SlideShare a Scribd company logo

May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.

L
Leszek Mi?

Slides from workshop delivered at Brucon 2017 Conference in Gent, Belgium. Data exfiltration is the process of transmitting data from pwned or infected networks back to the attacker while trying to minimize detection. During this workshop (2 hours) we will go through different network exfiltration methods and techniques (DNS, ICMP, TCP, UDP, HTTP, RDP, Cloud-app based and others). I will explain how they work, how to run them and what differences between are. It is a highly interactive workshop (I have dozen short labs already prepared) where you will be guided through the use of a set of open source tools powered by a short-fast theory.

Software
1 of 42
Download to read offline
May the Data stay with U! Network Data Exfiltration Techniques. Leszek Miś - BruCON 2017
About me ● IT Security Architect and Founder @ Defensive Security ● VP, Cyber Security @ Collective Sense ● Offensive Security Certified Professional (OSCP) ● Red Hat Certified Architect/RHCSS/RHCX/Sec+ ● Member of ISSA/OWASP Poland Chapter ● Speaker at OWASP Appsec USA, Brucon, Confidence ISSA and many others ● Mostly I am focusing on: ○ Linux & Web Application Security ○ Penetration testing / security audits ○ Threat hunting and Incident Response ○ Hardened IT Infrastructure (SSO/IdM) ○ Behavioral / statistic analysis → Machine Learning / Deep Learning
What you need for this workshop? ● Kali VM ● your External VPS / Linux server ● Wireshark installed ● Internet connection
What is Data Exfiltration? ● Part of post exploitation process ● Unauthorized copying, transfer or retrieval of data from a computer or server. ● Malicious activity performed through various different techniques, typically by cybercriminals over the Internet or other network ● Data theft, data exportation ● There is no silver bullet solution to detect it: ■ → Defence in Depth
“Pre-post” exploitation process ● Sensitive information on public services ● Authentication bypass ● Admin access to administration panel → BF ● DNS subdomain takeover ● Docker image registry publicly accessible ● Source code disclosure, ex. publicly exposed GIT/SVN repos ● 0-day Unathenticated remote code execution ● Wget arbitraty file upload ● Client-side attacks ● Quake 3 server in corpo network
Defence in depth ● Strategy of having layered security mechanisms: ■ if one fails, the other may still provide a protection ■ Network segmentation + deep network traffic analysis + host hardening + segregation of data + security culture + people + threat hunting ■ Question: ● Which layers/devices does your external network packet pass?
ATT&CK Framework ● Adversarial Tactics, Techniques, and Common Knowledge: ○ Threat Modeling Methodology for various phases of an adversary's lifecycle and platforms that are known to be targeted by cyber threats ○ Sections → ■ Collection ■ Exfiltration https://attack.mitre.org
ATT&CK Framework - Collection ● Collection techniques prior to exfiltration: ○ Audio/Camera/Screen capture → BeEF & XSS ○ Automated collections ○ Clipboard data ○ Data from Local System / Data from Network Shares / Data from Removable Media → network/OS digging ○ Emails ○ Input Capture → keyloggers ○ Others
ATT&CK Framework - Exfiltration ● Exfiltration techniques: ○ Data compressed ○ Data encoded ○ Data encrypted ○ Data Transfer Size Limits → data chunks ○ Exfiltration over Alternative Protocol ○ Exfiltration over C2 Channel ○ Exfiltration over other Network Medium ○ Exfiltration over Physical Medium ○ Scheduled Transfer
