1
00:00:00,000 --> 00:00:02,542
PIOTR DUSZYNSKI: My name is Piotr Duszynski.

2
00:00:02,542 --> 00:00:06,125
And this is about active defense in progress.

3
00:00:06,709 --> 00:00:09,501
I will go quickly through the slides because I have

4
00:00:09,501 --> 00:00:11,209
a lot of them.

5
00:00:11,250 --> 00:00:15,375
So keep your shirts on and let's start.

6
00:00:15,584 --> 00:00:17,792
Basically a short thing about me.

7
00:00:17,792 --> 00:00:20,751
I'm a security consultant with Trustwave Spiderlabs.

8
00:00:21,999 --> 00:00:26,083
Basically, I do security, amongst other things, but let's move

9
00:00:26,083 --> 00:00:28,209
to another slide.

10
00:00:28,542 --> 00:00:31,751
So this presentation is about the efforts

11
00:00:31,751 --> 00:00:37,999
of my private research of using active defense in practice.

12
00:00:39,125 --> 00:00:43,167
Defense part will be about the new technique that I have

13
00:00:43,167 --> 00:00:47,626
developed basically to slow down your attackers, to keep them

14
00:00:47,626 --> 00:00:51,999
from staying to keep them out, from seeing your profile, while

15
00:00:51,999 --> 00:00:56,792
they analyze your system and providing them as little information

16
00:00:56,792 --> 00:00:59,125
as humanly possible.

17
00:00:59,751 --> 00:01:03,083
The second part will be example based and I

18
00:01:03,083 --> 00:01:08,167
will present you a new attacks for the software that I have taken

19
00:01:08,167 --> 00:01:10,667
from the Internet.

20
00:01:10,999 --> 00:01:16,083
So far it's used for scanning and exploiting assistance.

21
00:01:17,334 --> 00:01:20,918
At the end, there will be a PoC demo from one

22
00:01:20,918 --> 00:01:24,417
of the well known support canners.

23
00:01:25,709 --> 00:01:27,834
I hope you like it.

24
00:01:27,834 --> 00:01:29,999
Basically we can start with the first part.

25
00:01:30,250 --> 00:01:34,209
This part is made me focus on the recognizance phase

26
00:01:34,209 --> 00:01:39,167
the most important part of every recognizance phase.

27
00:01:44,083 --> 00:01:47,501
This is the most popular tool.

28
00:01:47,876 --> 00:01:51,751
It's possible that someone will be using it to scan your system.

29
00:01:51,751 --> 00:01:54,584
Here we have someone trying to scan your system and they get

30
00:01:54,584 --> 00:01:57,250
all the information, all of the running services

31
00:01:57,250 --> 00:01:59,334
within an instance.

32
00:01:59,417 --> 00:02:04,584
And yeah, it's not exactly what we like to share with our,

33
00:02:04,584 --> 00:02:07,542
let's say offenders.

34
00:02:08,375 --> 00:02:14,334
Basically this information can be used as other steps to carry

35
00:02:14,334 --> 00:02:18,292
out more sophisticated attacks.

36
00:02:18,292 --> 00:02:23,209
So I thought, what would be the most the worst case scenario

37
00:02:23,209 --> 00:02:27,250
for persons scanning or trying to get a view

38
00:02:27,250 --> 00:02:31,999
of your running services on your system.

39
00:02:31,999 --> 00:02:35,501
What if all the ports were open and what

40
00:02:35,501 --> 00:02:40,999
if on every port there was actually a byte or it appears

41
00:02:40,999 --> 00:02:47,626
to be value services listening and your attacker has to get a view

42
00:02:47,626 --> 00:02:53,542
of all the running services on your remote system.

43
00:02:53,876 --> 00:02:55,999
So basically, I portspoof.

44
00:03:02,083 --> 00:03:07,959
So when you want to get a full view, you try to go through all the ports

45
00:03:07,959 --> 00:03:11,751
and get all the services identified.

46
00:03:12,083 --> 00:03:16,209
Oh, your attacker will need a lot of patience because as I have seen,

47
00:03:16,209 --> 00:03:21,167
basically as I have tested, well, all of the ports will be opened.

48
00:03:21,167 --> 00:03:24,083
He will have to send, like, about 120 megabytes of data and

49
00:03:24,083 --> 00:03:27,501
the scan will take him    Stop talking.

50
00:03:29,999 --> 00:03:32,542
So we have a traditional at DEF CON.

51
00:03:32,542 --> 00:03:34,999
First time speakers need to do a shot on stage.

52
00:03:34,999 --> 00:03:37,876
Let's give him a round of applause for getting selected.

