Doomsday Preppers - HackMiami

rvrsh3ll

May 20, 2017
Transcript

  1. Doomsday Preppers: Fortifying Your Red Team Infrastructure

  2. 1
    Introduction

  3. Whoami
    ● Steve Borosh
    ○ Penetration Tester / Red Teamer
    ○ Blogger https://www.rvrsh3ll.net/
    ○ https://github.com/rvrsh3ll
    ● Jeff Dimmock
    ○ Penetration Tester / Red Teamer
    ○ Blogger https://bluescreenofjeff.com/
    ○ https://github.com/bluscreenofjeff

  4. Slides/Resources online
    bit.ly/RedTeamInfrastructure

  5. Agenda
    ▪ Introduction
    ▪ “Standard” Infrastructure
    ▪ “Advanced” Infrastructure
    ▪ For The Blues: Tips and Tradecraft
    ▪ Questions

  6. Purpose
    ▪ Infrastructure design
    ▫ Build a resilient infrastructure
    ▫ Stay hidden
    ▫ Separation of resources
    ▪ Secure the infrastructure
    ▫ Prevent “hack-back”
    ▫ Prevent data leakage
    ▪ Train both Blue and Red

  7. Props to prior research
    ▪ blog.cobaltstrike.com - Raphael Mudge
    ▫ “A Vision for Distributed Red Team Operations”
    ▫ “Advanced Threat Tactics: Course and Notes”
    ▪ Cybersyndicates.com - Alex Rymdeko-Harvey
    ▫ “6 Red Team Infrastructure Tips”

  8. 3
    “Standard” Infrastructure

  9. Design
    ▪ One (or few) hosts handle all functionality
    ▫ Payloads/C2/Phishing/etc
    ▪ Quick to deploy
    ▪ Simple hardening

  10. Components
    ▪ Single-server C2 + SMTP
    ▪ Originates all attacks
    ▪ Default traffic profiles
    ▪ Open to entire Internet

  11. Use Cases
    ▪ Tests w/o active incident response
    ▪ Fully whitebox
    ▪ Functional testing
    ▫ Click tracking
    ▫ Egress testing

  12. (Diagram) Attacker → Router/Firewall → C2/SMTP Server → Router/Firewall → Victim

  13. Weaknesses
    ▪ Hosted payloads are easily enumerated by defenders
    ▪ C2 may be easily blocked by IP, netblock, or domain name
    ▪ No redundancy in case of outages
    ▪ Susceptible to Internet-wide probing or exploitation

  14. 5
    “Advanced” Infrastructure

  15. Design
    ▪ Based on “Infrastructure for Ongoing Red Team Operations” by Raphael Mudge
    ▪ Segregate assets based on function, minimize overlap
    ▪ Place redirectors in front of every host

  16. Design
    ▪ Document the setup
    ▫ Know what points where
    ▪ Split hosts amongst providers
    ▫ (Pay attention to terms of service!)
    ▪ Forward all logs to central server via rsyslog

  17. Components
    ▪ Four teamservers
    ▫ Phishing & payloads
    ▫ Long-term DNS C2
    ▫ Short-term DNS C2
    ▫ Short-term HTTP C2
    ▪ Four redirectors (VPS hosts)
    ▫ Two for DNS C2 via socat/iptables
    ▫ HTTP C2 via Apache
    ▫ HTTP payloads via Apache
    ▪ SMTP server (VPS host)
    ▪ Four domains

  18. Domains
    ▪ expireddomains.net
    ▫ Old first registered age
    ▫ High SimilarWeb score
    ▫ High number of backlinks
    ▪ Register pre-used domains
    ▪ Register domains in same category
    ▪ Finance/Healthcare usually have firewall exceptions for SSL

  19. Domains
    ▪ Check categorization
    ▫ Bluecoat
    ▫ McAfee (TrustedSource)
    ▫ Fortiguard
    ▪ Senderbase Score
    ▫ http://www.senderbase.org/
    ▪ Check blacklists (web and email)
    ▫ http://multirbl.valli.org/

  20. SMTP
    ▪ Use “redirector” for sending
    ▪ Remove previous server headers
    ▪ Catch-all address to receive bounce-backs or responses
    ▪ Use third-party SMTP servers
    ▫ Read the TOS first!

  21. Apache mod_rewrite
    ▪ Redirect unwanted requests
    ▫ Invalid URIs
    ▫ IR useragents
    ▫ Blacklisted IPs
    ▪ OS-specific payload delivery
    ▪ Payload extension hiding
    ▪ Filter non-C2 requests to C2 domains

  22. Mobile Redirection
    Apache mod_rewrite

  23. Invalid URI Redirection
    Apache mod_rewrite

  24. Apache mod_rewrite
    OS-Specific Payloads

  25. Apache mod_rewrite

  26. Apache mod_rewrite

  27. DNS
    ▪ socat vs. iptables
    ▫ https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki#dns
    ▪ Modify query results in profile
    ▫ Typical default of 0.0.0.0
    ▫ Nslookup = google,opendns
    ▪ Modify DNS request lengths
    ▫ Max domain name, 253 text characters
    ▫ MRZGS3TLEBWW64TFEBXXM.dns.example.com

  28. DNS Redirection
    Socat
    http://www.rvrsh3ll.net/blog/offensive/redirecting-cobalt-strike-dns-beacons/
    IPTables
    ▪ Forward UDP port 53 to teamserver from redirector

  29. DNS Redirection

  30. DNS Redirection

  31. DNS Redirection

  32. NAT’d DNS Redirection (diagram)
    Cobalt Strike (192.168.20.10) | SOCAT & SSH | Main Redirector (104.236.x.x) | SOCAT | Volatile Redirector (45.63.y.y) | IPTables
    https://gist.github.com/pcting/1041387

  33. Modify Your C2 Channels!
    ▪ Don’t use defaults
    ▪ Use a different profile for each c2 channel
    ▪ Blend your profiles into your target environment

  34. Modified C2 Signatures
    ▪ Changes how C2 looks on the wire
    ▪ Impersonate adversary or internal applications
    ▪ Malleable C2 -> Cobalt Strike
    ▪ Communication Profile -> Empire
    ▪ Use custom profiles on every server!

  35. Malleable C2 Example (Amazon Traffic)
    https://raw.githubusercontent.com/rsmudge/Malleable-C2-Profiles/master/normal/pandora.profile

  36. Modified C2 Signatures

  37. Modified C2 Signatures

  38. Modified C2 Signatures

  39. Domain Fronting

  40. Domain Fronting
    ▪ https://www.bamsoftware.com/papers/fronting/
    ▪ Utilize high-trust domains
    ▫ Cloudfront
    ▫ AWS
    ▫ Google
    ▪ Implementation varies per provider

  41. Domain Fronting (cont.)

  42. Domain Fronting (cont.)
    ▪ Resources
    ▫ “High-reputation Redirectors and Domain Fronting” - Raphael Mudge
    ▫ “Domain Fronting via Cloudfront Alternate Domains” - Vincent Yiu
    ▫ “Escape and Evasion Egressing Restricted Networks” - Chris Patten and Tom Steele

  43. Finding Frontable Domains
    ▪ Searchable by CNAME
    ▫ Google ‘CNAME “*.cloudfront.net”’
    ▪ Bruteforce/find subdomains
    ▫ Can search alexa top x sites
    ▫ Search by domain
    ▫ https://github.com/rvrsh3ll/FindFrontableDomains

  44. Watching the watchers
    ▪ ‘Pre-phish’ with a weak phish to fingerprint response
    ▫ Easy-to-spot, but not Nigerian Prince
    ▫ Use completely different infrastructure
    ▫ Perform far in advance
    ▫ Skype Pre-Phish: https://www.youtube.com/watch?v=oTyLdAUjw30
    ▪ WATCH ALL LOGS
    ▫ Look for CURL/WGET/Python requests
    ▫ Geolocate IPs
    ▫ ID appliances
    ▫ ID incident response actions

  45. Watching the watchers
    ▪ Monitor domain/IP categorization/blacklisting
    ▪ Monitor emails, if possible
    ▫ Compromised accounts
    ▫ Bouncebacks
    ▪ Roll infrastructure as needed

  46. Securing the Infrastructure
    ▪ Attackers can be attacked too!
    ▫ Metasploit*
    ▫ Empire**
    ▫ Cobalt Strike***
    ▪ RCE on unprotected attack infrastructure
    * https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md
    * https://github.com/justinsteven/advisories/blob/master/2017_metasploit_meterpreter_dir_traversal_bugs.md
    ** http://www.harmj0y.net/blog/empire/empire-fails/
    *** http://blog.cobaltstrike.com/2016/10/03/cobalt-strike-3-5-1-important-security-update/

  47. Securing the Teamserver
    ▪ Chattr cron directories
    ▪ iptables
    ▫ Restrict resources to only needed IPs
    ▪ Lock down SSH
    ▫ PKI auth only
    ▫ Limited user rights
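
The "Lock down SSH" item above is easy to state and easy to get subtly wrong (a later `PasswordAuthentication yes` line silently loses to an earlier one, and the OpenSSH defaults for the keys you did not set still apply). The following audit script is an added example written for this transcript, not code from the deck or its authors. It parses the global section of an `sshd_config` the way sshd reads it (first value for a keyword wins, `Match` blocks ignored here as a simplification) and reports every setting that falls short of PKI-only, non-root, allow-listed access. The two configs, the OpenSSH default table and the `operator` user are constructed for the example.

```python
import re

# Constructed sample configs (not from the slides or any real host).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication and ChallengeResponseAuthentication left at defaults
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowUsers operator
"""

# OpenSSH defaults (sshd_config(5)) for the keywords audited; used when a key is absent.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    sshd uses the first value given for a keyword, so later duplicates are ignored.
    Parsing stops at the first Match block (simplification: only the global
    section is audited).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)       # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication;
    # either one still left at its default of 'yes' re-enables password-style prompts.
    kbd = cfg.get("kbdinteractiveauthentication", get("challengeresponseauthentication")).lower()
    if kbd != "no":
        findings.append("keyboard-interactive (challenge-response) auth is not 'no'")
    if get("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "OK")
```

Run it against `/etc/ssh/sshd_config` on each teamserver and redirector after provisioning; the weak sample produces four findings, the hardened one none. Because absent keys fall back to the OpenSSH defaults, a config that simply never mentions `PasswordAuthentication` is reported as password-enabled, which is the case that usually bites.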

  48. Securing the Teamserver (cont.)
    ▪ Block non-target country IPs
    ▪ Keep your C2 updated!

  49. 7
    For the Blues

  50. Hunting C2 Infrastructure
    ▪ Default requests
    ▫ Notable lack of headers
    ▫ Lack of proper HTTP response codes
    ▪ Static Content
    ▫ “It Works!” responses
    ▪ Reference
    ▫ http://www.chokepoint.net/2017/04/hunting-red-team-empire-c2.html
    ▫ http://www.chokepoint.net/2017/04/hunting-red-team-meterpreter-c2.html
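
The three signals on this slide (a response with few of the headers a real web server sends, a status code that does not fit the request, and the stock "It Works!" page) can be turned into a small scorer that a blue team runs over responses it has already collected. This is an added example for the transcript, not code from the deck or from the chokepoint.net posts; the two raw responses are constructed, and the set of "expected" headers and the page marker are assumptions, not a fingerprint of any particular C2 framework.

```python
# Constructed raw HTTP responses; neither was captured from a real server.
NORMAL_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 15 May 2017 10:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 48\r\n"
    "\r\n"
    "<html><body><h1>404 Not Found</h1></body></html>"
)

SPARSE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Apache\r\n"
    "\r\n"
    "<html><body><h1>It Works!</h1></body></html>"
)

# Assumed heuristics: production web servers nearly always send these headers,
# and the stock "It Works!" page is what the slide calls out as static content.
EXPECTED_HEADERS = ("date", "content-type")
DEFAULT_PAGE_MARKERS = ("it works!",)


def parse_response(raw):
    """Split a raw response into (status code, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_parts = lines[0].split(" ", 2)      # "HTTP/1.1 404 Not Found"
    code = int(status_parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body


def response_reasons(raw, probe_path_missing=False):
    """List why a response looks like a default/unconfigured listener.

    probe_path_missing: True when the request asked for a path that should not
    exist, so a 200 answer is the "improper response code" the slide mentions.
    """
    code, headers, body = parse_response(raw)
    reasons = []
    for name in EXPECTED_HEADERS:
        if name not in headers:
            reasons.append("missing %s header" % name)
    if "content-length" not in headers and "transfer-encoding" not in headers:
        reasons.append("no content-length or transfer-encoding")
    lowered = body.lower()
    if any(marker in lowered for marker in DEFAULT_PAGE_MARKERS):
        reasons.append("default 'It Works!' page body")
    if probe_path_missing and code == 200:
        reasons.append("200 OK for a path that should not exist")
    return reasons


def score_responses(samples, probe_path_missing=False):
    """Rank {label: raw response} by number of suspicious signals, highest first."""
    scored = [(len(response_reasons(raw, probe_path_missing)), label)
              for label, raw in samples.items()]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_RESPONSE), ("sparse", SPARSE_RESPONSE)):
        print(label, response_reasons(raw, probe_path_missing=True))
```

The scorer is deliberately additive: one missing header is noise, but a 200 for a nonsense path, no `Date`, no `Content-Type` and the stock page together are worth a second look, which is the point the slide makes about defaults.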

  51. Default Empire Response

  52. Shodan Search For Empire
    http://securesql.info/hacks/2017/4/5/fall-of-an-empire

  53. Identifying malicious DNS traffic
    ▪ Request length
    ▪ Same domain with many subdomains
    ▫ Entropy in subdomains
    ■ KDJSOISJFSLKJSOIFJ.example.com
    ■ Subdomain.example.com
    ▪ DNS Server resolves to 0.0.0.0 or something funky
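
The DNS indicators on this slide and on slide 27 (request length against the 253-character limit, many distinct subdomains under one parent, high-entropy labels such as `MRZGS3TLEBWW64TFEBXXM`, answers of `0.0.0.0`) combine naturally into one detector over a resolver or Bro/Zeek DNS log. The following is an added example for the transcript, not code from the deck or its authors; the query log and the `dns.example.com` names are constructed, and the length, entropy and subdomain-count thresholds are assumptions to tune for your own traffic. Grouping by "everything after the first label" is a deliberate simplification of registered-domain extraction.

```python
import math
from collections import defaultdict

# Constructed sample of (client, queried name, answer); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "93.184.216.34"),
    ("10.0.0.5", "mail.example.com", "93.184.216.34"),
    ("10.0.0.5", "cdn.example.net", "203.0.113.9"),
    ("10.0.0.7", "MRZGS3TLEBWW64TFEBXXM.dns.example.com", "0.0.0.0"),
    ("10.0.0.7", "KDJSOISJFSLKJSOIFJ.dns.example.com", "0.0.0.0"),
    ("10.0.0.7", "GEZDGNBVGY3TQOJQGEZDGNBV.dns.example.com", "0.0.0.0"),
    ("10.0.0.7", "MFRGGZDFMZTWQ2LK.dns.example.com", "0.0.0.0"),
    ("10.0.0.7", "NBSWY3DPEB3W64TMMQ.dns.example.com", "0.0.0.0"),
]

MAX_NAME_LEN = 253          # protocol limit quoted on slide 27
LONG_NAME_LEN = 100         # assumed: benign hostnames are rarely this long
HIGH_ENTROPY = 3.5          # assumed: bits per character for a single label
MIN_LABEL_LEN = 12          # assumed: ignore short labels when scoring entropy
MIN_SUBDOMAINS = 4          # assumed: distinct labels under one parent from one client
SINKHOLE_ANSWERS = {"0.0.0.0"}   # the "funky" answer the slide names


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_of(name):
    """Everything after the first label (simplification of registered-domain logic)."""
    return name.split(".", 1)[1] if "." in name else name


def query_reasons(name, answer):
    """Per-query indicators: overlong name, random-looking first label, sinkhole answer."""
    reasons = []
    first = name.split(".")[0]
    if len(name) > LONG_NAME_LEN:
        reasons.append("long name (%d of %d chars)" % (len(name), MAX_NAME_LEN))
    if len(first) >= MIN_LABEL_LEN and label_entropy(first) >= HIGH_ENTROPY:
        reasons.append("high-entropy label %s" % first)
    if answer in SINKHOLE_ANSWERS:
        reasons.append("resolves to %s" % answer)
    return reasons


def find_suspicious(queries):
    """Return {(client, parent): [reasons]} for parents that look like DNS C2."""
    labels_seen = defaultdict(set)
    reasons = defaultdict(set)
    for client, name, answer in queries:
        key = (client, parent_of(name))
        labels_seen[key].add(name.split(".")[0])
        for reason in query_reasons(name, answer):
            reasons[key].add(reason)
    out = {}
    for key, labels in labels_seen.items():
        found = sorted(reasons[key])
        if len(labels) >= MIN_SUBDOMAINS:       # the "many subdomains" signal
            found.insert(0, "%d distinct subdomains" % len(labels))
        if found:
            out[key] = found
    return out


if __name__ == "__main__":
    for key, found in find_suspicious(SAMPLE_QUERIES).items():
        print(key, found)
```

Note that entropy alone misses the slide's own `KDJSOISJFSLKJSOIFJ` example (it repeats letters, so it scores under 3.5 bits), while the count of distinct subdomains and the `0.0.0.0` answers still flag the parent; the signals are meant to be read together, not one at a time.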

  54. Identifying other malicious traffic
    ▪ SSL Certs
    ▫ Let’s Encrypt Certs
    ▫ Self-Signed
    ▪ Consistent URL patterns
    ▫ /admin.php etc..
    ▫ Repeated intervals with Bro
    ▪ Research common C2 platforms
    ▫ (low hanging fruit for defenders)
    ▫ Stagers are easy to spot

  55. Identifying Malicious traffic (cont.)
    ▪ Analyze network captures
    ▫ Beacon intervals (jitter)
    ▫ Filter out known-good
    ▪ VPS address ranges
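
"Repeated intervals with Bro" (slide 54) and "Beacon intervals (jitter)", "Filter out known-good" and "VPS address ranges" on this slide describe one analysis: group connections by source/destination pair, look at the gaps between them, and flag pairs whose gaps cluster tightly around a mean even after jitter. The block below is an added example for the transcript, not code from the deck or from Bro/Zeek; the conn.log-style records, the `203.0.113.0/24` stand-in for a hosting range, and the thresholds (six connections minimum, coefficient of variation of 0.3) are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed conn.log-style records (timestamp in seconds, src, dst); not real captures.
# 10.0.0.7 -> 203.0.113.10 every ~60 s with about 10% jitter; 10.0.0.5 -> 198.51.100.20 is browsing.
BEACON_TS = [1000, 1060, 1117, 1180, 1241, 1299, 1361, 1420, 1480]
BROWSE_TS = [1000, 1005, 1200, 1203, 1210, 1500, 1502, 1900, 1901]
SAMPLE_CONNS = ([(t, "10.0.0.7", "203.0.113.10") for t in BEACON_TS] +
                [(t, "10.0.0.5", "198.51.100.20") for t in BROWSE_TS])

# Placeholder for the VPS/hosting ranges you track; TEST-NET-3 stands in for a real block.
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MIN_CONNECTIONS = 6     # assumed: fewer samples give no useful interval statistics
MAX_CV = 0.3            # assumed: std dev / mean below this looks like a timer plus jitter


def intervals(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_stats(timestamps):
    """Mean interval, coefficient of variation and jitter band, or None if too few samples."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    gaps = intervals(timestamps)
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    sd = statistics.stdev(gaps)
    return {
        "interval": mean,
        "cv": sd / mean,                              # low even with jitter; high for browsing
        "jitter": (max(gaps) - min(gaps)) / mean,     # spread of the jitter band
    }


def in_vps_range(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPS_RANGES)


def find_beacons(conns, known_good=frozenset(), max_cv=MAX_CV):
    """Return {(src, dst): stats} for pairs whose timing looks like a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        if dst in known_good:                         # "filter out known-good"
            continue
        by_pair[(src, dst)].append(ts)
    out = {}
    for pair, ts in by_pair.items():
        stats = beacon_stats(ts)
        if stats and stats["cv"] <= max_cv:
            stats["vps_range"] = in_vps_range(pair[1])   # enrich, do not decide, on hosting range
            out[pair] = stats
    return out


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_CONNS).items():
        print(pair, stats)
```

With the constructed data the beaconing pair reports a 60 s mean, a coefficient of variation of about 0.03 and a 10% jitter band, while the browsing pair's gaps vary too much to pass. The hosting-range flag is attached as context rather than used as a filter, since plenty of legitimate traffic goes to VPS providers too.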

  56. Thanks!
    ANY QUESTIONS?
    You can contact us at:
    @424f424f (Steve Borosh) @bluscreenofjeff (Jeff Dimmock)
    http://www.rvrsh3ll.net https://www.bluescreenofjeff.com