What does attacker want to collect?
What does attacker want to collect? ● Config files ● Password files ● Certificates & PKI keys ● Backup of critical infrastructure configs ● Bitcoins ● E-mails ● Source Codes + Data Files ● Office Documents ● DB Dumps ● Memory Dumps :> ● Custom Binary files
Why should we care? - offensive part ● Test Data Leakage Protection (DLP) solutions ● IDS/IPS Evasion ● Machine Learning Sensors Evasion ● Bypass a data whitelisting ● Bypass a “stricted” firewall rules ● Bypass a SSL forward proxies ● Hide my data & catch me if you can! Check you ”Network Security Stack” for things we are going to talk about now!
Why we should care? - defensive part ● Proactive event analysis: ○ Few questions: ■ Who? When? Where? What? Why? How? ○ Key points: ■ Active analysis of logs and system events ■ Behavioral analysis of user actions: user → IP mapping ■ Periodic vulnerability scanning ■ Attack paths identification ■ Periodic RAM memory analysis for critical systems → rootkit detection ■ Multi-level network traffic analysis
Multi-level network traffic analysis ● Packet Headers → Full Packet Capture ● Netflows → network billing ● Passive: ○ DNS ○ TLS ○ HTTP ○ SMTP ● Signatures / IP reputation / malware feeds ● SNMP + CVE search ● Active security scans → vuls ● GEO / whois / ipinfo ● Honey traps → canary tokens
Top Protocols for Exfil! ● TCP ● UDP ● ICMP ● HTTP / HTTPS ● DNS ● SSH / SCP / SFTP ● POP3 / SMTP ● RDP ● FTP ● NTP ● BGP ○ + Powershell based ○ + TOR
Top Cloud Services for Exfil! ● Twitter ● Gmail / Google Docs ● Slack ● Facebook → 25MB raw file ● Github ● Pastebin ● Skype ● LinkedIN → 100MB Office documents ● Youtube → 20GB as a video ● Vimeo → 5GB ● Flickr → 200MB as image ● Tumblr
ICMP ● ICMP → “ping” ○ echo request ○ echo reply ● ICMP: ○ icmptunnel ○ auxiliary/server/icmp_exfil ■ nping ■ exfiltrate-data.rb ○ icmpsh ○ hans
LAB1 - ICMP ● Lab 1: ○ ICMPtunnel ■ exfiltrate-data.rb ○ Meterpreter ○ tcpdump / wireshark
TCP - Metasploit / meterpreter ● Meterpreter ■ bind / reverse shell: ● upload / download ■ pivoting: ● route ● portfwd
LAB2 - Metasploit / meterpreter ● Lab 2: ○ metasploit / meterpreter ○ tcpdump / wireshark
TCP - simple Linux tricks / “one-liners” ● Tools: ○ nc ○ netcat ○ socat ○ curl ○ rsync ○ ssh ○ ftp ○ scp / sftp ○ /dev/tcp ○ xxd ○ host , dig, nslookup ○ others
TCP - simple Linux tricks ● LAB3: ○ one-liners ○ linux tools ○ wireshark
DNS ● Core of the communication ● UDP vs TCP ● Requests and responses
DNS ● DNS responses: ○ NOERROR → DNS Query completed successfully ○ FORMERR → DNS Query Format Error ○ SERVFAIL → Server failed to complete the DNS request ○ NXDOMAIN → Domain does not exist ○ NOTIMP → Function not implemented ○ REFUSED → The server refused to answer for the query ○ YXDOMAIN → Name that should not exist, does exist ○ XRRSET → RRset that should not exist, does exist ○ NOTAUTH → Server not authoritative for the zone ○ NOTZONE → Name not in zone
DNS ● Allow for querying a internal DNS servers only ● No one should send TXT resolve request to the DNS except MX servers ● Track down number of NXDomain responses → DGA ● Profile your devices against DNS traffic → generate notification if there is a one who reach the threshold ● Watch out for a: ○ lot of requests to restricted domain ○ lot of requests to one domain ○ lot of requests to fast flux domains ○ DNS replies have private addresses ○ lot of DNS traffic going to bad guy country ○ DNS replies have patterned encoding ○ Packet size outside the normal distribution ○ Spike in DNS byte count across normal traffic patterns