53
00:03:44,959 --> 00:03:47,501
(Applause)    PIOTR DUSZYNSKI: Cheers, everyone!

54
00:03:47,501 --> 00:03:48,501
Thanks for coming.

55
00:03:51,209 --> 00:03:52,626
(Applause).

56
00:03:56,334 --> 00:03:58,459
Now we have to see if we can pick up where he left

57
00:03:58,459 --> 00:04:00,501
off in the technical talk.

58
00:04:00,999 --> 00:04:02,876
You guys judge how well he does.

59
00:04:02,876 --> 00:04:05,083
PIOTR DUSZYNSKI: I'm from Poland, come on.

60
00:04:05,083 --> 00:04:06,083
It's just one shot.

61
00:04:08,999 --> 00:04:10,959
So coming back here.

62
00:04:10,959 --> 00:04:16,751
So basically you've got our attackers get nice just the output,

63
00:04:16,751 --> 00:04:22,083
65,000 or more services identified by Nmap.

64
00:04:22,501 --> 00:04:25,417
I focused on the Nmap but basically it can be any other

65
00:04:25,417 --> 00:04:27,083
port scanner.

66
00:04:27,459 --> 00:04:29,375
So why not.

67
00:04:31,083 --> 00:04:35,751
If you go through the listing, you can see different services

68
00:04:35,751 --> 00:04:37,709
like, telnet.

69
00:04:37,959 --> 00:04:39,918
There's even a bug there if you can see.

70
00:04:39,918 --> 00:04:44,999
So basically, among that, there's some, probably your service running,

71
00:04:44,999 --> 00:04:50,626
which could be possibly exploited, but try to find it, it's not so easy,

72
00:04:50,626 --> 00:04:52,167
I guess.

73
00:04:52,167 --> 00:04:55,626
And some in the when the attackers go through your

74
00:04:55,626 --> 00:05:00,999
through the service scan, they can find a hidden message.

75
00:05:00,999 --> 00:05:01,999
(Laughter).

76
00:05:01,999 --> 00:05:13,999
So basically (Applause) Yeah, you can put any ASCII art out there.

77
00:05:16,501 --> 00:05:20,999
And it's a bit strange.

78
00:05:20,999 --> 00:05:24,209
You can see that the real operating system was actually

79
00:05:24,209 --> 00:05:25,999
Linux, 3.2.

80
00:05:25,999 --> 00:05:29,459
Here you have like UNIX, Windows, Linux, Solaris,

81
00:05:29,459 --> 00:05:32,626
you don't know what it is.

82
00:05:33,501 --> 00:05:37,626
Additionally which is actually the part, the second part of the presentation,

83
00:05:37,626 --> 00:05:41,417
you can also control certain fields which can help you with exploitation

84
00:05:41,417 --> 00:05:43,667
of a particular system.

85
00:05:44,459 --> 00:05:49,292
So, yeah, AMAP, there are similar results.

86
00:05:49,292 --> 00:05:50,751
All the ports are open.

87
00:05:50,751 --> 00:05:52,834
Some of them are unidentified.

88
00:05:54,083 --> 00:05:56,959
Yeah, so what are the conclusions?

89
00:05:56,959 --> 00:06:01,292
Basically, the it's no longer helpful with this because if all the ports are

90
00:06:01,292 --> 00:06:05,292
open, basically you can make a connection.

91
00:06:05,292 --> 00:06:07,667
If there's an open port, then there's a service running,

92
00:06:07,667 --> 00:06:09,792
all of them are open.

93
00:06:09,999 --> 00:06:13,125
So, yeah, also identification is a bit more challenging.

94
00:06:14,417 --> 00:06:21,999
Yeah, it's it's also forces your attackers to generate a huge amount of traffic.

95
00:06:21,999 --> 00:06:25,999
So basically you can detect them or it's easier.

96
00:06:26,584 --> 00:06:31,334
Yeah, for service probes, and, of course, it's frustration

97
00:06:31,334 --> 00:06:33,834
to the offenders.

98
00:06:34,083 --> 00:06:36,792
Some might say this is security by obscurity.

99
00:06:37,999 --> 00:06:41,125
If only it works, you know, that's the point.

100
00:06:41,125 --> 00:06:45,375
I don't know if you can see the fish there, but it's there.

101
00:06:45,751 --> 00:06:46,751
Yeah.

102
00:06:46,751 --> 00:06:50,083
So but I'm sure that also we are thinking like, okay, fine.

103
00:06:50,083 --> 00:06:52,918
But I'm sure I can find some kind of bypass.

