>> All right. So, this is the talk about bypassing firewalls, application whitelists and secure remote desktops. Do you know how to bypass firewalls? If yes, raise your hand. Now I promise that at the end of my presentation all of you will be able to bypass firewalls. This is my name, this is where I work and this is what we usually do. We call it AV testing, but in reality we try to bypass the antivirus systems. I know it's not challenging, but someone has to do that job as well. These are the things I'm really proud to show you: I'm a proud member of the team and we achieved second runner-up at the global competition in 2012. I'm from Hungary, and as we are a very, very small country, we are really proud of our achievements. For example, did you know that the Rubik's cube was invented by a Hungarian guy 40 years ago, or did you know that the telephone exchange system is the idea of a Hungarian guy? I know that the phone exchange system is basically the den mother of the internet. Also, one of the main parts of the BASIC language is from Hungary, and last but not least, two years ago a guy nicknamed BEBOCH won the lifetime achievement award here for his patches. He's also from Hungary. And I have to admit that I love hacking. This is what I do. This is my life. This is my hobby. Okay. Now I'm going to ask you for a little game. Close your eyes, all of you. I'm going to ask a question and I want you to think about it for a second. Hacking high security systems: what is the first image that pops into your mind? Now you can open them. Was it this one? Okay. In the slides we will do something similar, but without the cables and acrobatic stuff. Okay. So, here is the story. Let's say that I'm a spy and I want to access a secure RDP server, and unfortunately I'm not Tom Cruise. I want to access this server because it's got very confidential data or something like that, and on top of that I need command and control communication.
For example, I want to upload files, download files or just have some code execution. All right. This hack could be very easy in an ideal world. For example, let's say I can steal the RDP password, connect to the RDP server ‑‑ yes. (Applause).
>> We have a first time speaker, and judging by the round of applause I take it you guys know what's going on. We have a tradition here at DEF CON, it's called shock the newb.
>> (Inaudible).
>> Are you by yourself? (Laughter).
>> So, our way to welcome you here to DEF CON. Welcome.
>> Congratulations. (Applause).
>> (Inaudible). (Laughter).
>> So ‑‑ (Laughter).
>>> After I infect the client desktop I can steal the RDP password, and with the password I can connect to the RDP server, the command and control, and that's all. But in my case it's a little bit different, something more challenging. For example, the RDP server is not reachable from the internet. And the users are using two-factor authentication to access the RDP server. Also, drive mapping has been disabled, which means there is no direct file transfer between the RDP client and server. And the most important thing is that there is some very hard firewall between the user and the remote access server which only allows traffic from the users' workstations to the RDP server, nothing else. No inbound, no outbound, nothing else, just the RDP port. And on the RDP server some application whitelisting is used. Okay. If you think this has been made up, I can assure you that this is a real scenario, because when I was doing some tests we had a very similar environment at a client, and we were talking about whether this environment is hackable or not, and because I'm a hacker I said yes, we can hack it, but unfortunately during the engagement we didn't have enough dedicated time for that. So you might ask whether I was pissed off that I couldn't hack this environment. (Laughter)
>> I went home, and although the project was over, I started to code.
Now, this is how you can imagine it: the spy at the bottom, and after infecting the user's workstation I want to access the remote desktop server through the firewall. And one wise man said that in hacking there is no such thing as impossible, only things that are more challenging. Now, if you agree with this wise man, raise your hand. All right. So, I don't want to begin the story from Adam and Eve, so let's say that I have already compromised a user's workstation who usually has access to the secure RDP server. And meanwhile I have also accessed the test RDP server, which is pretty similar to the production one I want to hack, but it doesn't have the confidential data I'm looking for. But I know what the server looks like, what the services are, and so forth. Now, as you can clearly see, the talk is about post exploitation. Now, if you are a red team member, hands up. All right. Now, you should listen, because I'm going to show you two new tools which you can use during your hacking. Now, if you are a blue team member, hands up. Okay. So, now I'm going to show you some new things you should look for during log analysis or incident response or forensics, something like that. Now, after I was facing this big problem I was not sure what to do. When you have such huge problems, what I do is that I try to divide the problem into smaller pieces and cure them all one by one. I have identified four different problems I have to solve. The first one is how can I drop the malware onto the RDP server. The second is how can I start it, because the application whitelist should block it. After that I have to elevate my privileges to administrative level, which was needed for the fourth step, which is bypassing the hardware firewall. And the focus of my presentation is on the first and the fourth step, because these are the tools I have developed. Okay. Now, let's start with a small demo of the first tool. I'm calling it the user simulator.
What it means is that this tool can simulate keyboard events, and through the keyboard events I can do a hell of a lot of different things. Now, let's show it. Here ‑‑ oh, that's going to be fun. Okay, now that's better. So, this is the tool I'm going to start soon, and this is the configuration file of the tool. It starts with some sleep and it presses the Windows+R button, which is Run. Create a new document, some sleep again. Now, please give me a color you want to use for this demo. Shout out please.
>> (Inaudible).
>> Okay. I heard purple. And give me an animal name.
>> (Inaudible).
>> So we're going to use purple zebra for this demo. Now I'm going to start this tool and I'm going to show my hands so that I'm not cheating. What should happen is that it starts, creates a new document, types purple zebra, and I can do a lot of stuff, for example I can change the font size, I can change the font style, Comic Sans for example, I can change the colors. So, you get an idea of what it does. No, I don't need that. Okay. Now, what my tool does in this hacking scenario is that it waits for the user, so that the user connects to the RDP server with the application, and after the connection is established my tool creates a screenshot and shows it to the user in the foreground, and optionally it can block the user's keyboard and mouse as well for ten seconds. The user experiences: oh, my God, it froze again. What really happens in the background is that it starts typing things, and because the RDP client connection is the currently active window, everything which is typed is done on the RDP server. So, I can start, for example, Microsoft Word on the RDP server, drop some hex encoded payload into the Word document, create some macro code, Visual Basic macro code which can write out the binary code I will need, and it will start the binary. That's the first step.
>> I said that I want to drop my malware onto the RDP server. I'm going to show you how this really looks in practice.
Now, there are other use cases I was able to test with this user simulator. For example, I can instruct the antivirus GUI to add a directory to the exclusions from the scan, and it's very good because ‑‑ (Laughter).
>>> Just a second. All right. I think it's going to work now. No?
>> (Inaudible). (Applause).
>> Other cases: I can install some retractible table data with the RDP, and there is going to be a warning dialog which the user should accept, but my tool can detect this warning dialog and accept the warning. So, the possibilities with this tool are really endless. Okay, now, next step: I have to bypass the application whitelist, which is Microsoft AppLocker. When I tried to research how I can bypass AppLocker I checked the official documentation, and Microsoft was kind enough to give me a lot of bypass exploit code, but you can use ‑‑ you can set some things in your binary. I should say it should be called the bypass flag or something like that, because that's the only purpose of this slide. Last but not least, if you have administrative privileges then by this you are ‑‑ In my case I have chosen something different, because it turned out that I can load a DLL directly from the Word macro code, Visual Basic macro code, and it's funny because with the DLL loading there is no executable running, so there is nothing to execute, so it will bypass Microsoft AppLocker. And in case you didn't know, with Microsoft Office tools like Word or Excel you can even run shellcode directly from your Visual Basic code. You can do scans. So, if you have a box where you can't install stuff but Microsoft Office is installed there, you have everything you want, really. It's a really powerful tool. (Laughter).
>> All right. Now, the first step: I have to elevate my privileges to administrator level, because I will need this for the fourth step, and you will see why. There are a lot of possibilities how I can achieve this.
For example, if I have some privilege escalation exploit then I can use that, or if the server is old, I can exploit that. A permission vulnerability: I can search for a vulnerable service, for example, for privilege escalation, and don't forget that after I have admin, I'm not restricted. And in my case I have chosen the first one, by exploiting the vulnerable service, and as you can clearly see on this slide the service is vulnerable to privilege escalation, because I can replace the service file and, before replacing the file, I can stop the service, so my file will be started with system privileges. If you were not able to see it in the previous slide, it might be a little bit better here: every server user has privileges to this file, and every interactively logged on user is allowed to stop or start the service. I am sure that all of you are bored to death, so here's a little quiz for you. The first person who can answer this question will get this Rubik's cube from me for the presentation. So, the question is: what's the name of the company which published the first paper about firewalls? Not Microsoft, not Sun.
>> (Inaudible).
>> I heard it back there. Yes. All right. (Applause).
>>> Okay. Now, the fourth step. So, as I said, there is a really hard firewall between the users and me, and now I have dropped my malware, I will be able to elevate my privileges to admin, but still, how can I get my shells? I can't use the shell, I can't use reverse shells like Vienna, QDP, whatever. I don't have any shells, so I have to do something about this. My very first idea was: let's say that I install a kernel driver, and the kernel driver will look at the incoming traffic, and when the traffic starts with some magic data I set, then the kernel driver will know that this has to be handled differently, and the kernel driver can redirect the traffic to another destination port.
But the problem with this approach was that I found out that I would have to rewrite all the hacker applications I want to use for my shells, or I would have to create some proxy application and use that proxy application on both the client and the server level to add these magic bytes and remove the magic bytes, and I said no, no, that's not going to work. There should be something simpler here. And my idea was: why don't I use the TCP source port to indicate to the kernel driver that this traffic is something special? There are some limitations with this approach, for example, if in between there is another firewall, but in my case I said that I don't care about that scenario. It's pretty easy, it's really one line of iptables code. Let's say that every packet to destination port 3389 which is coming from source port 1337 should be redirected to my bind shell on 31337. But you don't have iptables on Windows. This is how it should look in reality. So, either from the attacker or from the infected workstation I can set the specific source port for the communication, and I will connect to the RDP port on the RDP server, but the kernel driver will see that this communication is special, so it will redirect the traffic to another port where I can start a bind shell, for example. If you are into Lord of the Rings, this is the guy who is the very dumb, faithful firewall with all his friends, and they are inspecting the packets and they are really drunk. They only check the port, the destination port in my case, so they think this is legit and they cannot see the backdoor traffic inside, but after the traffic arrives, the backdoor traffic can be separated from the RDP port and I can use this for my bind shell.
In order to install a kernel driver on a Windows 64-bit environment, you need a trusted signed kernel driver, and this was a problem until I found a really great framework called WinDivert. The author of the framework is called (Inaudible), and he asked the Nmap development team to sign the kernel driver, and they ship it with the framework, which is a trusted kernel driver, and with the framework you can use your own executables and these will interact with the signed kernel driver. (Applause).
>>> There are also other ways to bypass these restrictions. For example, there is bench guard bypass code in an open source project, and there are also some rootkits which use the ‑‑ I think they have used another driver and exploited something like that, the kernel driver, to execute code at the kernel level. Last but not least, one can use my user simulator to install a certificate, and after that one can use the kernel driver (Inaudible) signed by the hacker. Okay, now the question was how can I set the TCP source port for any application, and it turned out it's pretty easy, because the Netcat tool provides it for you, so using this syntax you can set the TCP source port for any application you want. Netcat will reroute it for you for free. Okay. Now, let's see this in action, this hardware firewall bypass. Is it working now? Hm? Okay. So, this new one is the client, and as you can see I just set the source port for this and set the destination to the RDP port 3389. This is the server, the green one, and I will start a bind shell on it on a different port. As you can see there was no traffic yet. And I am also going to start my executable, the kernel driver, and as you can see in the syntax I set the TCP source port, the original destination port and the new one where the bind shell is. Okay, now the client is going to connect to the RDP port through Netcat, send some message, and if you look at the Netcat, the communication has been established.
If you look at the Wireshark level you can see that the communication was through the RDP port. But if you look at the user space, you will see that the communication was between the special source port and the special bind shell port. And because it's TCP traffic it's two-way, so from now on I can use anything, because it's a simple TCP connection. So, I can not just send it out from the client to the server, but back and forth. All right. (Applause).
>>> There are also some other use cases for this hardware firewall bypass kernel driver. For example, let's say that you have hacked a server and you already have admin privileges, but you don't have any shells because of the firewall; then you can use this tool. And on the other hand, for example, you can set up Netcat on the hacked server and you can basically create a proxy from the hacked server and use this as a pivot point, for example. And last but not least, you can use it to hide your backdoor traffic. So, for example, if there is some log analysis done at the hacked company, they will see, whoa, this port is strange, this is something new, what the heck is going on; but before that happens, you use the kernel driver and you put it in a way that in the firewall you can stay under the radar. Okay, let's put the whole hack together. What happens? The user's workstation has already been infected. I drop my malware there, and the malware waits for the user to log into the RDP server with proper authentication, then creates a screenshot, it's able to block the mouse, the user says oh, shit, and meanwhile my malware in the background can drop the malware onto the RDP server using the keyboard events and Microsoft Office Visual Basic code and the clipboard. The Visual Basic code will load the DLL to bypass the application whitelist, I can escalate my privileges, and I can install my kernel driver with the admin privileges.
I can also start my favorite bind shell, which was zebra purple in my case, and this is how it looks in one picture. I can connect to the workstation, my traffic gets rerouted, I set the TCP source port to the special port 1337. I connect to port 3389. This is what the firewall sees, but because of my kernel driver at the RDP server this connection gets redirected to the bind shell on port 31337. Now, let's see. Okay, so I connect to the workstation, because I have already compromised it. I set up the port on the infected client. And if I run the calculator, which is here on the workstation, this is where my code gets executed at the moment, and I have already uploaded my malware to the infected workstation and I'm going to start the user simulator. Now, the user connected to the RDP server, and as you can see this directory is empty at the moment, and whatever happens from now on is done by the user simulator, because it's executed on the RDP server: so it starts Word, creates a new document, types some hex encoded payload into Word, creates a new Visual Basic application, through the clipboard it creates the macro code, which will basically decode the hex payload into the folder, and as you can see the directory now has all my files, and it started the Meterpreter bind shell together with the kernel driver I have dropped, and both of them are running with the service privileges, which was system in my case. Okay, now I start Netcat on the user's workstation to set the TCP source port. And after everything is set, from my machine I can connect through all the port firewalls and Netcats and kernel driver stuff to the bind shell on the RDP server. And as you can see, this is the connection which at the firewall level is through the RDP port, and the Meterpreter stage is downloaded, downloaded, and here we have our shell. We have the shell on the restricted workstation through all this magic. (Applause).
>>> Now, as you can see, it can be, how shall I say, quite suspicious for the user who sees these things going on, so let's see the user experience, what really happens. This is the user desktop. And he is connecting to the RDP server. The user says, oh, shit, Microsoft sucks again. (Laughter).
>>> I can't use my keyboard, I can't use my mouse. What happened? I'm going to call ‑‑ oh, no, it works. Everything is fine. (Applause).
>>> Okay. So, lessons learned. You have two new tools. One, you can simulate the user and create some keyboard events, and for example you can drop malware or configure AV or something like that, and with my other tool, as you have seen, you can bypass hardware firewalls after you can execute kernel level code at the server level. Blue team members, you know, every additional level of security you add to your network increases your security level, but you never can achieve 100 percent protection. Every layer can be bypassed, and I have heard from a lot of people that a restricted desktop is pretty secure, because this is not an interface for malware spreading; it is really tough for malware. This can be stopped by using some next generation firewall, I'm sure you have heard about it at Black Hat, but the thing is that if I write a proxy and let Meterpreter through this proxy, which basically wraps my communication into something which looks like RDP, then, again, these next generation firewalls can be bypassed as well. And last but not least, you shouldn't trust your firewall blindly, because it might lie to you. Okay, guys, these tools have not been published yet. If you think I should not publish these because this is dangerous, shout no. Okay. (Laughter).
>>> If you think I should publish them, shout yes.
>> Yes.
>> All right. All right. It's public and there you go. (Applause).
>>> But there's one more thing. Actually, two things. I have created both tools with modules; it's available to you just at your fingertips. (Applause).
>>> Now on this final slide you can see the links to the published code, how to contact me, my blog and a lot of things, but the most important thing is, if you happen to be in Europe, especially in Hungary in October, visit Hacktivity. It's the same as DEF CON, but the lines are shorter. (Applause).
>>> Thank you.
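As an added defender-side example, not part of the talk transcript or the speaker's tools: Python checks over constructed firewall and host socket records for the two signals the talk describes for blue teams, a client pinning a fixed source port (1337 in the demo) for repeated connections to the RDP port (3389), and a flow that the firewall sees as RDP but that the server terminates on the bind-shell port (31337). The record format, IP addresses, threshold and the Windows ephemeral port range used here are assumptions.

```python
"""Defender-side checks for the source-port-triggered redirection described in
the talk.  Added example with constructed data; not the speaker's code."""
from collections import defaultdict

RDP_PORT = 3389
EPHEMERAL_MIN = 49152  # assumption: default Windows dynamic source-port range

# Constructed firewall log: one accepted TCP flow per tuple
# (src_ip, src_port, dst_ip, dst_port), as the firewall would record it.
FIREWALL_LOG = [
    ("10.0.0.5", 52211, "10.0.1.10", RDP_PORT),  # normal user RDP session
    ("10.0.0.5", 1337, "10.0.1.10", RDP_PORT),   # pinned source port (demo value)
    ("10.0.0.5", 1337, "10.0.1.10", RDP_PORT),
    ("10.0.0.5", 1337, "10.0.1.10", RDP_PORT),
    ("10.0.0.7", 60102, "10.0.1.10", RDP_PORT),  # another normal session
]

# Constructed socket table as seen on the RDP server itself
# (remote_ip, remote_port, local_port).  The redirected flow terminates on
# the bind-shell port, not on 3389; that mismatch is what we look for.
HOST_SOCKETS = [
    ("10.0.0.5", 52211, RDP_PORT),
    ("10.0.0.5", 1337, 31337),
    ("10.0.0.7", 60102, RDP_PORT),
]


def pinned_source_ports(log, dst_port=RDP_PORT, min_hits=2):
    """Return {(src_ip, src_port): count} for source ports that are reused
    across several flows to dst_port or that lie below the ephemeral range.
    A normal client picks a fresh ephemeral port per connection, so either
    condition points at a deliberately chosen source port."""
    hits = defaultdict(int)
    for src_ip, src_port, _dst_ip, port in log:
        if port == dst_port:
            hits[(src_ip, src_port)] += 1
    return {key: n for key, n in hits.items()
            if n >= min_hits or key[1] < EPHEMERAL_MIN}


def firewall_host_mismatches(log, sockets):
    """Cross-check the firewall's view against the server's own socket table.
    Return (src_ip, src_port, firewall_dst_port, host_local_port) for flows
    whose local port on the host differs from the port the firewall allowed."""
    local_by_remote = {(ip, port): local for ip, port, local in sockets}
    mismatches = []
    for src_ip, src_port, _dst_ip, dst_port in log:
        local = local_by_remote.get((src_ip, src_port))
        if local is not None and local != dst_port:
            entry = (src_ip, src_port, dst_port, local)
            if entry not in mismatches:
                mismatches.append(entry)
    return mismatches


if __name__ == "__main__":
    for (ip, port), n in pinned_source_ports(FIREWALL_LOG).items():
        print(f"suspicious source port {port} from {ip}: {n} flows to {RDP_PORT}")
    for ip, port, fw_dst, local in firewall_host_mismatches(FIREWALL_LOG, HOST_SOCKETS):
        print(f"firewall saw {ip}:{port} -> {fw_dst}, host terminates it on {local}")
```

The second check only works when the socket table is collected on the server itself, which is exactly the point the talk makes: the firewall's view of the flow and the host's view no longer agree.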