DNS ● Tools: ○ DET ○ OzymanDNS ○ DNS2TCP ○ Iodine ○ SplitBrain ○ TCP-over-DNS ○ YourFreedom ○ Heyoka ○ DNScat2 → remote shell ○ NSTX ○ DNScapy ○ VPN over DNS ○ MagicTunnel ○ Element53
DNS ● Lab 4: ○ dnscat2 → remote shell ○ DET → DNS ○ Passive dns analysis
HTTP / HTTPS ● It is all about HTTP methods, requests and responses, right?
HTTP / HTTPS ● It is all about HTTP methods, requests and responses, right?
HTTP / HTTPS ● It is all about HTTP methods, requests and responses, right?
HTTP / HTTPS ● Incoming HTTP POST payload analysis at server side: ○ you need WAF (Web Application Firewall) → ex. modsecurity: ■ SecRequestBodyAccess ■ SecResponseBodyAccess ● Outgoing HTTPS traffic analysis: ○ you need SSL Forward Proxy for TLS inspection → logs ■ internal PKI CA: ● → passive TLS inspection ● Corporate NTLM HTTP proxy as a gateway (only 443/tcp allowed) → ○ rpivot ○ cntlm ○ OpenVPN ● Detection of HTTP traffic sent directly to IP (without domain name in use)
HTTP / HTTPS ● Tools: ○ httptunnel ○ tunna ○ XSSshell-XSStunnel ○ DET → HTTP ○ curl ○ rpivot ○ cntlm ○ Proxytunnel ○ corkscrew ○ connect-proxy ○ meterpreter
Cloud based apps ● Gmail → DET: ○ "gmail": { ■ "username": "cda262cdwe3a6c345046af3f9734d9ebdwdqwf@gmail.com", ■ "password": "Give_me_some_B33rs!", ■ "server": "smtp.gmail.com", ■ "port": 587 }
Text-based steganography ● Cloakify: ○ transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings ○ hide the file in plain sight, and transfer the file without triggering alerts. ○ defeat data whitelisting controls - is there a security device that only allows IP addresses? ○ example: you can transform a .zip file into a list of Pokemon creatures or Top 100 Websites.
Text-based steganography ● Lab
IDS / IPS (not only signature-based) ● Open Source: ○ Suricata - http://suricata-ids.org ○ BRO IDS - https://bro.org ○ Snort - https://www.snort.org
IDS / IPS ● Suricata is an engine for NIDS, NIPS, NSM: ○ IDS → passive → TAP or SPAN port ○ IPS → active → inline → router/bridge ● Features : ○ IPV4/IPV6, defrag, TCP tracking ○ Stateful HTTP, SMTP, DNS, TLS ○ Lua scripting ○ ET Ruleset / VRT/Talos
Amsterdam ● Provide features of Suricata+ELK via docker containers ○ Objective is super fast installation ○ Amsterdam provides ■ Latest ELK and suricata ● Basic setup sniffing traffic on physical host: ○ pip install amsterdam ○ amsterdam -d ams -i wlan0 setup ○ amsterdam -d ams start ○ firefox http://localhost:8000
Summary ● Try also: ○ PyExfil → https://github.com/ytisf/PyExfil ○ IPv6DNSExfil → https://github.com/DShield-ISC/IPv6DNSExfil ○ QRCode-Video → https://github.com/Neohapsis/QRCode-Video-Data-Exfiltration ○ udp2raw-tunnel → https://github.com/wangyu-/udp2raw-tunnel ○ XFLTReaT → https://github.com/earthquake/XFLTReaT ○ sound-poc → https://github.com/iiamit/data-sound-poc ○ sneaky-creeper → https://github.com/DakotaNelson/sneaky-creeper ○ corkscrew → https://github.com/elia/corkscrew ○
Questions? lm@defensive-security.com lm@collective-sense.com Twitter: @cr0nym LinkedIN: https://www.linkedin.com/in/crony/
Open Source Defensive Security Training https://defensive-security.com @DeepSec → November 14-15, Vienna @Brucon 2018 Spring Training Session - hope so :)
● Excellent visibility based on many collectors ● Behavioral analysis of network traffic ● Hybrid ML / DL based anomaly detection ● Active 0-day protection module ● Modular, responsive web interface https://collective-sense.com