104
00:06:52,918 --> 00:06:56,334
So for the that's also the way I was thinking.

105
00:06:57,167 --> 00:07:00,751
I think some of your questions, there's no trivial way

106
00:07:00,751 --> 00:07:04,083
to detect false signatures apart from using some type

107
00:07:04,083 --> 00:07:06,250
of protocol probes.

108
00:07:06,375 --> 00:07:08,792
IP fragmentation, the network techniques

109
00:07:08,792 --> 00:07:11,584
will not work because it goes through the colonel

110
00:07:11,584 --> 00:07:15,417
to the user based program that they have written.

111
00:07:15,417 --> 00:07:17,626
So basically, you can use fragmentation

112
00:07:17,626 --> 00:07:20,375
for any way that you want.

113
00:07:20,375 --> 00:07:22,167
It will anyhow be assembled.

114
00:07:22,292 --> 00:07:25,459
The only thing that will work is actually

115
00:07:25,459 --> 00:07:30,334
the full connectivity not a mistake in the ID but every software

116
00:07:30,334 --> 00:07:32,999
is vulnerable to this.

117
00:07:32,999 --> 00:07:34,626
I made some tests.

118
00:07:34,667 --> 00:07:37,918
You can always try to mitigate this by using some

119
00:07:37,918 --> 00:07:43,999
of the of the spool parameters or try to use IT with traffic ciphers.

120
00:07:44,125 --> 00:07:48,542
And if you have any ideas for the bypass, I will try to fix

121
00:07:48,542 --> 00:07:53,751
the software or, I don't know, implement your idea.

122
00:07:53,999 --> 00:07:57,375
Yeah, the portspoof, it's a user based software.

123
00:07:57,375 --> 00:08:00,999
It doesn't provide any kernel modules and it binds

124
00:08:00,999 --> 00:08:07,459
to one port per instance and then it just configurates through IPstables

125
00:08:07,459 --> 00:08:12,209
by directing some of the ports that you want to spoof

126
00:08:12,209 --> 00:08:14,542
to local host.

127
00:08:14,834 --> 00:08:15,834
Yeah.

128
00:08:15,834 --> 00:08:16,834
Okay.

129
00:08:16,834 --> 00:08:20,792
So let's go to good the part, which is practical exploitation

130
00:08:20,792 --> 00:08:24,083
of your offenders' tool box.

131
00:08:25,959 --> 00:08:29,584
Maybe the output here is not very clear.

132
00:08:30,209 --> 00:08:33,292
But with Nmap, you can control certain fields,

133
00:08:33,292 --> 00:08:37,709
like for example, the version fields, host fields.

134
00:08:37,999 --> 00:08:43,626
That gives you I like vector possibilities.

135
00:08:43,999 --> 00:08:48,083
So it went to the Internet, look for Google.

136
00:08:48,083 --> 00:08:49,918
We have Googled for some software that could be

137
00:08:49,918 --> 00:08:51,999
exploited with that.

138
00:08:52,250 --> 00:08:56,083
And basically, the first example is, okay, safari,

139
00:08:56,083 --> 00:09:00,083
because they have not responded to me.

140
00:09:00,083 --> 00:09:05,209
Basically if you set up on the portspoof, a bailout, like on any part,

141
00:09:05,209 --> 00:09:08,959
and somebody used Nmap to scan your system,

142
00:09:08,959 --> 00:09:12,999
and generates a rebirth and basically you are able

143
00:09:12,999 --> 00:09:18,375
to inject some JavaScript code into his processor, say, context,

144
00:09:18,375 --> 00:09:24,083
when he will be browsing the read ports on his computer.

145
00:09:24,083 --> 00:09:29,083
There was a nice thing about that, for example, if he runs Safari

146
00:09:29,083 --> 00:09:32,667
and goes through the through the results,

147
00:09:32,667 --> 00:09:36,751
basically, the policy doesn't apply.

148
00:09:38,999 --> 00:09:44,209
It's actually my friend, Mikalu told me this one.

149
00:09:44,542 --> 00:09:49,375
So there's a simple exploitation vector for this one, like port 17,

150
00:09:49,375 --> 00:09:52,375
you can have one of them.

151
00:09:52,501 --> 00:09:57,375
The next example is non Nmap, so just so we don't stick to Nmap,

152
00:09:57,375 --> 00:10:03,459
all the time, just proof of concept, you can go to the McAfee superscan,

153
00:10:03,459 --> 00:10:06,918
it was fixed a few days ago.

