ For The Blues: Tips and Tradecraft
▪ Questions

Slide 6

Slide 6 text

Purpose
▪ Infrastructure design
▫ Build a resilient infrastructure
▫ Stay hidden
▫ Separation of resources
▪ Secure the infrastructure
▫ Prevent “hack-back”
▫ Prevent data leakage
▪ Train both Blue and Red

Slide 7

Slide 7 text

Props to prior research
▪ blog.cobaltstrike.com - Raphael Mudge
▫ “A Vision for Distributed Red Team Operations”
▫ “Advanced Threat Tactics: Course and Notes”
▪ Cybersyndicates.com - Alex Rymdeko-Harvey
▫ “6 Red Team Infrastructure Tips”

Slide 8

Slide 8 text

3 “Standard” Infrastructure

Slide 9

Slide 9 text

Design
▪ One (or a few) hosts handle all functionality
▫ Payloads/C2/Phishing/etc.
▪ Quick to deploy
▪ Simple hardening

Slide 10

Slide 10 text

Components
▪ Single server for C2 + SMTP
▪ Originates all attacks
▪ Default traffic profiles
▪ Open to the entire Internet

Slide 11

Slide 11 text

Use Cases
▪ Tests without active incident response
▪ Fully whitebox
▪ Functional testing
▫ Click tracking
▫ Egress testing

Slide 12

Slide 12 text

Diagram (standard infrastructure): Attacker -- Router/Firewall -- C2/SMTP Server -- Router/Firewall -- Victim

Slide 13

Slide 13 text

Weaknesses
▪ Hosted payloads are easily enumerated by defenders
▪ C2 may be easily blocked by IP, netblock, or domain name
▪ No redundancy in case of outages
▪ Susceptible to Internet-wide probing or exploitation

Slide 20

Slide 20 text

5 “Advanced” Infrastructure

Slide 22

Slide 22 text

Design
▪ Based on “Infrastructure for Ongoing Red Team Operations” by Raphael Mudge
▪ Segregate assets based on function, minimize overlap
▪ Place redirectors in front of every host

Slide 23

Slide 23 text

Design
▪ Document the setup
▫ Know what points where
▪ Split hosts amongst providers
▫ (Pay attention to terms of service!)
▪ Forward all logs to a central server via rsyslog

Slide 24

Slide 24 text

Components
▪ Four teamservers
▫ Phishing & payloads
▫ Long-term DNS C2
▫ Short-term DNS C2
▫ Short-term HTTP C2
▪ Four redirectors (VPS hosts)
▫ Two for DNS C2 via socat/iptables
▫ HTTP C2 via Apache
▫ HTTP payloads via Apache
▪ SMTP server (VPS host)
▪ Four domains

Slide 26

Slide 26 text

Domains
▪ expireddomains.net
▫ Old first-registered date
▫ High SimilarWeb score
▫ High number of backlinks
▪ Register pre-used domains
▪ Register domains in the same category
▪ Finance/Healthcare categories usually have SSL/TLS inspection exceptions on the target's web proxy

Slide 27

Slide 27 text

Domains

Slide 28

Slide 28 text

Domains

Slide 29

Slide 29 text

Domains
▪ Check categorization
▫ Bluecoat
▫ McAfee (TrustedSource)
▫ Fortiguard
▪ SenderBase score
▫ http://www.senderbase.org/
▪ Check blacklists (web and email)
▫ http://multirbl.valli.org/

Slide 30

Slide 30 text

Domains

Slide 31

Slide 31 text

Domains

Slide 32

Slide 32 text

Domains

Slide 33

Slide 33 text

SMTP
▪ Use a “redirector” for sending
▪ Strip the headers that reveal the upstream (sending) server
▪ Catch-all address to receive bounce-backs or responses
▪ Use third-party SMTP servers
▫ Read the TOS first!

Slide 34

Slide 34 text

Apache mod_rewrite
▪ Redirect unwanted requests
▫ Invalid URIs
▫ Incident-response user agents
▫ Blacklisted IPs
▪ OS-specific payload delivery
▪ Payload extension hiding
▪ Filter non-C2 requests to C2 domains
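Added example (not from the talk, and not the authors' rewrite rules): the decision a redirector makes before a request is allowed to reach the teamserver, written in Python so each rule can be run and tested on its own. The comments name the mod_rewrite condition each step stands in for. The teamserver address, decoy site, C2 URIs, payload file names and the blocked 198.51.100.0/24 range are all assumptions chosen for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Everything here is an illustration; the addresses, URIs and names are assumptions.
TEAMSERVER = "http://10.0.0.2"            # hypothetical C2 server behind the redirector
DECOY = "https://www.example.com/"        # hypothetical benign site for unwanted traffic

C2_URIS = {"/updates", "/submit.php"}     # URIs the (hypothetical) C2 profile uses
PAYLOAD_URI = "/download/report"          # extension-less URI that hides the payload type

# RewriteCond %{HTTP_USER_AGENT} curl|wget|python|nmap|masscan|burp [NC]
BLOCKED_UA = re.compile(r"curl|wget|python|nmap|masscan|burp", re.I)
# RewriteCond %{REMOTE_ADDR} ^198\.51\.100\.   (constructed IR / scanner range)
BLOCKED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# OS hint in the User-Agent -> file the teamserver actually serves for PAYLOAD_URI
OS_PAYLOAD = {"Windows": "report.hta", "Macintosh": "report.pkg", "Linux": "report.sh"}


@dataclass
class Request:
    client_ip: str
    uri: str
    user_agent: str


def classify(req: Request):
    """Decide what the redirector does with one request.

    Returns ("proxy", url) to forward to the teamserver (the [P] flag in
    mod_rewrite) or ("redirect", url) to send the client elsewhere ([R,L]).
    """
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return ("redirect", DECOY)           # malformed address: never proxy it
    if any(ip in net for net in BLOCKED_NETS):
        return ("redirect", DECOY)           # blacklisted IPs
    if BLOCKED_UA.search(req.user_agent):
        return ("redirect", DECOY)           # IR / scanner user agents

    path = req.uri.split("?", 1)[0]
    if path == PAYLOAD_URI:
        # OS-specific delivery; an unrecognised OS gets nothing useful.
        for needle, filename in OS_PAYLOAD.items():
            if needle in req.user_agent:
                return ("proxy", f"{TEAMSERVER}/payloads/{filename}")
        return ("redirect", DECOY)
    if path in C2_URIS:
        # Only traffic matching the C2 profile reaches the teamserver.
        return ("proxy", f"{TEAMSERVER}{req.uri}")
    # Anything else is an invalid URI: a defender browsing the host sees the decoy.
    return ("redirect", DECOY)


if __name__ == "__main__":
    samples = [
        Request("203.0.113.9", "/updates?id=42", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
        Request("203.0.113.9", "/download/report", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12)"),
        Request("198.51.100.7", "/updates", "Mozilla/5.0 (Windows NT 10.0)"),
        Request("203.0.113.9", "/updates", "curl/7.52.1"),
        Request("203.0.113.9", "/", "Mozilla/5.0 (Windows NT 10.0)"),
    ]
    for r in samples:
        print(r.client_ip, r.uri, "->", classify(r))
```

The order matters: IP and user-agent filters run before any URI matching, so a scanner never learns which URIs are special, and the payload URI carries no extension, so nothing in the path says whether an .hta, .pkg or .sh is behind it.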

Slide 36

Slide 36 text

Mobile Redirection Apache mod_rewrite

Slide 37

Slide 37 text

Invalid URI Redirection Apache mod_rewrite

Slide 38

Slide 38 text

Apache mod_rewrite OS-Specific Payloads

Slide 39

Slide 39 text

Apache mod_rewrite

Slide 40

Slide 40 text

Apache mod_rewrite

Slide 41

Slide 41 text

DNS
▪ socat vs. iptables
▫ https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki#dns
▪ Modify the query results in the profile
▫ The typical default answer of 0.0.0.0 is a giveaway
▫ Return what an nslookup would expect, e.g. a Google or OpenDNS address
▪ Modify DNS request lengths
▫ Max domain name length is 253 text characters
▫ Example query: MRZGS3TLEBWW64TFEBXXM.dns.example.com (base32-encoded text in the subdomain label)

Slide 42

Slide 42 text

DNS Redirection
▪ socat
▫ http://www.rvrsh3ll.net/blog/offensive/redirecting-cobalt-strike-dns-beacons/
▪ iptables
▫ Forward UDP port 53 on the redirector to the teamserver

Slide 43

Slide 43 text

DNS Redirection

Slide 44

Slide 44 text

DNS Redirection

Slide 45

Slide 45 text

DNS Redirection

Slide 46

Slide 46 text

NAT’d DNS Redirection
Diagram: Cobalt Strike (192.168.20.10) -- socat & SSH -- Main Redirector (104.236.x.x) -- socat -- Volatile Redirector (45.63.y.y) -- iptables
Reference: https://gist.github.com/pcting/1041387

Slide 47

Slide 47 text

Modify Your C2 Channels!
▪ Don’t use defaults
▪ Use a different profile for each C2 channel
▪ Blend your profiles into your target environment

Slide 48

Slide 48 text

Modified C2 Signatures
▪ Changes how C2 looks on the wire
▪ Impersonate an adversary or internal applications
▪ Malleable C2 -> Cobalt Strike
▪ Communication Profile -> Empire
▪ Use custom profiles on every server!

Slide 49

Slide 49 text

Malleable C2 Example (Amazon Traffic) https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/master/normal/pandora.profile

Slide 50

Slide 50 text

Modified C2 Signatures

Slide 51

Slide 51 text

Modified C2 Signatures

Slide 52

Slide 52 text

Modified C2 Signatures

Slide 53

Slide 53 text

Domain Fronting

Slide 54

Slide 54 text

Domain Fronting
▪ https://www.bamsoftware.com/papers/fronting/
▪ Utilize high-trust domains
▫ CloudFront
▫ AWS
▫ Google
▪ Implementation varies per provider

Slide 56

Slide 56 text

Domain Fronting (cont.)

Slide 57

Slide 57 text

Domain Fronting (cont.)
▪ Resources
▫ “High-reputation Redirectors and Domain Fronting” - Raphael Mudge
▫ “Domain Fronting via Cloudfront Alternate Domains” - Vincent Yiu
▫ “Escape and Evasion Egressing Restricted Networks” - Chris Patten and Tom Steele

Slide 58

Slide 58 text

Finding Frontable Domains
▪ Searchable by CNAME
▫ Google ‘CNAME “*.cloudfront.net”’
▪ Bruteforce/find subdomains
▫ Can search the Alexa top X sites
▫ Search by domain
▫ https://github.com/rvrsh3ll/FindFrontableDomains

Slide 60

Slide 60 text

Watching the watchers
▪ ‘Pre-phish’ with a weak phish to fingerprint the response
▫ Easy to spot, but not Nigerian Prince level
▫ Use completely different infrastructure
▫ Perform far in advance
▫ Skype Pre-Phish: https://www.youtube.com/watch?v=oTyLdAUjw30
▪ WATCH ALL LOGS
▫ Look for curl/wget/Python requests
▫ Geolocate IPs
▫ ID appliances
▫ ID incident response actions

Slide 61

Slide 61 text

Watching the watchers
▪ Monitor domain/IP categorization and blacklisting
▪ Monitor emails, if possible
▫ Compromised accounts
▫ Bouncebacks
▪ Roll infrastructure as needed

Slide 62

Slide 62 text

Securing the Infrastructure
▪ Attackers can be attacked too!
▫ Metasploit*
▫ Empire**
▫ Cobalt Strike***
▪ RCE on unprotected attack infrastructure

* https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md
* https://github.com/justinsteven/advisories/blob/master/2017_metasploit_meterpreter_dir_traversal_bugs.md
** http://www.harmj0y.net/blog/empire/empire-fails/
*** http://blog.cobaltstrike.com/2016/10/03/cobalt-strike-3-5-1-important-security-update/

Slide 63

Slide 63 text

Securing the Teamserver
▪ Make the cron directories immutable (chattr +i)
▪ iptables
▫ Restrict each service to only the IPs that need it
▪ Lock down SSH
▫ Public-key auth only
▫ Limited user rights

Slide 64

Slide 64 text

Securing the Teamserver (cont.)
▪ Block IPs from non-target countries
▪ Keep your C2 updated!

Slide 65

Slide 65 text

7 For the Blues

Slide 67

Slide 67 text

Hunting C2 Infrastructure
▪ Default requests
▫ Notable lack of headers
▫ Lack of proper HTTP response codes
▪ Static content
▫ “It Works!” responses
▪ Reference
▫ http://www.chokepoint.net/2017/04/hunting-red-team-empire-c2.html
▫ http://www.chokepoint.net/2017/04/hunting-red-team-meterpreter-c2.html

Slide 68

Slide 68 text

Default Empire Response

Slide 69

Slide 69 text

Shodan Search For Empire http://securesql.info/hacks/2017/4/5/fall-of-an-empire

Slide 70

Slide 70 text

Identifying malicious DNS traffic
▪ Request length
▪ Same domain with many subdomains
▫ Entropy in subdomains
■ KDJSOISJFSLKJSOIFJ.example.com (high entropy: encoded data)
■ subdomain.example.com (normal)
▪ Answers resolve to 0.0.0.0 or something else odd
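Added example (not from the talk): the indicators on this slide run over a constructed Zeek/Bro-style DNS log, serving both this slide and the earlier DNS-channel slide, whose base32 label MRZGS3TLEBWW64TFEBXXM is one of the sample queries. Per registered domain it counts distinct subdomain labels, their mean Shannon entropy, the longest query, 0.0.0.0 answers, and whether any label decodes as base32 to readable text. The log lines, thresholds and the two-label "registered domain" shortcut are assumptions for the example.

```python
import base64
import binascii
import math
from collections import defaultdict

# Constructed Zeek/Bro-style dns records: ts, source, query, answer (tab separated).
# Not a real capture. The dns.example.net labels imitate base32 C2 traffic; the
# first is the label from the DNS slide, the second the one from this slide.
SAMPLE_LOG = """\
1490000001\t10.1.1.5\twww.example.com\t93.184.216.34
1490000002\t10.1.1.5\tMRZGS3TLEBWW64TFEBXXM.dns.example.net\t0.0.0.0
1490000003\t10.1.1.5\tKDJSOISJFSLKJSOIFJ.dns.example.net\t0.0.0.0
1490000004\t10.1.1.5\tONWGKZLQEA3DA.dns.example.net\t0.0.0.0
1490000005\t10.1.1.7\tmail.example.com\t93.184.216.35
1490000006\t10.1.1.5\tORSXG5BAON2HE2LOM4.dns.example.net\t0.0.0.0
"""

# Thresholds are assumptions for this example; baseline them on your own traffic.
MIN_UNIQUE_SUBDOMAINS = 3
MIN_MEAN_ENTROPY = 3.0
LONG_QUERY = 60              # characters; the protocol limit is 253
NULL_ANSWERS = {"0.0.0.0"}   # default idle answer of DNS beacons


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for a one-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Last two labels of name. Assumption: no public-suffix handling (co.uk etc.)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def decode_base32_label(label):
    """Text carried by a base32 label, or None if it is not printable ASCII."""
    raw = label.upper()
    try:
        text = base64.b32decode(raw + "=" * (-len(raw) % 8)).decode("ascii")
    except (binascii.Error, ValueError):   # bad length/alphabet or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def parse_log(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, query, answer = line.split("\t")
            yield ts, src, query, answer


def analyze(log_text):
    """Per registered domain: query count, distinct first labels, their mean
    entropy, longest query, number of null answers, and labels that decode."""
    acc = {}
    for _ts, _src, query, answer in parse_log(log_text):
        dom = registered_domain(query)
        st = acc.setdefault(dom, {"queries": 0, "labels": set(), "entropy": [],
                                  "max_len": 0, "null": 0, "decoded": []})
        st["queries"] += 1
        st["max_len"] = max(st["max_len"], len(query))
        if answer in NULL_ANSWERS:
            st["null"] += 1
        if query.endswith("." + dom) and len(query) > len(dom) + 1:
            first = query[: -len(dom) - 1].split(".")[0]   # left-most label
            st["labels"].add(first)
            st["entropy"].append(shannon_entropy(first))
            text = decode_base32_label(first)
            if text:
                st["decoded"].append(text)
    return {
        dom: {
            "queries": st["queries"],
            "unique_subdomains": len(st["labels"]),
            "mean_entropy": sum(st["entropy"]) / len(st["entropy"]) if st["entropy"] else 0.0,
            "max_query_len": st["max_len"],
            "null_answers": st["null"],
            "decoded_labels": st["decoded"],
        }
        for dom, st in acc.items()
    }


def reasons(stat):
    """Which of the slide's indicators a domain's statistics trip."""
    hits = []
    if stat["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS:
        hits.append("many-subdomains")
    if stat["mean_entropy"] >= MIN_MEAN_ENTROPY:
        hits.append("high-entropy-labels")
    if stat["max_query_len"] >= LONG_QUERY:
        hits.append("long-queries")
    if stat["null_answers"]:
        hits.append("null-answers")
    return hits


def suspicious_domains(log_text, min_reasons=2):
    """Domains tripping at least min_reasons indicators, sorted by name."""
    return sorted(d for d, s in analyze(log_text).items() if len(reasons(s)) >= min_reasons)


if __name__ == "__main__":
    for dom, st in analyze(SAMPLE_LOG).items():
        print(dom, reasons(st), st["decoded_labels"])
```

Requiring two indicators keeps a single long CDN hostname or one odd answer from paging anyone; a DNS C2 channel with default settings trips three (many labels, high entropy, 0.0.0.0 answers) on a handful of queries, and the decoded labels show why a modified profile, as the DNS slide recommends, matters for the red team.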

Slide 71

Slide 71 text

Identifying other malicious traffic
▪ SSL certs
▫ Let’s Encrypt certs
▫ Self-signed certs
▪ Consistent URL patterns
▫ /admin.php etc.
▫ Repeated intervals, visible with Bro (now Zeek)
▪ Research common C2 platforms
▫ (Low-hanging fruit for defenders)
▫ Stagers are easy to spot

Slide 72

Slide 72 text

Identifying Malicious Traffic (cont.)
▪ Analyze network captures
▫ Beacon intervals (jitter)
▫ Filter out known-good
▪ VPS address ranges
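Added example (not from the talk): the beacon-interval check on this slide over a constructed connection log. For every source/destination pair it computes the inter-arrival intervals and their coefficient of variation; a beacon with jitter still has a tight cadence, so a low ratio over enough connections is flagged, known-good destinations are filtered out first, and each hit is annotated with whether the destination sits in a VPS range. The records, the allow-list, the 203.0.113.0/24 "VPS" block and the thresholds are all assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed connection records (epoch seconds, source, destination); not a capture.
# 10.1.1.5 -> 203.0.113.10 checks in about every 60 s with ~10% jitter (a beacon);
# the other pairs are irregular, allow-listed, or too sparse to judge.
SAMPLE_CONN = [
    (1000, "10.1.1.5", "203.0.113.10"), (1058, "10.1.1.5", "203.0.113.10"),
    (1121, "10.1.1.5", "203.0.113.10"), (1177, "10.1.1.5", "203.0.113.10"),
    (1240, "10.1.1.5", "203.0.113.10"), (1296, "10.1.1.5", "203.0.113.10"),
    (1362, "10.1.1.5", "203.0.113.10"), (1419, "10.1.1.5", "203.0.113.10"),
    (1483, "10.1.1.5", "203.0.113.10"),
    (1005, "10.1.1.7", "93.184.216.34"), (1010, "10.1.1.7", "93.184.216.34"),
    (1200, "10.1.1.7", "93.184.216.34"), (1205, "10.1.1.7", "93.184.216.34"),
    (1900, "10.1.1.7", "93.184.216.34"), (2400, "10.1.1.7", "93.184.216.34"),
    (1005, "10.1.1.7", "198.51.100.20"), (1010, "10.1.1.7", "198.51.100.20"),
    (1200, "10.1.1.7", "198.51.100.20"), (1205, "10.1.1.7", "198.51.100.20"),
    (1900, "10.1.1.7", "198.51.100.20"), (2400, "10.1.1.7", "198.51.100.20"),
    (2405, "10.1.1.7", "198.51.100.20"),
    (1003, "10.1.1.9", "192.0.2.50"), (1063, "10.1.1.9", "192.0.2.50"),
    (1123, "10.1.1.9", "192.0.2.50"),
]

KNOWN_GOOD = {"93.184.216.34"}                          # assumed allow-listed host
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed "VPS provider" block


def periodicity(timestamps):
    """Mean inter-arrival interval and its coefficient of variation (pstdev / mean).

    A fixed sleep gives 0.0; Cobalt Strike-style jitter of a few percent stays
    well below typical interactive browsing, which scatters intervals widely.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = sum(gaps) / len(gaps)
    cv = (statistics.pstdev(gaps) / mean) if mean else float("inf")
    return mean, cv


def in_vps_range(addr):
    return any(ipaddress.ip_address(addr) in net for net in VPS_RANGES)


def find_beacons(conns, min_connections=6, max_cv=0.3, known_good=KNOWN_GOOD):
    """Source/destination pairs whose cadence is regular enough to look like a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        if dst in known_good:          # filter out known-good before scoring
            continue
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts_list in sorted(by_pair.items()):
        if len(ts_list) < min_connections:
            continue                   # too few samples to call it periodic
        mean, cv = periodicity(ts_list)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(ts_list),
                         "mean_interval": mean, "cv": cv,
                         "dst_in_vps_range": in_vps_range(dst)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONN):
        print(hit)
```

Lowering min_connections makes the check more sensitive but lets three equally spaced connections from a scheduled task look like a beacon, so in practice the connection floor and the allow-list do as much work as the variation threshold.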

Slide 73

Slide 73 text

VPS Lookup

Slide 74

Slide 74 text

Thanks! ANY QUESTIONS?
You can contact us at:
@424f424f (Steve Borosh)
@bluscreenofjeff (Jeff Dimmock)
http://www.rvrsh3ll.net
https://www.bluescreenofjeff.com