Recommended

Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
Jason Williams
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat Security Conference
 
Password cracking
Password crackingPassword cracking
Password cracking
Ilan Mindel
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
DNS privacy in theory and practice
DNS privacy in theory and practiceDNS privacy in theory and practice
DNS privacy in theory and practice
APNIC
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Creds extraction
Creds extractionCreds extraction
Creds extraction
Ilan Mindel
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 

Recommended

Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
Jason Williams
 
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat v17 || TLS 1.3 - Full speed ahead... mind the warnings - the great, t...
BlueHat Security Conference
 
Password cracking
Password crackingPassword cracking
Password cracking
Ilan Mindel
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
DNS privacy in theory and practice
DNS privacy in theory and practiceDNS privacy in theory and practice
DNS privacy in theory and practice
APNIC
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Creds extraction
Creds extractionCreds extraction
Creds extraction
Ilan Mindel
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group
 
Hta f42
Hta f42Hta f42
Hta f42
SelectedPresentations
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark
Julia Yu-Chin Cheng
 
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
Paulo Henrique
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
Brian A. McHenry
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
Brian A. McHenry
 
Suricata
SuricataSuricata
Suricata
tex_morgan
 
Proofpoint Emerging Threats Suricata 5.0 Webinar
Proofpoint Emerging Threats Suricata 5.0 WebinarProofpoint Emerging Threats Suricata 5.0 Webinar
Proofpoint Emerging Threats Suricata 5.0 Webinar
Jason Williams
 
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh TâmSecurity Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
Nikto
NiktoNikto
Nikto
Sorina Chirilă
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
OWASP
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
Alexandre Moneger
 
Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]
RootedCON
 
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
CODE BLUE
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Severalnines
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
Positive Hack Days
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
UTD Computer Security Group
 
CNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password AttacksCNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password Attacks
Sam Bowne
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
CTruncer
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
CTruncer
 

More Related Content

What's hot

Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh TâmSecurity Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
RootedCON
 
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
CODE BLUE
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Severalnines
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
Positive Hack Days
 

What's hot (20)

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Hta f42
Hta f42Hta f42
Hta f42
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark網路攻擊與封包分析- Wireshark
網路攻擊與封包分析- Wireshark
 
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
FLISOL 2015 - Criptografia é importante! Aprenda meios simples de proteger ar...
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Suricata
SuricataSuricata
Suricata
 
Proofpoint Emerging Threats Suricata 5.0 Webinar
Proofpoint Emerging Threats Suricata 5.0 WebinarProofpoint Emerging Threats Suricata 5.0 Webinar
Proofpoint Emerging Threats Suricata 5.0 Webinar
 
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh TâmSecurity Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
Security Bootcamp 2013 - Timing info-leak made easy - Quan Minh Tâm
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 
Nikto
NiktoNikto
Nikto
 
[Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things![Wroclaw #8] TLS all the things!
[Wroclaw #8] TLS all the things!
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacks
 
Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]
 
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
[CB19] CIRCO: Cisco Implant Raspberry Controlled Operations by Emilio Couto
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
CNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password AttacksCNIT 124: Ch 9: Password Attacks
CNIT 124: Ch 9: Password Attacks
 

Similar to May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.

BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Mp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is blissMp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is bliss
Montreal Python
 
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
Omid Vahdaty
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
ssuser020436
 

Similar to May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017. (20)

Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Ple18 web-security-david-busby
Ple18 web-security-david-busbyPle18 web-security-david-busby
Ple18 web-security-david-busby
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Internet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! nightInternet Of Things: Hands on: YOW! night
Internet Of Things: Hands on: YOW! night
 
Splunk, SIEMs, and Big Data - The Undercroft - November 2019
Splunk, SIEMs, and Big Data - The Undercroft - November 2019Splunk, SIEMs, and Big Data - The Undercroft - November 2019
Splunk, SIEMs, and Big Data - The Undercroft - November 2019
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Mp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is blissMp26 : Tachyon, sloppiness is bliss
Mp26 : Tachyon, sloppiness is bliss
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 
Collect distributed application logging using fluentd (EFK stack)
Collect distributed application logging using fluentd (EFK stack)Collect distributed application logging using fluentd (EFK stack)
Collect distributed application logging using fluentd (EFK stack)
 
Pyongyang Fortress
Pyongyang FortressPyongyang Fortress
Pyongyang Fortress
 
Log Management: AtlSecCon2015
Log Management: AtlSecCon2015Log Management: AtlSecCon2015
Log Management: AtlSecCon2015
 
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
AWS Big Data Demystified #1.2 | Big Data architecture lessons learned
 
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | EnglishAWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
AWS big-data-demystified #1.1 | Big Data Architecture Lessons Learned | English
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 

Recently uploaded

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 

Recently uploaded (20)

tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 

May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.