154
00:10:06,999 --> 00:10:12,834
But anyone could scan your system with this particle two, with a reboot

155
00:10:12,834 --> 00:10:16,999
and they would be able to inject JavaScript code

156
00:10:16,999 --> 00:10:20,083
into his process context.

157
00:10:20,876 --> 00:10:25,501
You can use B for any other tool to do some exploitation,

158
00:10:25,501 --> 00:10:28,459
what we are going to do.

159
00:10:29,375 --> 00:10:30,626
Yeah.

160
00:10:30,792 --> 00:10:33,876
This actually a real exploit from the Internet.

161
00:10:33,959 --> 00:10:39,459
So I don't know if you can see the exact vulnerable line, but this here,

162
00:10:39,459 --> 00:10:44,584
basically we control the contents of the storage files which

163
00:10:44,584 --> 00:10:48,584
is retrieved from one of the ports.

164
00:10:50,000 --> 00:10:56,999
If we set up a payload, on port 18, which is actually the to which

165
00:10:56,999 --> 00:11:01,584
the port the exploit will connect.

166
00:11:02,167 --> 00:11:06,209
Well, if somebody will launch the exploit against your system,

167
00:11:06,209 --> 00:11:10,417
he will get an additional context, which is root.

168
00:11:10,417 --> 00:11:15,209
So basically you are able to execute or to do a command injection

169
00:11:15,209 --> 00:11:20,876
in the in somebody's shell, if somebody is launching, for example,

170
00:11:20,876 --> 00:11:24,375
an exploit against your system.

171
00:11:25,083 --> 00:11:28,626
What's nice about this you can also create,

172
00:11:28,626 --> 00:11:34,375
for example, a weaponized version of this of this for this payload, but,

173
00:11:34,375 --> 00:11:39,999
I won't go through all the details here, because, I mean, for example,

174
00:11:39,999 --> 00:11:44,501
if you want to exploit the particular line that you have

175
00:11:44,501 --> 00:11:48,999
a relation of the file content, and basically have to go

176
00:11:48,999 --> 00:11:53,250
around some like, you cannot uses spaces.

177
00:11:54,417 --> 00:11:58,209
So basically this would be in the conference mode if you want

178
00:11:58,209 --> 00:12:00,209
to use it later.

179
00:12:00,209 --> 00:12:04,125
The result is that basically if you set up such payloads on one of your ports.

180
00:12:04,834 --> 00:12:10,209
Yeah, next time when somebody will launch the text, on your system,

181
00:12:10,209 --> 00:12:16,542
he will not only get who am I, output, but you will be able to, for example,

182
00:12:16,542 --> 00:12:20,250
download his whole root directory.

183
00:12:20,626 --> 00:12:24,375
Another example is taken from the auto pwn script.

184
00:12:25,999 --> 00:12:29,999
The pwn scripts usually go through all the ports and try

185
00:12:29,999 --> 00:12:33,125
to exploit all the possibilities.

186
00:12:33,125 --> 00:12:36,167
So basically if you have, like, different payloads on every port,

187
00:12:36,167 --> 00:12:39,999
some of them might hit the particular vulnerability and you

188
00:12:39,999 --> 00:12:42,918
will be able to exploit it too.

189
00:12:43,125 --> 00:12:48,918
In this case, you have again and this is a real line of code.

190
00:12:48,918 --> 00:12:50,999
I don't know if you see the vulnerability.

191
00:12:50,999 --> 00:12:52,375
It's rather pretty obvious.

192
00:12:52,999 --> 00:12:54,083
Yeah.

193
00:12:54,083 --> 00:12:55,999
And, again, what surprise?

194
00:12:55,999 --> 00:12:56,999
Who am I will work.

195
00:13:01,959 --> 00:13:03,876
What can you do with this?

196
00:13:03,876 --> 00:13:06,918
And what are the conclusions for the current state

197
00:13:06,918 --> 00:13:10,834
of the security tools because from what I have seen

198
00:13:10,834 --> 00:13:16,876
on the Internet in different tools, different software, most of them, not all,

199
00:13:16,876 --> 00:13:21,999
but most of them are exploitable, if it was simple payloads, like,

200
00:13:21,999 --> 00:13:27,083
for example, who am I, or any other escaping sequences.

201
00:13:27,584 --> 00:13:31,792
Especially auto pwn tools used by script keys and I don't know who.

202
00:13:32,167 --> 00:13:38,083
Yes, if they launch, the type of script against your system, basically,

203
00:13:38,083 --> 00:13:42,999
you can also try to create a I named it aggressive honeypot

204
00:13:42,999 --> 00:13:47,751
because you can create different payloads for every port

205
00:13:47,751 --> 00:13:51,542
with different escaping sequences.