  • 1. May the Data stay with U! Network Data Exfiltration Techniques. Leszek Miś - BruCON 2017
  • 2. About me ● IT Security Architect and Founder @ Defensive Security ● VP, Cyber Security @ Collective Sense ● Offensive Security Certified Professional (OSCP) ● Red Hat Certified Architect/RHCSS/RHCX/Sec+ ● Member of ISSA/OWASP Poland Chapter ● Speaker at OWASP Appsec USA, Brucon, Confidence ISSA and many others ● Mostly I am focusing on: ○ Linux & Web Application Security ○ Penetration testing / security audits ○ Threat hunting and Incident Response ○ Hardened IT Infrastructure (SSO/IdM) ○ Behavioral / statistic analysis → Machine Learning / Deep Learning
  • 3. What you need for this workshop? ● Kali VM ● your External VPS / Linux server ● Wireshark installed ● Internet connection
  • 4. What is Data Exfiltration? ● Part of post exploitation process ● Unauthorized copying, transfer or retrieval of data from a computer or server. ● Malicious activity performed through various different techniques, typically by cybercriminals over the Internet or other network ● Data theft, data exportation ● There is no silver bullet solution to detect it: ■ → Defence in Depth
  • 5. “Pre-post” exploitation process ● Sensitive information on public services ● Authentication bypass ● Admin access to administration panel → BF ● DNS subdomain takeover ● Docker image registry publicly accessible ● Source code disclosure, ex. publicly exposed GIT/SVN repos ● 0-day Unathenticated remote code execution ● Wget arbitraty file upload ● Client-side attacks ● Quake 3 server in corpo network
  • 6. Defence in depth ● Strategy of having layered security mechanisms: ■ if one fails, the other may still provide a protection ■ Network segmentation + deep network traffic analysis + host hardening + segregation of data + security culture + people + threat hunting ■ Question: ● Which layers/devices does your external network packet pass?
  • 7. ATT&CK Framework ● Adversarial Tactics, Techniques, and Common Knowledge: ○ Threat Modeling Methodology for various phases of an adversary's lifecycle and platforms that are known to be targeted by cyber threats ○ Sections → ■ Collection ■ Exfiltration https://attack.mitre.org
  • 8. ATT&CK Framework - Collection ● Collection techniques prior to exfiltration: ○ Audio/Camera/Screen capture → BeEF & XSS ○ Automated collections ○ Clipboard data ○ Data from Local System / Data from Network Shares / Data from Removable Media → network/OS digging ○ Emails ○ Input Capture → keyloggers ○ Others
  • 9. ATT&CK Framework - Exfiltration ● Exfiltration techniques: ○ Data compressed ○ Data encoded ○ Data encrypted ○ Data Transfer Size Limits → data chunks ○ Exfiltration over Alternative Protocol ○ Exfiltration over C2 Channel ○ Exfiltration over other Network Medium ○ Exfiltration over Physical Medium ○ Scheduled Transfer
  • 10. What does attacker want to collect?
  • 11. What does attacker want to collect? ● Config files ● Password files ● Certificates & PKI keys ● Backup of critical infrastructure configs ● Bitcoins ● E-mails ● Source Codes + Data Files ● Office Documents ● DB Dumps ● Memory Dumps :> ● Custom Binary files