206
00:13:51,542 --> 00:13:56,083
And then it's up to you, which command you inject.

207
00:13:56,417 --> 00:13:59,999
And if you want to find, for example, more vulnerable software,

208
00:13:59,999 --> 00:14:02,083
just go to Google.

209
00:14:02,918 --> 00:14:08,083
The ones I found are actually the top of a mountain, an ice mountain.

210
00:14:08,250 --> 00:14:11,083
I mean, many, many scripts are vulnerable.

211
00:14:11,083 --> 00:14:15,626
You can use just your imagination while creating some payloads.

212
00:14:15,709 --> 00:14:19,751
In this case, I'm sure you will find something.

213
00:14:20,834 --> 00:14:25,083
And in the end, I wanted to show you a nice proof of concept

214
00:14:25,083 --> 00:14:30,709
for Nmap official NSE script which, again, proves the concept.

215
00:14:30,792 --> 00:14:32,918
It's nothing against the tool itself.

216
00:14:32,918 --> 00:14:33,918
Okay.

217
00:14:33,918 --> 00:14:34,918
Let's okay.

218
00:14:34,918 --> 00:14:35,918
Let me try this.

219
00:14:35,918 --> 00:14:36,918
Can you see it?

220
00:15:03,167 --> 00:15:06,959
We can't see in the front.

221
00:15:22,125 --> 00:15:34,667
PIOTR DUSZYNSKI: No, really.

222
00:15:34,667 --> 00:15:36,999
AUDIENCE MEMBER: Do an interpretive dance!

223
00:15:36,999 --> 00:15:38,626
PIOTR DUSZYNSKI: Ah, right.

224
00:15:38,626 --> 00:15:39,999
In front here, you can see it?

225
00:15:58,999 --> 00:16:01,375
AUDIENCE MEMBER: Just tell us.

226
00:16:01,375 --> 00:16:02,375
We will trust you.

227
00:16:02,375 --> 00:16:04,959
PIOTR DUSZYNSKI: Yeah, then, I will tell you.

228
00:16:04,959 --> 00:16:07,999
Basically the first screen that you can key, it's the top of the portspoof tool,

229
00:16:07,999 --> 00:16:11,083
along with a map interpreter.

230
00:16:16,999 --> 00:16:20,999
The second one we scanned a remote system.

231
00:16:20,999 --> 00:16:24,501
We want to check actually what's on the port 80.

232
00:16:24,626 --> 00:16:27,999
You can see that there's an old version that's exploitable.

233
00:16:32,083 --> 00:16:41,250
So basically what we will do yeah, here's a reverse handler on that exploit.

234
00:16:47,584 --> 00:16:52,375
This is the latest Nmap version, C25.

235
00:16:53,999 --> 00:16:59,250
So if you have that, it's still vulnerable and just

236
00:16:59,250 --> 00:17:03,999
the exact HTTP script which basically results

237
00:17:03,999 --> 00:17:08,709
in a remote arbitrary file applaud.

238
00:17:08,709 --> 00:17:12,999
So if you launch that against, for example, the system, or

239
00:17:12,999 --> 00:17:17,999
on portspoof, you will be able to upload an arbitrary file,

240
00:17:17,999 --> 00:17:24,083
override any file that's accessible with Nmap privileges and in this case,

241
00:17:24,083 --> 00:17:28,292
I have written the script itself, so the next time

242
00:17:28,292 --> 00:17:34,250
because someone might think it's strange that there's some there's some

243
00:17:34,250 --> 00:17:37,375
strange results in there.

244
00:17:37,999 --> 00:17:42,083
The next time someone launches the particular script of the same

245
00:17:42,083 --> 00:17:46,584
with the same parameters, yeah, you will get pwned.

246
00:17:46,999 --> 00:17:51,375
He will get a remote reverse interpreter.

247
00:17:51,375 --> 00:17:53,999
(Applause)    PIOTR DUSZYNSKI: Just like here.

248
00:18:03,999 --> 00:18:08,459
I know the quality is a bit low, but if you want to just go

249
00:18:08,459 --> 00:18:12,792
to the main website, you can view it online.

250
00:18:12,876 --> 00:18:16,709
I will change I will upload in a second.

251
00:18:16,999 --> 00:18:18,083
Sorry for this.

252
00:18:18,083 --> 00:18:19,709
I thought it would be visible.

253
00:18:19,834 --> 00:18:21,999
At the end, yeah.

254
00:18:23,999 --> 00:18:27,501
So thank you for your time and for coming.

255
00:18:27,501 --> 00:18:28,626
I hope you enjoyed it.