  • 12. Why should we care? - offensive part ● Test Data Leakage Protection (DLP) solutions ● IDS/IPS Evasion ● Machine Learning Sensors Evasion ● Bypass a data whitelisting ● Bypass a “stricted” firewall rules ● Bypass a SSL forward proxies ● Hide my data & catch me if you can! Check you ”Network Security Stack” for things we are going to talk about now!
  • 13. Why we should care? - defensive part ● Proactive event analysis: ○ Few questions: ■ Who? When? Where? What? Why? How? ○ Key points: ■ Active analysis of logs and system events ■ Behavioral analysis of user actions: user → IP mapping ■ Periodic vulnerability scanning ■ Attack paths identification ■ Periodic RAM memory analysis for critical systems → rootkit detection ■ Multi-level network traffic analysis
  • 14. Multi-level network traffic analysis ● Packet Headers → Full Packet Capture ● Netflows → network billing ● Passive: ○ DNS ○ TLS ○ HTTP ○ SMTP ● Signatures / IP reputation / malware feeds ● SNMP + CVE search ● Active security scans → vuls ● GEO / whois / ipinfo ● Honey traps → canary tokens
  • 15. Top Protocols for Exfil! ● TCP ● UDP ● ICMP ● HTTP / HTTPS ● DNS ● SSH / SCP / SFTP ● POP3 / SMTP ● RDP ● FTP ● NTP ● BGP ○ + Powershell based ○ + TOR
  • 16. Top Cloud Services for Exfil! ● Twitter ● Gmail / Google Docs ● Slack ● Facebook → 25MB raw file ● Github ● Pastebin ● Skype ● LinkedIN → 100MB Office documents ● Youtube → 20GB as a video ● Vimeo → 5GB ● Flickr → 200MB as image ● Tumblr
  • 17. ICMP ● ICMP → “ping” ○ echo request ○ echo reply ● ICMP: ○ icmptunnel ○ auxiliary/server/icmp_exfil ■ nping ■ exfiltrate-data.rb ○ icmpsh ○ hans
  • 18. LAB1 - ICMP ● Lab 1: ○ ICMPtunnel ■ exfiltrate-data.rb ○ Meterpreter ○ tcpdump / wireshark
  • 19. TCP - Metasploit / meterpreter ● Meterpreter ■ bind / reverse shell: ● upload / download ■ pivoting: ● route ● portfwd
  • 20. LAB2 - Metasploit / meterpreter ● Lab 2: ○ metasploit / meterpreter ○ tcpdump / wireshark
  • 21. TCP - simple Linux tricks / “one-liners” ● Tools: ○ nc ○ netcat ○ socat ○ curl ○ rsync ○ ssh ○ ftp ○ scp / sftp ○ /dev/tcp ○ xxd ○ host , dig, nslookup ○ others
  • 22. TCP - simple Linux tricks ● LAB3: ○ one-liners ○ linux tools ○ wireshark
  • 23. DNS ● Core of the communication ● UDP vs TCP ● Requests and responses
  • 24. DNS ● DNS responses: ○ NOERROR → DNS Query completed successfully ○ FORMERR → DNS Query Format Error ○ SERVFAIL → Server failed to complete the DNS request ○ NXDOMAIN → Domain does not exist ○ NOTIMP → Function not implemented ○ REFUSED → The server refused to answer for the query ○ YXDOMAIN → Name that should not exist, does exist ○ XRRSET → RRset that should not exist, does exist ○ NOTAUTH → Server not authoritative for the zone ○ NOTZONE → Name not in zone
  • 25. DNS ● Allow for querying a internal DNS servers only ● No one should send TXT resolve request to the DNS except MX servers ● Track down number of NXDomain responses → DGA ● Profile your devices against DNS traffic → generate notification if there is a one who reach the threshold ● Watch out for a: ○ lot of requests to restricted domain ○ lot of requests to one domain ○ lot of requests to fast flux domains ○ DNS replies have private addresses ○ lot of DNS traffic going to bad guy country ○ DNS replies have patterned encoding ○ Packet size outside the normal distribution ○ Spike in DNS byte count across normal traffic patterns
  • 26. DNS ● Tools: ○ DET ○ OzymanDNS ○ DNS2TCP ○ Iodine ○ SplitBrain ○ TCP-over-DNS ○ YourFreedom ○ Heyoka ○ DNScat2 → remote shell ○ NSTX ○ DNScapy ○ VPN over DNS ○ MagicTunnel ○ Element53
  • 27. DNS ● Lab 4: ○ dnscat2 → remote shell ○ DET → DNS ○ Passive dns analysis
  • 28. HTTP / HTTPS ● It is all about HTTP methods, requests and responses, right?
  • 29. HTTP / HTTPS ● It is all about HTTP methods, requests and responses, right?
  • 30. HTTP / HTTPS ● It is all about HTTP methods, requests and responses, right?
  • 31. HTTP / HTTPS ● Incoming HTTP POST payload analysis at server side: ○ you need WAF (Web Application Firewall) → ex. modsecurity: ■ SecRequestBodyAccess ■ SecResponseBodyAccess ● Outgoing HTTPS traffic analysis: ○ you need SSL Forward Proxy for TLS inspection → logs ■ internal PKI CA: ● → passive TLS inspection ● Corporate NTLM HTTP proxy as a gateway (only 443/tcp allowed) → ○ rpivot ○ cntlm ○ OpenVPN ● Detection of HTTP traffic sent directly to IP (without domain name in use)
  • 32. HTTP / HTTPS ● Tools: ○ httptunnel ○ tunna ○ XSSshell-XSStunnel ○ DET → HTTP ○ curl ○ rpivot ○ cntlm ○ Proxytunnel ○ corkscrew ○ connect-proxy ○ meterpreter
  • 33. Cloud based apps ● Gmail → DET: ○ "gmail": { ■ "username": "cda262cdwe3a6c345046af3f9734d9ebdwdqwf@gmail.com", ■ "password": "Give_me_some_B33rs!", ■ "server": "smtp.gmail.com", ■ "port": 587 }
  • 34. Text-based steganography ● Cloakify: ○ transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings ○ hide the file in plain sight, and transfer the file without triggering alerts. ○ defeat data whitelisting controls - is there a security device that only allows IP addresses? ○ example: you can transform a .zip file into a list of Pokemon creatures or Top 100 Websites.
  • 36. IDS / IPS (not only signature-based) ● Open Source: ○ Suricata - http://suricata-ids.org ○ BRO IDS - https://bro.org ○ Snort - https://www.snort.org
  • 37. IDS / IPS ● Suricata is an engine for NIDS, NIPS, NSM: ○ IDS → passive → TAP or SPAN port ○ IPS → active → inline → router/bridge ● Features : ○ IPV4/IPV6, defrag, TCP tracking ○ Stateful HTTP, SMTP, DNS, TLS ○ Lua scripting ○ ET Ruleset / VRT/Talos
  • 38. Amsterdam ● Provide features of Suricata+ELK via docker containers ○ Objective is super fast installation ○ Amsterdam provides ■ Latest ELK and suricata ● Basic setup sniffing traffic on physical host: ○ pip install amsterdam ○ amsterdam -d ams -i wlan0 setup ○ amsterdam -d ams start ○ firefox http://localhost:8000
  • 39. Summary ● Try also: ○ PyExfil → https://github.com/ytisf/PyExfil ○ IPv6DNSExfil → https://github.com/DShield-ISC/IPv6DNSExfil ○ QRCode-Video → https://github.com/Neohapsis/QRCode-Video-Data-Exfiltration ○ udp2raw-tunnel → https://github.com/wangyu-/udp2raw-tunnel ○ XFLTReaT → https://github.com/earthquake/XFLTReaT ○ sound-poc → https://github.com/iiamit/data-sound-poc ○ sneaky-creeper → https://github.com/DakotaNelson/sneaky-creeper ○ corkscrew → https://github.com/elia/corkscrew ○
  • 41. Open Source Defensive Security Training https://defensive-security.com @DeepSec → November 14-15, Vienna @Brucon 2018 Spring Training Session - hope so :)
  • 42. ● Excellent visibility based on many collectors ● Behavioral analysis of network traffic ● Hybrid ML / DL based anomaly detection ● Active 0-day protection module ● Modular, responsive web interface https://collective-sense.com